From 8002034e6b11e9be85671505475936b1ec3705b3 Mon Sep 17 00:00:00 2001
From: Yurii Zubrytskyi <zyy@google.com>
Date: Mon, 29 Nov 2021 23:55:24 -0800
Subject: Add missing size check when parsing staged aliases

Need to have the same kind of data size check as in other
types parsing

Bug: 203938029
Test: manual
Change-Id: I9f5d2851ff59da90163ead6c0416f0bba3868cc4
---
 libs/androidfw/LoadedArsc.cpp | 6 ++++++
 1 file changed, 6 insertions(+)

(limited to 'libs/androidfw/LoadedArsc.cpp')

diff --git a/libs/androidfw/LoadedArsc.cpp b/libs/androidfw/LoadedArsc.cpp
index d17c32817994..8150e78fdddc 100644
--- a/libs/androidfw/LoadedArsc.cpp
+++ b/libs/androidfw/LoadedArsc.cpp
@@ -686,6 +686,12 @@ std::unique_ptr<const LoadedPackage> LoadedPackage::Load(const Chunk& chunk,
         std::unordered_set<uint32_t> finalized_ids;
         const auto lib_alias = child_chunk.header<ResTable_staged_alias_header>();
         if (!lib_alias) {
+          LOG(ERROR) << "RES_TABLE_STAGED_ALIAS_TYPE is too small.";
+          return {};
+        }
+        if ((child_chunk.data_size() / sizeof(ResTable_staged_alias_entry))
+            < dtohl(lib_alias->count)) {
+          LOG(ERROR) << "RES_TABLE_STAGED_ALIAS_TYPE is too small to hold entries.";
           return {};
         }
         const auto entry_begin = child_chunk.data_ptr().convert<ResTable_staged_alias_entry>();
-- 
cgit v1.2.3-59-g8ed1b