
[automerger] Fix DynamicRefTable::load security bug am: 8cf0f988b0 am: d65dbf91ce...
authorAndroid Build Merger (Role) <noreply-android-build-merger@google.com>
Wed, 6 Jun 2018 17:12:18 +0000 (17:12 +0000)
committerAndroid Build Merger (Role) <noreply-android-build-merger@google.com>
Wed, 6 Jun 2018 17:12:18 +0000 (17:12 +0000)
Change-Id: I0556ef6fb1ceb02f4972c7434895cfeb5e13188d

libs/androidfw/ResourceTypes.cpp

index 9941e46..0ea0652 100644 (file)
@@ -6220,8 +6220,16 @@ status_t ResTable::parsePackage(const ResTable_package* const pkg,
             }
 
         } else if (ctype == RES_TABLE_LIBRARY_TYPE) {
+
             if (group->dynamicRefTable.entries().size() == 0) {
-                status_t err = group->dynamicRefTable.load((const ResTable_lib_header*) chunk);
+                const ResTable_lib_header* lib = (const ResTable_lib_header*) chunk;
+                status_t err = validate_chunk(&lib->header, sizeof(*lib),
+                                              endPos, "ResTable_lib_header");
+                if (err != NO_ERROR) {
+                    return (mError=err);
+                }
+
+                err = group->dynamicRefTable.load(lib);
                 if (err != NO_ERROR) {
                     return (mError=err);
                 }
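Review bot: The new `validate_chunk(&lib->header, sizeof(*lib), endPos, ...)` call in the RES_TABLE_LIBRARY_TYPE branch is given only the fixed-size header and `endPos`, so bounding the entry array that follows the header is still left to `DynamicRefTable::load`, whose body is not visible in this hunk. It is worth confirming that `load` checks the header's entry count against the chunk's declared size, and that the count-times-entry-size multiplication cannot wrap in 32 bits, because both values come from the parsed file. A comment above the call would record that split of responsibility, e.g. `// Bounds the fixed header against endPos; load() must bound the entry array against header.size.` As a style point, the C-style cast could be written `reinterpret_cast<const ResTable_lib_header*>(chunk)` so the reinterpretation of parsed data is easy to grep for. `parsePackage` starts and ends outside the hunk, so the handling of later library chunks once `entries()` is non-empty cannot be assessed from here.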