ART: Fix DexFileVerifier try_items OoO validation

DexFileVerifier::CheckIntraCodeItem() implements an out of order
validation for CodeItem try_items.  try_items_size is validated for
sanity via CheckListSize() at dex_file_verifier.cc:800, although
handlers_size ULEB128 read (offset calculated from tries_size_) occurs
before at lines 797-798.

An out of bounds (wild) read will occur for invalid try_items_size at
parsed DEX file.

handlers_size read has been moved after try_items validation to resolve
this OoO issue.

Bug: 21307613
Bug: https://code.google.com/p/android/issues/detail?id=178592
Change-Id: I94d00819ee9a465f57ba9a1fdfdd356979e35ed7

diff --git a/runtime/dex_file_verifier.cc b/runtime/dex_file_verifier.cc
index 90b8fdb..eec4983 100644 (file)
--- a/runtime/dex_file_verifier.cc
+++ b/runtime/dex_file_verifier.cc
@@ -794,13 +794,13 @@ bool DexFileVerifier::CheckIntraCodeItem() {
   }
 
   const DexFile::TryItem* try_items = DexFile::GetTryItems(*code_item, 0);
-  ptr_ = DexFile::GetCatchHandlerData(*code_item, 0);
-  uint32_t handlers_size = DecodeUnsignedLeb128(&ptr_);
-
   if (!CheckListSize(try_items, try_items_size, sizeof(DexFile::TryItem), "try_items size")) {
     return false;
   }
 
+  ptr_ = DexFile::GetCatchHandlerData(*code_item, 0);
+  uint32_t handlers_size = DecodeUnsignedLeb128(&ptr_);
+
   if (UNLIKELY((handlers_size == 0) || (handlers_size >= 65536))) {
     ErrorStringPrintf("Invalid handlers_size: %ud", handlers_size);
     return false;