From 8e864bff9eadc749981db3c832d65c7ce909b5d3 Mon Sep 17 00:00:00 2001
From: Mathieu Chartier
Date: Mon, 14 Mar 2016 11:02:59 -0700
Subject: [PATCH] Do not include image header in decompressed size

Could cause a buffer overflow since we told LZ4 to decompress more bytes than necessary.

Bug: 27561308

(cherry picked from commit 324eb2c6b049f1677133f0b708730e904c5e73ab)

Change-Id: I524c03b8f0e8a84814dbd8678285184e9d4da9f1
---
 runtime/gc/space/image_space.cc | 13 +++++++------
 1 file changed, 7 insertions(+), 6 deletions(-)

diff --git a/runtime/gc/space/image_space.cc b/runtime/gc/space/image_space.cc
index 9ecd391e4..b4b1f39d5 100644
--- a/runtime/gc/space/image_space.cc
+++ b/runtime/gc/space/image_space.cc
@@ -1283,7 +1283,7 @@ ImageSpace* ImageSpace::Init(const char* image_filename,
 /*out*/out_error_msg));
 if (map != nullptr) {
 const size_t stored_size = image_header->GetDataSize();
- const size_t write_offset = sizeof(ImageHeader); // Skip the header.
+ const size_t decompress_offset = sizeof(ImageHeader); // Skip the header.
 std::unique_ptr temp_map(MemMap::MapFile(sizeof(ImageHeader) + stored_size,
 PROT_READ,
 MAP_PRIVATE,
@@ -1302,14 +1302,15 @@ ImageSpace* ImageSpace::Init(const char* image_filename,
 TimingLogger::ScopedTiming timing2("LZ4 decompress image", &logger);
 const size_t decompressed_size = LZ4_decompress_safe(
 reinterpret_cast(temp_map->Begin()) + sizeof(ImageHeader),
- reinterpret_cast(map->Begin()) + write_offset,
+ reinterpret_cast(map->Begin()) + decompress_offset,
 stored_size,
- map->Size());
+ map->Size() - decompress_offset);
 VLOG(image) << "Decompressing image took " << PrettyDuration(NanoTime() - start);
 if (decompressed_size + sizeof(ImageHeader) != image_header->GetImageSize()) {
- *error_msg = StringPrintf("Decompressed size does not match expected image size %zu vs %zu",
- decompressed_size + sizeof(ImageHeader),
- image_header->GetImageSize());
+ *error_msg = StringPrintf(
+ "Decompressed size does not match expected image size %zu vs %zu",
+ decompressed_size + sizeof(ImageHeader),
+ image_header->GetImageSize());
 return nullptr;
 }
 }
-- 
2.11.0
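Review bot: The return value of `LZ4_decompress_safe` is an `int` that is negative when the compressed payload is malformed, but the hunk still stores it straight into `const size_t decompressed_size`, so a failed decompression is only rejected by the size-mismatch test further down after unsigned wraparound instead of being reported as a decompression error. Capture the raw result first, `const int lz4_result = LZ4_decompress_safe(...);` `if (lz4_result < 0) { *error_msg = StringPrintf("LZ4 decompression failed with %d", lz4_result); return nullptr; }`, and only then convert it to `size_t` for the existing comparison. The new capacity argument `map->Size() - decompress_offset` is also narrowed from `size_t` to the `int` parameter LZ4 takes; that is presumably harmless for real image sizes, but a comment such as `// Capacity excludes the header, which is written separately; must fit in int.` would record both assumptions. The enclosing `Init` continues outside this hunk on both sides, so whether `map->Size()` is guaranteed to be at least `sizeof(ImageHeader)` cannot be confirmed from here.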