DynamicRefTables parsed from apks are missing bounds checks that prevent
buffer overflows. This changes verifies the bounds of the header before
attempting to preform operations on the chunk.
Bug:
79488511
Test: run cts -m CtsAppSecurityHostTestCases \
-t android.appsecurity.cts.CorruptApkTests
Change-Id: I02c8ad957da244fce777ac68a482e4e8fa70f846
Merged-In: I02c8ad957da244fce777ac68a482e4e8fa70f846
(cherry picked from commit
18a6ada4aa136da4f50f03fff91d61d448ced195)
}
} else if (ctype == RES_TABLE_LIBRARY_TYPE) {
+
if (group->dynamicRefTable.entries().size() == 0) {
- status_t err = group->dynamicRefTable.load((const ResTable_lib_header*) chunk);
+ const ResTable_lib_header* lib = (const ResTable_lib_header*) chunk;
+ status_t err = validate_chunk(&lib->header, sizeof(*lib),
+ endPos, "ResTable_lib_header");
+ if (err != NO_ERROR) {
+ return (mError=err);
+ }
+
+ err = group->dynamicRefTable.load(lib);
if (err != NO_ERROR) {
return (mError=err);
}