ART: Fix DexFileVerifier try_items OoO validation
DexFileVerifier::CheckIntraCodeItem() validates CodeItem try_items out of
order: try_items_size is sanity-checked via CheckListSize() at
dex_file_verifier.cc:800, but the handlers_size ULEB128 read (whose offset
is computed from tries_size_) already happens before that check, at lines
797-798.
An out-of-bounds (wild) read therefore occurs when the parsed DEX file
carries an invalid try_items_size.
handlers_size read has been moved after try_items validation to resolve
this OoO issue.
Bug: 21307613
Bug: https://code.google.com/p/android/issues/detail?id=178592
Change-Id: I94d00819ee9a465f57ba9a1fdfdd356979e35ed7
diff --git a/runtime/dex_file_verifier.cc b/runtime/dex_file_verifier.cc
index 90b8fdb..eec4983 100644
--- a/runtime/dex_file_verifier.cc
+++ b/runtime/dex_file_verifier.cc
@@ -794,13 +794,13 @@
}
const DexFile::TryItem* try_items = DexFile::GetTryItems(*code_item, 0);
- ptr_ = DexFile::GetCatchHandlerData(*code_item, 0);
- uint32_t handlers_size = DecodeUnsignedLeb128(&ptr_);
-
if (!CheckListSize(try_items, try_items_size, sizeof(DexFile::TryItem), "try_items size")) {
return false;
}
+ ptr_ = DexFile::GetCatchHandlerData(*code_item, 0);
+ uint32_t handlers_size = DecodeUnsignedLeb128(&ptr_);
+
if (UNLIKELY((handlers_size == 0) || (handlers_size >= 65536))) {
ErrorStringPrintf("Invalid handlers_size: %ud", handlers_size);
return false;