commit 6a8df53d90e47e3256faf7ff0caed0acf377b99b
author Anestis Bechtsoudis <anestis@census-labs.com> Sun Jul 12 12:51:35 2015 -0500
committer Anestis Bechtsoudis <anestis@census-labs.com> Mon Jul 13 11:10:59 2015 -0500
tree c6f80a9ec56dc205c803779f35822deea7f0a587
parent d4da360082e8eadcd12b5030f42a9ba598332471

ART: Fix DexFileVerifier try_items OoO validation

DexFileVerifier::CheckIntraCodeItem() implements an out of order
validation for CodeItem try_items.  try_items_size is validated for
sanity via CheckListSize() at dex_file_verifier.cc:800, although
handlers_size ULEB128 read (offset calculated from tries_size_) occurs
before at lines 797-798.

An out of bounds (wild) read will occur for invalid try_items_size at
parsed DEX file.

handlers_size read has been moved after try_items validation to resolve
this OoO issue.

Bug: 21307613
Bug: https://code.google.com/p/android/issues/detail?id=178592
Change-Id: I94d00819ee9a465f57ba9a1fdfdd356979e35ed7

runtime/dex_file_verifier.cc

diff --git a/runtime/dex_file_verifier.cc b/runtime/dex_file_verifier.cc
index 90b8fdb..eec4983 100644
--- a/runtime/dex_file_verifier.cc
+++ b/runtime/dex_file_verifier.cc
@@ -794,13 +794,13 @@
   }
 
   const DexFile::TryItem* try_items = DexFile::GetTryItems(*code_item, 0);
-  ptr_ = DexFile::GetCatchHandlerData(*code_item, 0);
-  uint32_t handlers_size = DecodeUnsignedLeb128(&ptr_);
-
   if (!CheckListSize(try_items, try_items_size, sizeof(DexFile::TryItem), "try_items size")) {
     return false;
   }
 
+  ptr_ = DexFile::GetCatchHandlerData(*code_item, 0);
+  uint32_t handlers_size = DecodeUnsignedLeb128(&ptr_);
+
   if (UNLIKELY((handlers_size == 0) || (handlers_size >= 65536))) {
     ErrorStringPrintf("Invalid handlers_size: %ud", handlers_size);
     return false;