Add the protection to avoid Integer overflow in BinaryXmlSerializer.java
Ignore-AOSP-First: security vulnerabilities
Bug: 307288067
Test: atest BinaryXmlTest
(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:8207203d4ee4210032a5d4e94d3cbf4635d7a890)
Merged-In: Id52bc0d0a0d46c3c31d9bb090466f8fbae4bd35a
Change-Id: Id52bc0d0a0d46c3c31d9bb090466f8fbae4bd35a
diff --git a/java/com/android/modules/utils/BinaryXmlSerializer.java b/java/com/android/modules/utils/BinaryXmlSerializer.java
index 7c0217e..9fdb818 100644
--- a/java/com/android/modules/utils/BinaryXmlSerializer.java
+++ b/java/com/android/modules/utils/BinaryXmlSerializer.java
@@ -16,6 +16,8 @@
package com.android.modules.utils;
+import static com.android.modules.utils.FastDataOutput.MAX_UNSIGNED_SHORT;
+
import static org.xmlpull.v1.XmlPullParser.CDSECT;
import static org.xmlpull.v1.XmlPullParser.COMMENT;
import static org.xmlpull.v1.XmlPullParser.DOCDECL;
@@ -224,6 +226,10 @@
if (namespace != null && !namespace.isEmpty()) throw illegalNamespace();
mOut.writeByte(ATTRIBUTE | TYPE_BYTES_HEX);
mOut.writeInternedUTF(name);
+ if (value.length > MAX_UNSIGNED_SHORT) {
+ throw new IOException("attributeBytesHex: input size (" + value.length
+ + ") exceeds maximum allowed size (" + MAX_UNSIGNED_SHORT + ")");
+ }
mOut.writeShort(value.length);
mOut.write(value);
return this;
@@ -235,6 +241,10 @@
if (namespace != null && !namespace.isEmpty()) throw illegalNamespace();
mOut.writeByte(ATTRIBUTE | TYPE_BYTES_BASE64);
mOut.writeInternedUTF(name);
+ if (value.length > MAX_UNSIGNED_SHORT) {
+ throw new IOException("attributeBytesBase64: input size (" + value.length
+ + ") exceeds maximum allowed size (" + MAX_UNSIGNED_SHORT + ")");
+ }
mOut.writeShort(value.length);
mOut.write(value);
return this;
