Merge pull request #1044 from androguard/decode_past_file_length

reject decoding strings that are passing the string block in size
androguard · Apr 29, 2024 · ef5d45e · ef5d45e
2 parents 319c398 + 04e45e2
commit ef5d45e
Showing 1 changed file with 16 additions and 1 deletion.
diff --git a/androguard/core/axml/__init__.py b/androguard/core/axml/__init__.py
@@ -244,6 +244,13 @@ def _decode8(self, offset:int) -> str:
         encoded_bytes, skip = self._decode_length(offset, 1)
         offset += skip
 
+        # Two checks should happen here:
+        # a) offset + encoded_bytes surpassing the string_pool length and
+        # b) non-null terminated strings which should be rejected
+        # platform/frameworks/base/libs/androidfw/ResourceTypes.cpp#789
+        if len(self.m_charbuff) < (offset + encoded_bytes):
+            logger.warning(f"String size: {offset + encoded_bytes} is exceeding string pool size. Returning empty string.")
+            return ""
         data = self.m_charbuff[offset: offset + encoded_bytes]
 
         if self.m_charbuff[offset + encoded_bytes] != 0:
@@ -264,6 +271,14 @@ def _decode16(self, offset:int) -> str:
         # The len is the string len in utf-16 units
         encoded_bytes = str_len * 2
 
+        # Two checks should happen here:
+        # a) offset + encoded_bytes surpassing the string_pool length and
+        # b) non-null terminated strings which should be rejected
+        # platform/frameworks/base/libs/androidfw/ResourceTypes.cpp#789
+        if len(self.m_charbuff) < (offset + encoded_bytes):
+            logger.warning(f"String size: {offset + encoded_bytes} is exceeding string pool size. Returning empty string.")
+            return ""
+
         data = self.m_charbuff[offset: offset + encoded_bytes]
 
         if self.m_charbuff[offset + encoded_bytes:offset + encoded_bytes + 2] != b"\x00\x00":
@@ -835,7 +850,7 @@ def getAttributeName(self, index:int):
                                                                                ":")
                 if res != self.sb[name]:
                     self.packerwarning = True
-        
+
         if not res or res == ":":
             # Attach the HEX Number, so for multiple missing attributes we do not run
             # into problems.