Fix overly large allocation

Summary: Avoid malformed dex bytecode leading to outsized allocation. Drive-by fix previous overflow check. Reviewed By: NTillmann Differential Revision: D47485538 fbshipit-source-id: 04101af342fff87481f68a608619d3be84d20a0b
SeeYouOneDayDay · Jul 17, 2023 · b6f3110 · b6f3110
1 parent f9defa6
commit b6f3110
Show file tree

Hide file tree

Showing 2 changed files with 9 additions and 2 deletions.
diff --git a/libredex/DexIdx.cpp b/libredex/DexIdx.cpp
@@ -7,6 +7,7 @@
 
 #include "DexIdx.h"
 
+#include <limits>
 #include <sstream>
 
 #include "DexAnnotation.h"
@@ -158,6 +159,9 @@ DexTypeList* DexIdx::get_type_list(uint32_t offset) {
   }
   const uint32_t* tlp = get_uint_data(offset);
   uint32_t size = *tlp++;
+  // T137425749
+  redex_assert(size < get_file_size() / 2);
+  redex_assert(offset <= get_file_size() - 2 * size);
   const uint16_t* typep = (const uint16_t*)tlp;
   DexTypeList::ContainerType tlist;
   tlist.reserve(size);

diff --git a/libredex/DexIdx.h b/libredex/DexIdx.h
@@ -168,13 +168,16 @@ class DexIdx {
     return m_proto_cache[pidx];
   }
 
+  uint32_t get_file_size() const { return ((dex_header*)m_dexbase)->file_size; }
+
   const uint32_t* get_uint_data(uint32_t offset) {
-    always_assert(offset < ((dex_header*)m_dexbase)->file_size);
+    always_assert(offset < offset + 4);
+    always_assert(offset + 4 <= get_file_size());
     return (uint32_t*)(m_dexbase + offset);
   }
 
   const uint8_t* get_uleb_data(uint32_t offset) {
-    always_assert(offset < ((dex_header*)m_dexbase)->file_size);
+    always_assert(offset < get_file_size()); // Best effort.
     return m_dexbase + offset;
   }