1 /*
2 * Copyright (C) 2016 The Android Open Source Project
3 *
4 * Licensed under the Apache License, Version 2.0 (the "License");
5 * you may not use this file except in compliance with the License.
6 * You may obtain a copy of the License at
7 *
8 * http://www.apache.org/licenses/LICENSE-2.0
9 *
10 * Unless required by applicable law or agreed to in writing, software
11 * distributed under the License is distributed on an "AS IS" BASIS,
12 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
13 * See the License for the specific language governing permissions and
14 * limitations under the License.
15 */
16
17 #define ATRACE_TAG ATRACE_TAG_RESOURCES
18
19 #include "androidfw/LoadedArsc.h"
20
21 #include <algorithm>
22 #include <cstddef>
23 #include <limits>
24 #include <optional>
25
26 #include "android-base/logging.h"
27 #include "android-base/stringprintf.h"
28 #include "utils/ByteOrder.h"
29 #include "utils/Trace.h"
30
31 #ifdef _WIN32
32 #ifdef ERROR
33 #undef ERROR
34 #endif
35 #endif
36
37 #include "androidfw/Chunk.h"
38 #include "androidfw/ResourceUtils.h"
39 #include "androidfw/Util.h"
40
41 using android::base::StringPrintf;
42
43 namespace android {
44
45 constexpr const static int kFrameworkPackageId = 0x01;
46 constexpr const static int kAppPackageId = 0x7f;
47
48 namespace {
49
50 // Builder that helps accumulate Type structs and then create a single
51 // contiguous block of memory to store both the TypeSpec struct and
52 // the Type structs.
53 struct TypeSpecBuilder {
TypeSpecBuilderandroid::__anonf2330f980111::TypeSpecBuilder54 explicit TypeSpecBuilder(incfs::verified_map_ptr<ResTable_typeSpec> header) : header_(header) {
55 type_entries.reserve(dtohs(header_->typesCount));
56 }
57
AddTypeandroid::__anonf2330f980111::TypeSpecBuilder58 void AddType(incfs::verified_map_ptr<ResTable_type> type) {
59 TypeSpec::TypeEntry& entry = type_entries.emplace_back();
60 entry.config.copyFromDtoH(type->config);
61 entry.type = type;
62 }
63
Buildandroid::__anonf2330f980111::TypeSpecBuilder64 TypeSpec Build() {
65 type_entries.shrink_to_fit();
66 return {header_, std::move(type_entries)};
67 }
68
69 private:
70 DISALLOW_COPY_AND_ASSIGN(TypeSpecBuilder);
71
72 incfs::verified_map_ptr<ResTable_typeSpec> header_;
73 std::vector<TypeSpec::TypeEntry> type_entries;
74 };
75
76 } // namespace
77
78 // Precondition: The header passed in has already been verified, so reading any fields and trusting
79 // the ResChunk_header is safe.
VerifyResTableType(incfs::map_ptr<ResTable_type> header)80 static bool VerifyResTableType(incfs::map_ptr<ResTable_type> header) {
81 if (header->id == 0) {
82 LOG(ERROR) << "RES_TABLE_TYPE_TYPE has invalid ID 0.";
83 return false;
84 }
85
86 const size_t entry_count = dtohl(header->entryCount);
87 if (entry_count > std::numeric_limits<uint16_t>::max()) {
88 LOG(ERROR) << "RES_TABLE_TYPE_TYPE has too many entries (" << entry_count << ").";
89 return false;
90 }
91
92 // Make sure that there is enough room for the entry offsets.
93 const size_t offsets_offset = dtohs(header->header.headerSize);
94 const size_t entries_offset = dtohl(header->entriesStart);
95 const size_t offsets_length = header->flags & ResTable_type::FLAG_OFFSET16
96 ? sizeof(uint16_t) * entry_count
97 : sizeof(uint32_t) * entry_count;
98
99 if (offsets_offset > entries_offset || entries_offset - offsets_offset < offsets_length) {
100 LOG(ERROR) << "RES_TABLE_TYPE_TYPE entry offsets overlap actual entry data.";
101 return false;
102 }
103
104 if (entries_offset > dtohl(header->header.size)) {
105 LOG(ERROR) << "RES_TABLE_TYPE_TYPE entry offsets extend beyond chunk.";
106 return false;
107 }
108
109 if (entries_offset & 0x03U) {
110 LOG(ERROR) << "RES_TABLE_TYPE_TYPE entries start at unaligned address.";
111 return false;
112 }
113 return true;
114 }
115
116 static base::expected<incfs::verified_map_ptr<ResTable_entry>, NullOrIOError>
VerifyResTableEntry(incfs::verified_map_ptr<ResTable_type> type,uint32_t entry_offset)117 VerifyResTableEntry(incfs::verified_map_ptr<ResTable_type> type, uint32_t entry_offset) {
118 // Check that the offset is aligned.
119 if (UNLIKELY(entry_offset & 0x03U)) {
120 LOG(ERROR) << "Entry at offset " << entry_offset << " is not 4-byte aligned.";
121 return base::unexpected(std::nullopt);
122 }
123
124 // Check that the offset doesn't overflow.
125 if (UNLIKELY(entry_offset > std::numeric_limits<uint32_t>::max() - dtohl(type->entriesStart))) {
126 // Overflow in offset.
127 LOG(ERROR) << "Entry at offset " << entry_offset << " is too large.";
128 return base::unexpected(std::nullopt);
129 }
130
131 const size_t chunk_size = dtohl(type->header.size);
132
133 entry_offset += dtohl(type->entriesStart);
134 if (UNLIKELY(entry_offset > chunk_size - sizeof(ResTable_entry))) {
135 LOG(ERROR) << "Entry at offset " << entry_offset
136 << " is too large. No room for ResTable_entry.";
137 return base::unexpected(std::nullopt);
138 }
139
140 auto entry = type.offset(entry_offset).convert<ResTable_entry>();
141 if (UNLIKELY(!entry)) {
142 return base::unexpected(IOError::PAGES_MISSING);
143 }
144
145 const size_t entry_size = entry->size();
146 if (UNLIKELY(entry_size < sizeof(entry.value()))) {
147 LOG(ERROR) << "ResTable_entry size " << entry_size << " at offset " << entry_offset
148 << " is too small.";
149 return base::unexpected(std::nullopt);
150 }
151
152 if (UNLIKELY(entry_size > chunk_size || entry_offset > chunk_size - entry_size)) {
153 LOG(ERROR) << "ResTable_entry size " << entry_size << " at offset " << entry_offset
154 << " is too large.";
155 return base::unexpected(std::nullopt);
156 }
157
158 // If entry is compact, value is already encoded, and a compact entry
159 // cannot be a map_entry, we are done verifying
160 if (entry->is_compact())
161 return entry.verified();
162
163 if (entry_size < sizeof(ResTable_map_entry)) {
164 // There needs to be room for one Res_value struct.
165 if (UNLIKELY(entry_offset + entry_size > chunk_size - sizeof(Res_value))) {
166 LOG(ERROR) << "No room for Res_value after ResTable_entry at offset " << entry_offset
167 << " for type " << (int)type->id << ".";
168 return base::unexpected(std::nullopt);
169 }
170
171 auto value = entry.offset(entry_size).convert<Res_value>();
172 if (UNLIKELY(!value)) {
173 return base::unexpected(IOError::PAGES_MISSING);
174 }
175
176 const size_t value_size = dtohs(value->size);
177 if (UNLIKELY(value_size < sizeof(Res_value))) {
178 LOG(ERROR) << "Res_value at offset " << entry_offset << " is too small.";
179 return base::unexpected(std::nullopt);
180 }
181
182 if (UNLIKELY(value_size > chunk_size || entry_offset + entry_size > chunk_size - value_size)) {
183 LOG(ERROR) << "Res_value size " << value_size << " at offset " << entry_offset
184 << " is too large.";
185 return base::unexpected(std::nullopt);
186 }
187 } else {
188 auto map = entry.convert<ResTable_map_entry>();
189 if (UNLIKELY(!map)) {
190 return base::unexpected(IOError::PAGES_MISSING);
191 }
192
193 const size_t map_entry_count = dtohl(map->count);
194 size_t map_entries_start = entry_offset + entry_size;
195 if (UNLIKELY(map_entries_start & 0x03U)) {
196 LOG(ERROR) << "Map entries at offset " << entry_offset << " start at unaligned offset.";
197 return base::unexpected(std::nullopt);
198 }
199
200 // Each entry is sizeof(ResTable_map) big.
201 if (UNLIKELY(map_entry_count > ((chunk_size - map_entries_start) / sizeof(ResTable_map)))) {
202 LOG(ERROR) << "Too many map entries in ResTable_map_entry at offset " << entry_offset << ".";
203 return base::unexpected(std::nullopt);
204 }
205 }
206 return entry.verified();
207 }
208
iterator(const LoadedPackage * lp,size_t ti,size_t ei)209 LoadedPackage::iterator::iterator(const LoadedPackage* lp, size_t ti, size_t ei)
210 : loadedPackage_(lp),
211 typeIndex_(ti),
212 entryIndex_(ei),
213 typeIndexEnd_(lp->resource_ids_.size() + 1) {
214 while (typeIndex_ < typeIndexEnd_ && loadedPackage_->resource_ids_[typeIndex_] == 0) {
215 typeIndex_++;
216 }
217 }
218
operator ++()219 LoadedPackage::iterator& LoadedPackage::iterator::operator++() {
220 while (typeIndex_ < typeIndexEnd_) {
221 if (entryIndex_ + 1 < loadedPackage_->resource_ids_[typeIndex_]) {
222 entryIndex_++;
223 break;
224 }
225 entryIndex_ = 0;
226 typeIndex_++;
227 if (typeIndex_ < typeIndexEnd_ && loadedPackage_->resource_ids_[typeIndex_] != 0) {
228 break;
229 }
230 }
231 return *this;
232 }
233
operator *() const234 uint32_t LoadedPackage::iterator::operator*() const {
235 if (typeIndex_ >= typeIndexEnd_) {
236 return 0;
237 }
238 return make_resid(loadedPackage_->package_id_, typeIndex_ + loadedPackage_->type_id_offset_,
239 entryIndex_);
240 }
241
GetEntry(incfs::verified_map_ptr<ResTable_type> type_chunk,uint16_t entry_index)242 base::expected<incfs::verified_map_ptr<ResTable_entry>, NullOrIOError> LoadedPackage::GetEntry(
243 incfs::verified_map_ptr<ResTable_type> type_chunk, uint16_t entry_index) {
244 base::expected<uint32_t, NullOrIOError> entry_offset = GetEntryOffset(type_chunk, entry_index);
245 if (UNLIKELY(!entry_offset.has_value())) {
246 return base::unexpected(entry_offset.error());
247 }
248 return GetEntryFromOffset(type_chunk, entry_offset.value());
249 }
250
GetEntryOffset(incfs::verified_map_ptr<ResTable_type> type_chunk,uint16_t entry_index)251 base::expected<uint32_t, NullOrIOError> LoadedPackage::GetEntryOffset(
252 incfs::verified_map_ptr<ResTable_type> type_chunk, uint16_t entry_index) {
253 // The configuration matches and is better than the previous selection.
254 // Find the entry value if it exists for this configuration.
255 const size_t entry_count = dtohl(type_chunk->entryCount);
256 const auto offsets = type_chunk.offset(dtohs(type_chunk->header.headerSize));
257
258 // Check if there is the desired entry in this type.
259 if (type_chunk->flags & ResTable_type::FLAG_SPARSE) {
260 // This is encoded as a sparse map, so perform a binary search.
261 bool error = false;
262 auto sparse_indices = offsets.convert<ResTable_sparseTypeEntry>().iterator();
263 auto sparse_indices_end = sparse_indices + entry_count;
264 auto result = std::lower_bound(sparse_indices, sparse_indices_end, entry_index,
265 [&error](const incfs::map_ptr<ResTable_sparseTypeEntry>& entry,
266 uint16_t entry_idx) {
267 if (UNLIKELY(!entry)) {
268 return error = true;
269 }
270 return dtohs(entry->idx) < entry_idx;
271 });
272
273 if (result == sparse_indices_end) {
274 // No entry found.
275 return base::unexpected(std::nullopt);
276 }
277
278 const incfs::verified_map_ptr<ResTable_sparseTypeEntry> entry = (*result).verified();
279 if (dtohs(entry->idx) != entry_index) {
280 if (error) {
281 return base::unexpected(IOError::PAGES_MISSING);
282 }
283 return base::unexpected(std::nullopt);
284 }
285
286 // Extract the offset from the entry. Each offset must be a multiple of 4 so we store it as
287 // the real offset divided by 4.
288 return uint32_t{dtohs(entry->offset)} * 4u;
289 }
290
291 // This type is encoded as a dense array.
292 if (entry_index >= entry_count) {
293 // This entry cannot be here.
294 return base::unexpected(std::nullopt);
295 }
296
297 uint32_t result;
298
299 if (type_chunk->flags & ResTable_type::FLAG_OFFSET16) {
300 const auto entry_offset_ptr = offsets.convert<uint16_t>() + entry_index;
301 if (UNLIKELY(!entry_offset_ptr)) {
302 return base::unexpected(IOError::PAGES_MISSING);
303 }
304 result = offset_from16(entry_offset_ptr.value());
305 } else {
306 const auto entry_offset_ptr = offsets.convert<uint32_t>() + entry_index;
307 if (UNLIKELY(!entry_offset_ptr)) {
308 return base::unexpected(IOError::PAGES_MISSING);
309 }
310 result = dtohl(entry_offset_ptr.value());
311 }
312
313 if (result == ResTable_type::NO_ENTRY) {
314 return base::unexpected(std::nullopt);
315 }
316 return result;
317 }
318
319 base::expected<incfs::verified_map_ptr<ResTable_entry>, NullOrIOError>
GetEntryFromOffset(incfs::verified_map_ptr<ResTable_type> type_chunk,uint32_t offset)320 LoadedPackage::GetEntryFromOffset(incfs::verified_map_ptr<ResTable_type> type_chunk,
321 uint32_t offset) {
322 auto valid = VerifyResTableEntry(type_chunk, offset);
323 if (UNLIKELY(!valid.has_value())) {
324 return base::unexpected(valid.error());
325 }
326 return valid;
327 }
328
CollectConfigurations(bool exclude_mipmap,std::set<ResTable_config> * out_configs) const329 base::expected<std::monostate, IOError> LoadedPackage::CollectConfigurations(
330 bool exclude_mipmap, std::set<ResTable_config>* out_configs) const {
331 for (const auto& type_spec : type_specs_) {
332 if (exclude_mipmap) {
333 const int type_idx = type_spec.first - 1;
334 const auto type_name16 = type_string_pool_.stringAt(type_idx);
335 if (UNLIKELY(IsIOError(type_name16))) {
336 return base::unexpected(GetIOError(type_name16.error()));
337 }
338 if (type_name16.has_value()) {
339 if (strncmp16(type_name16->data(), u"mipmap", type_name16->size()) == 0) {
340 // This is a mipmap type, skip collection.
341 continue;
342 }
343 }
344
345 const auto type_name = type_string_pool_.string8At(type_idx);
346 if (UNLIKELY(IsIOError(type_name))) {
347 return base::unexpected(GetIOError(type_name.error()));
348 }
349 if (type_name.has_value()) {
350 if (strncmp(type_name->data(), "mipmap", type_name->size()) == 0) {
351 // This is a mipmap type, skip collection.
352 continue;
353 }
354 }
355 }
356
357 for (const auto& type_entry : type_spec.second.type_entries) {
358 out_configs->insert(type_entry.config);
359 }
360 }
361 return {};
362 }
363
CollectLocales(bool canonicalize,Locales * out_locales) const364 void LoadedPackage::CollectLocales(bool canonicalize,
365 Locales* out_locales) const {
366 for (const auto& type_spec : type_specs_) {
367 for (const auto& type_entry : type_spec.second.type_entries) {
368 if (type_entry.config.locale != 0) {
369 char temp_locale[RESTABLE_MAX_LOCALE_LEN];
370 type_entry.config.getBcp47Locale(temp_locale, canonicalize);
371 auto locale_sv = std::string_view(temp_locale);
372 if (auto it = out_locales->lower_bound(locale_sv);
373 it == out_locales->end() || *it != locale_sv) {
374 out_locales->emplace_hint(it, locale_sv);
375 }
376 }
377 }
378 }
379 }
380
FindEntryByName(const std::u16string & type_name,const std::u16string & entry_name) const381 base::expected<uint32_t, NullOrIOError> LoadedPackage::FindEntryByName(
382 const std::u16string& type_name, const std::u16string& entry_name) const {
383 const base::expected<size_t, NullOrIOError> type_idx = type_string_pool_.indexOfString(
384 type_name.data(), type_name.size());
385 if (!type_idx.has_value()) {
386 return base::unexpected(type_idx.error());
387 }
388
389 const base::expected<size_t, NullOrIOError> key_idx = key_string_pool_.indexOfString(
390 entry_name.data(), entry_name.size());
391 if (!key_idx.has_value()) {
392 return base::unexpected(key_idx.error());
393 }
394
395 const TypeSpec* type_spec = GetTypeSpecByTypeIndex(*type_idx);
396 if (type_spec == nullptr) {
397 return base::unexpected(std::nullopt);
398 }
399
400 for (const auto& type_entry : type_spec->type_entries) {
401 const incfs::verified_map_ptr<ResTable_type>& type = type_entry.type;
402
403 const size_t entry_count = dtohl(type->entryCount);
404 const auto entry_offsets = type.offset(dtohs(type->header.headerSize));
405
406 for (size_t entry_idx = 0; entry_idx < entry_count; entry_idx++) {
407 uint32_t offset;
408 uint16_t res_idx;
409 if (type->flags & ResTable_type::FLAG_SPARSE) {
410 auto sparse_entry = entry_offsets.convert<ResTable_sparseTypeEntry>() + entry_idx;
411 if (!sparse_entry) {
412 return base::unexpected(IOError::PAGES_MISSING);
413 }
414 offset = dtohs(sparse_entry->offset) * 4u;
415 res_idx = dtohs(sparse_entry->idx);
416 } else if (type->flags & ResTable_type::FLAG_OFFSET16) {
417 auto entry = entry_offsets.convert<uint16_t>() + entry_idx;
418 if (!entry) {
419 return base::unexpected(IOError::PAGES_MISSING);
420 }
421 offset = offset_from16(entry.value());
422 res_idx = entry_idx;
423 } else {
424 auto entry = entry_offsets.convert<uint32_t>() + entry_idx;
425 if (!entry) {
426 return base::unexpected(IOError::PAGES_MISSING);
427 }
428 offset = dtohl(entry.value());
429 res_idx = entry_idx;
430 }
431
432 if (offset != ResTable_type::NO_ENTRY) {
433 auto entry = type.offset(dtohl(type->entriesStart) + offset).convert<ResTable_entry>();
434 if (!entry) {
435 return base::unexpected(IOError::PAGES_MISSING);
436 }
437
438 if (entry->key() == static_cast<uint32_t>(*key_idx)) {
439 // The package ID will be overridden by the caller (due to runtime assignment of package
440 // IDs for shared libraries).
441 return make_resid(0x00, *type_idx + type_id_offset_ + 1, res_idx);
442 }
443 }
444 }
445 }
446 return base::unexpected(std::nullopt);
447 }
448
GetPackageById(uint8_t package_id) const449 const LoadedPackage* LoadedArsc::GetPackageById(uint8_t package_id) const {
450 for (const auto& loaded_package : packages_) {
451 if (loaded_package->GetPackageId() == package_id) {
452 return loaded_package.get();
453 }
454 }
455 return nullptr;
456 }
457
Load(const Chunk & chunk,package_property_t property_flags)458 std::unique_ptr<const LoadedPackage> LoadedPackage::Load(const Chunk& chunk,
459 package_property_t property_flags) {
460 ATRACE_NAME("LoadedPackage::Load");
461 const bool optimize_name_lookups = (property_flags & PROPERTY_OPTIMIZE_NAME_LOOKUPS) != 0;
462 std::unique_ptr<LoadedPackage> loaded_package(new LoadedPackage(optimize_name_lookups));
463
464 // typeIdOffset was added at some point, but we still must recognize apps built before this
465 // was added.
466 constexpr size_t kMinPackageSize =
467 sizeof(ResTable_package) - sizeof(ResTable_package::typeIdOffset);
468 const incfs::map_ptr<ResTable_package> header = chunk.header<ResTable_package, kMinPackageSize>();
469 if (!header) {
470 LOG(ERROR) << "RES_TABLE_PACKAGE_TYPE too small.";
471 return {};
472 }
473
474 if ((property_flags & PROPERTY_SYSTEM) != 0) {
475 loaded_package->property_flags_ |= PROPERTY_SYSTEM;
476 }
477
478 if ((property_flags & PROPERTY_LOADER) != 0) {
479 loaded_package->property_flags_ |= PROPERTY_LOADER;
480 }
481
482 if ((property_flags & PROPERTY_OVERLAY) != 0) {
483 // Overlay resources must have an exclusive resource id space for referencing internal
484 // resources.
485 loaded_package->property_flags_ |= PROPERTY_OVERLAY | PROPERTY_DYNAMIC;
486 }
487
488 loaded_package->package_id_ = dtohl(header->id);
489 if (loaded_package->package_id_ == 0 ||
490 (loaded_package->package_id_ == kAppPackageId && (property_flags & PROPERTY_DYNAMIC) != 0)) {
491 loaded_package->property_flags_ |= PROPERTY_DYNAMIC;
492 }
493
494 if (header->header.headerSize >= sizeof(ResTable_package)) {
495 uint32_t type_id_offset = dtohl(header->typeIdOffset);
496 if (type_id_offset > std::numeric_limits<uint8_t>::max()) {
497 LOG(ERROR) << "RES_TABLE_PACKAGE_TYPE type ID offset too large.";
498 return {};
499 }
500 loaded_package->type_id_offset_ = static_cast<int>(type_id_offset);
501 }
502
503 util::ReadUtf16StringFromDevice(header->name, arraysize(header->name),
504 &loaded_package->package_name_);
505
506 const bool only_overlayable = (property_flags & PROPERTY_ONLY_OVERLAYABLES) != 0;
507
508 // A map of TypeSpec builders, each associated with an type index.
509 // We use these to accumulate the set of Types available for a TypeSpec, and later build a single,
510 // contiguous block of memory that holds all the Types together with the TypeSpec.
511 std::unordered_map<int, std::optional<TypeSpecBuilder>> type_builder_map;
512
513 ChunkIterator iter(chunk.data_ptr(), chunk.data_size());
514 while (iter.HasNext()) {
515 const Chunk child_chunk = iter.Next();
516 if (only_overlayable && child_chunk.type() != RES_TABLE_OVERLAYABLE_TYPE) {
517 continue;
518 }
519 switch (child_chunk.type()) {
520 case RES_STRING_POOL_TYPE: {
521 const auto pool_address = child_chunk.header<ResChunk_header>();
522 if (!pool_address) {
523 LOG(ERROR) << "RES_STRING_POOL_TYPE is incomplete due to incremental installation.";
524 return {};
525 }
526
527 if (pool_address == header.offset(dtohl(header->typeStrings)).convert<ResChunk_header>()) {
528 // This string pool is the type string pool.
529 status_t err = loaded_package->type_string_pool_.setTo(
530 child_chunk.header<ResStringPool_header>(), child_chunk.size());
531 if (err != NO_ERROR) {
532 LOG(ERROR) << "RES_STRING_POOL_TYPE for types corrupt.";
533 return {};
534 }
535 } else if (pool_address == header.offset(dtohl(header->keyStrings))
536 .convert<ResChunk_header>()) {
537 // This string pool is the key string pool.
538 status_t err = loaded_package->key_string_pool_.setTo(
539 child_chunk.header<ResStringPool_header>(), child_chunk.size());
540 if (err != NO_ERROR) {
541 LOG(ERROR) << "RES_STRING_POOL_TYPE for keys corrupt.";
542 return {};
543 }
544 } else {
545 LOG(WARNING) << "Too many RES_STRING_POOL_TYPEs found in RES_TABLE_PACKAGE_TYPE.";
546 }
547 } break;
548
549 case RES_TABLE_TYPE_SPEC_TYPE: {
550 const auto type_spec = child_chunk.header<ResTable_typeSpec>();
551 if (!type_spec) {
552 LOG(ERROR) << "RES_TABLE_TYPE_SPEC_TYPE too small.";
553 return {};
554 }
555
556 if (type_spec->id == 0) {
557 LOG(ERROR) << "RES_TABLE_TYPE_SPEC_TYPE has invalid ID 0.";
558 return {};
559 }
560
561 if (loaded_package->type_id_offset_ + static_cast<int>(type_spec->id) >
562 std::numeric_limits<uint8_t>::max()) {
563 LOG(ERROR) << "RES_TABLE_TYPE_SPEC_TYPE has out of range ID.";
564 return {};
565 }
566
567 // The data portion of this chunk contains entry_count 32bit entries,
568 // each one representing a set of flags.
569 // Here we only validate that the chunk is well formed.
570 const size_t entry_count = dtohl(type_spec->entryCount);
571
572 // There can only be 2^16 entries in a type, because that is the ID
573 // space for entries (EEEE) in the resource ID 0xPPTTEEEE.
574 if (entry_count > std::numeric_limits<uint16_t>::max()) {
575 LOG(ERROR) << "RES_TABLE_TYPE_SPEC_TYPE has too many entries (" << entry_count << ").";
576 return {};
577 }
578
579 if (entry_count * sizeof(uint32_t) > child_chunk.data_size()) {
580 LOG(ERROR) << "RES_TABLE_TYPE_SPEC_TYPE too small to hold entries.";
581 return {};
582 }
583
584 auto& maybe_type_builder = type_builder_map[type_spec->id];
585 if (!maybe_type_builder) {
586 maybe_type_builder.emplace(type_spec.verified());
587 loaded_package->resource_ids_.set(type_spec->id, entry_count);
588 } else {
589 LOG(WARNING) << StringPrintf("RES_TABLE_TYPE_SPEC_TYPE already defined for ID %02x",
590 type_spec->id);
591 }
592 } break;
593
594 case RES_TABLE_TYPE_TYPE: {
595 const auto type = child_chunk.header<ResTable_type, kResTableTypeMinSize>();
596 if (!type) {
597 LOG(ERROR) << "RES_TABLE_TYPE_TYPE too small.";
598 return {};
599 }
600
601 if (!VerifyResTableType(type)) {
602 return {};
603 }
604
605 // Type chunks must be preceded by their TypeSpec chunks.
606 auto& maybe_type_builder = type_builder_map[type->id];
607 if (maybe_type_builder) {
608 maybe_type_builder->AddType(type.verified());
609 } else {
610 LOG(ERROR) << StringPrintf(
611 "RES_TABLE_TYPE_TYPE with ID %02x found without preceding RES_TABLE_TYPE_SPEC_TYPE.",
612 type->id);
613 return {};
614 }
615 } break;
616
617 case RES_TABLE_LIBRARY_TYPE: {
618 const auto lib = child_chunk.header<ResTable_lib_header>();
619 if (!lib) {
620 LOG(ERROR) << "RES_TABLE_LIBRARY_TYPE too small.";
621 return {};
622 }
623
624 if (child_chunk.data_size() / sizeof(ResTable_lib_entry) < dtohl(lib->count)) {
625 LOG(ERROR) << "RES_TABLE_LIBRARY_TYPE too small to hold entries.";
626 return {};
627 }
628
629 loaded_package->dynamic_package_map_.reserve(dtohl(lib->count));
630
631 const auto entry_begin = child_chunk.data_ptr().convert<ResTable_lib_entry>();
632 const auto entry_end = entry_begin + dtohl(lib->count);
633 for (auto entry_iter = entry_begin; entry_iter != entry_end; ++entry_iter) {
634 if (!entry_iter) {
635 return {};
636 }
637
638 std::string package_name;
639 util::ReadUtf16StringFromDevice(entry_iter->packageName,
640 arraysize(entry_iter->packageName), &package_name);
641
642 if (dtohl(entry_iter->packageId) >= std::numeric_limits<uint8_t>::max()) {
643 LOG(ERROR) << StringPrintf(
644 "Package ID %02x in RES_TABLE_LIBRARY_TYPE too large for package '%s'.",
645 dtohl(entry_iter->packageId), package_name.c_str());
646 return {};
647 }
648
649 loaded_package->dynamic_package_map_.emplace_back(std::move(package_name),
650 dtohl(entry_iter->packageId));
651 }
652 } break;
653
654 case RES_TABLE_OVERLAYABLE_TYPE: {
655 const auto overlayable = child_chunk.header<ResTable_overlayable_header>();
656 if (!overlayable) {
657 LOG(ERROR) << "RES_TABLE_OVERLAYABLE_TYPE too small.";
658 return {};
659 }
660
661 std::string name;
662 util::ReadUtf16StringFromDevice(overlayable->name, std::size(overlayable->name), &name);
663 std::string actor;
664 util::ReadUtf16StringFromDevice(overlayable->actor, std::size(overlayable->actor), &actor);
665 auto [name_to_actor_it, inserted] =
666 loaded_package->overlayable_map_.emplace(std::move(name), std::move(actor));
667 if (!inserted) {
668 LOG(ERROR) << "Multiple <overlayable> blocks with the same name '"
669 << name_to_actor_it->first << "'.";
670 return {};
671 }
672 if (only_overlayable) {
673 break;
674 }
675
676 // Iterate over the overlayable policy chunks contained within the overlayable chunk data
677 ChunkIterator overlayable_iter(child_chunk.data_ptr(), child_chunk.data_size());
678 while (overlayable_iter.HasNext()) {
679 const Chunk overlayable_child_chunk = overlayable_iter.Next();
680
681 switch (overlayable_child_chunk.type()) {
682 case RES_TABLE_OVERLAYABLE_POLICY_TYPE: {
683 const auto policy_header =
684 overlayable_child_chunk.header<ResTable_overlayable_policy_header>();
685 if (!policy_header) {
686 LOG(ERROR) << "RES_TABLE_OVERLAYABLE_POLICY_TYPE too small.";
687 return {};
688 }
689 if ((overlayable_child_chunk.data_size() / sizeof(ResTable_ref))
690 < dtohl(policy_header->entry_count)) {
691 LOG(ERROR) << "RES_TABLE_OVERLAYABLE_POLICY_TYPE too small to hold entries.";
692 return {};
693 }
694
695 // Retrieve all the resource ids belonging to this policy chunk
696 const auto ids_begin = overlayable_child_chunk.data_ptr().convert<ResTable_ref>();
697 const auto ids_end = ids_begin + dtohl(policy_header->entry_count);
698 std::unordered_set<uint32_t> ids;
699 ids.reserve(ids_end - ids_begin);
700 for (auto id_iter = ids_begin; id_iter != ids_end; ++id_iter) {
701 if (!id_iter) {
702 LOG(ERROR) << "NULL ResTable_ref record??";
703 return {};
704 }
705 ids.insert(dtohl(id_iter->ident));
706 }
707
708 // Add the pairing of overlayable properties and resource ids to the package
709 OverlayableInfo overlayable_info {
710 .name = name_to_actor_it->first,
711 .actor = name_to_actor_it->second,
712 .policy_flags = policy_header->policy_flags
713 };
714 loaded_package->overlayable_infos_.emplace_back(std::move(overlayable_info), std::move(ids));
715 loaded_package->defines_overlayable_ = true;
716 break;
717 }
718
719 default:
720 LOG(WARNING) << StringPrintf("Unknown chunk type '%02x'.", chunk.type());
721 break;
722 }
723 }
724
725 if (overlayable_iter.HadError()) {
726 LOG(ERROR) << StringPrintf("Error parsing RES_TABLE_OVERLAYABLE_TYPE: %s",
727 overlayable_iter.GetLastError().c_str());
728 if (overlayable_iter.HadFatalError()) {
729 return {};
730 }
731 }
732 } break;
733
734 case RES_TABLE_STAGED_ALIAS_TYPE: {
735 if (loaded_package->package_id_ != kFrameworkPackageId) {
736 LOG(WARNING) << "Alias chunk ignored for non-framework package '"
737 << loaded_package->package_name_ << "'";
738 break;
739 }
740
741 const auto lib_alias = child_chunk.header<ResTable_staged_alias_header>();
742 if (!lib_alias) {
743 LOG(ERROR) << "RES_TABLE_STAGED_ALIAS_TYPE is too small.";
744 return {};
745 }
746 if ((child_chunk.data_size() / sizeof(ResTable_staged_alias_entry))
747 < dtohl(lib_alias->count)) {
748 LOG(ERROR) << "RES_TABLE_STAGED_ALIAS_TYPE is too small to hold entries.";
749 return {};
750 }
751 const auto entry_begin = child_chunk.data_ptr().convert<ResTable_staged_alias_entry>();
752 const auto entry_end = entry_begin + dtohl(lib_alias->count);
753 std::unordered_set<uint32_t> finalized_ids;
754 finalized_ids.reserve(entry_end - entry_begin);
755 loaded_package->alias_id_map_.reserve(entry_end - entry_begin);
756 for (auto entry_iter = entry_begin; entry_iter != entry_end; ++entry_iter) {
757 if (!entry_iter) {
758 LOG(ERROR) << "NULL ResTable_staged_alias_entry record??";
759 return {};
760 }
761 auto finalized_id = dtohl(entry_iter->finalizedResId);
762 if (!finalized_ids.insert(finalized_id).second) {
763 LOG(ERROR) << StringPrintf("Repeated finalized resource id '%08x' in staged aliases.",
764 finalized_id);
765 return {};
766 }
767
768 auto staged_id = dtohl(entry_iter->stagedResId);
769 loaded_package->alias_id_map_.emplace_back(staged_id, finalized_id);
770 }
771
772 std::sort(loaded_package->alias_id_map_.begin(), loaded_package->alias_id_map_.end(),
773 [](auto&& l, auto&& r) { return l.first < r.first; });
774 const auto duplicate_it =
775 std::adjacent_find(loaded_package->alias_id_map_.begin(),
776 loaded_package->alias_id_map_.end(),
777 [](auto&& l, auto&& r) { return l.first == r.first; });
778 if (duplicate_it != loaded_package->alias_id_map_.end()) {
779 LOG(ERROR) << StringPrintf("Repeated staged resource id '%08x' in staged aliases.",
780 duplicate_it->first);
781 return {};
782 }
783 } break;
784
785 default:
786 LOG(WARNING) << StringPrintf("Unknown chunk type '%02x'.", chunk.type());
787 break;
788 }
789 }
790
791 if (iter.HadError()) {
792 LOG(ERROR) << iter.GetLastError();
793 if (iter.HadFatalError()) {
794 return {};
795 }
796 }
797
798 // Flatten and construct the TypeSpecs.
799 for (auto& entry : type_builder_map) {
800 TypeSpec type_spec = entry.second->Build();
801 uint8_t type_id = static_cast<uint8_t>(entry.first);
802 loaded_package->type_specs_[type_id] = std::move(type_spec);
803 }
804
805 return std::move(loaded_package);
806 }
807
LoadTable(const Chunk & chunk,const LoadedIdmap * loaded_idmap,package_property_t property_flags)808 bool LoadedArsc::LoadTable(const Chunk& chunk, const LoadedIdmap* loaded_idmap,
809 package_property_t property_flags) {
810 incfs::map_ptr<ResTable_header> header = chunk.header<ResTable_header>();
811 if (!header) {
812 LOG(ERROR) << "RES_TABLE_TYPE too small.";
813 return false;
814 }
815
816 if (loaded_idmap != nullptr) {
817 global_string_pool_ = util::make_unique<OverlayStringPool>(loaded_idmap);
818 }
819
820 const bool only_overlayable = (property_flags & PROPERTY_ONLY_OVERLAYABLES) != 0;
821
822 const size_t package_count = dtohl(header->packageCount);
823 size_t packages_seen = 0;
824
825 if (!only_overlayable) {
826 packages_.reserve(package_count);
827 }
828
829 ChunkIterator iter(chunk.data_ptr(), chunk.data_size());
830 while (iter.HasNext()) {
831 const Chunk child_chunk = iter.Next();
832 if (only_overlayable && child_chunk.type() != RES_TABLE_PACKAGE_TYPE) {
833 continue;
834 }
835 switch (child_chunk.type()) {
836 case RES_STRING_POOL_TYPE:
837 // Only use the first string pool. Ignore others.
838 if (global_string_pool_->getError() == NO_INIT) {
839 status_t err = global_string_pool_->setTo(child_chunk.header<ResStringPool_header>(),
840 child_chunk.size());
841 if (err != NO_ERROR) {
842 LOG(ERROR) << "RES_STRING_POOL_TYPE corrupt.";
843 return false;
844 }
845 } else {
846 LOG(WARNING) << "Multiple RES_STRING_POOL_TYPEs found in RES_TABLE_TYPE.";
847 }
848 break;
849
850 case RES_TABLE_PACKAGE_TYPE: {
851 if (packages_seen + 1 > package_count) {
852 LOG(ERROR) << "More package chunks were found than the " << package_count
853 << " declared in the header.";
854 return false;
855 }
856 packages_seen++;
857
858 std::unique_ptr<const LoadedPackage> loaded_package =
859 LoadedPackage::Load(child_chunk, property_flags);
860 if (!loaded_package) {
861 return false;
862 }
863 packages_.push_back(std::move(loaded_package));
864 if (only_overlayable) {
865 // Overlayable is always in the first package, no need to process anything else.
866 return true;
867 }
868 } break;
869
870 default:
871 LOG(WARNING) << StringPrintf("Unknown chunk type '%02x'.", chunk.type());
872 break;
873 }
874 }
875
876 if (iter.HadError()) {
877 LOG(ERROR) << iter.GetLastError();
878 if (iter.HadFatalError()) {
879 return false;
880 }
881 }
882 return true;
883 }
884
LoadStringPool(const LoadedIdmap * loaded_idmap)885 bool LoadedArsc::LoadStringPool(const LoadedIdmap* loaded_idmap) {
886 if (loaded_idmap != nullptr) {
887 global_string_pool_ = util::make_unique<OverlayStringPool>(loaded_idmap);
888 }
889 return true;
890 }
891
Load(incfs::map_ptr<void> data,const size_t length,const LoadedIdmap * loaded_idmap,const package_property_t property_flags)892 std::unique_ptr<LoadedArsc> LoadedArsc::Load(incfs::map_ptr<void> data,
893 const size_t length,
894 const LoadedIdmap* loaded_idmap,
895 const package_property_t property_flags) {
896 ATRACE_NAME("LoadedArsc::Load");
897
898 // Not using make_unique because the constructor is private.
899 std::unique_ptr<LoadedArsc> loaded_arsc(new LoadedArsc());
900
901 ChunkIterator iter(data, length);
902 while (iter.HasNext()) {
903 const Chunk chunk = iter.Next();
904 switch (chunk.type()) {
905 case RES_TABLE_TYPE:
906 if (!loaded_arsc->LoadTable(chunk, loaded_idmap, property_flags)) {
907 return {};
908 }
909 break;
910
911 default:
912 LOG(WARNING) << StringPrintf("Unknown chunk type '%02x'.", chunk.type());
913 break;
914 }
915 }
916
917 if (iter.HadError()) {
918 LOG(ERROR) << iter.GetLastError();
919 if (iter.HadFatalError()) {
920 return {};
921 }
922 }
923
924 return loaded_arsc;
925 }
926
Load(const LoadedIdmap * loaded_idmap)927 std::unique_ptr<LoadedArsc> LoadedArsc::Load(const LoadedIdmap* loaded_idmap) {
928 ATRACE_NAME("LoadedArsc::Load");
929
930 // Not using make_unique because the constructor is private.
931 std::unique_ptr<LoadedArsc> loaded_arsc(new LoadedArsc());
932 loaded_arsc->LoadStringPool(loaded_idmap);
933 return loaded_arsc;
934 }
935
936
CreateEmpty()937 std::unique_ptr<LoadedArsc> LoadedArsc::CreateEmpty() {
938 return std::unique_ptr<LoadedArsc>(new LoadedArsc());
939 }
940
941 } // namespace android
942