anestisb / vdexExtractor

Tool to decompile & extract Android Dex bytecode from Vdex files
Apache License 2.0

Fix incorrect method name and idx. #62

Closed jiajunpei closed 4 years ago

jiajunpei commented 4 years ago

For some cases, the name idx may exceed the range of u2, which will lead to a wrong method name resolution.

jiajunpei commented 4 years ago

@anestisb Hi, could you help review this commit?

anestisb commented 4 years ago

But the number of methods is u2, so what is the exceed use case? Do you have a sample Dex file with which you hit the bug?

jiajunpei commented 4 years ago

@anestisb Hi, what I really mean is that the method's name id may exceed u2. You can refer to the definition of dexMethodId:

typedef struct __attribute__((packed)) {
  u2 classIdx;
  u2 protoIdx;
  u4 nameIdx;    // u4 here
} dexMethodId;

nameIdx is of type u4; for the name resolution:

void dex_dumpMethodInfo(const u1 *dexFileBuf,
                        dexMethod *pDexMethod,
                        u4 localIdx,
                        const char *type) {
  const char *methodName = dex_getStringDataByIdx(dexFileBuf, pDexMethodId->nameIdx);  // string resolution

And definition of function dex_getStringDataByIdx is:

const char *dex_getStringDataByIdx(const u1 *dexFileBuf, u2 idx) {  // but it's u2 here
  u4 unicode_length;
  return dex_getStringDataAndUtf16LengthByIdx(dexFileBuf, idx, &unicode_length);
}

The parameter of function dex_getStringDataByIdx is of type u2.

So during the method name resolution, when calling function dex_getStringDataByIdx, there will be an implicit conversion from u4 to u2. So if the name idx of a method exceeds u2, the result of name resolution will be wrong.

I can't upload the dex file which can hit this bug due to security reasons, sorry for that.
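As an added illustration of the narrowing bug described in this thread (not code from vdexExtractor itself; it uses a constructed two-entry string table and a hypothetical `kStringIdsSize` in place of the real string_ids section), the following C shows a u2 resolver beside a u4 one with a bounds check, applied to a constructed method_id_item whose name_idx is 0x10005:

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

typedef uint8_t  u1;
typedef uint16_t u2;
typedef uint32_t u4;

typedef struct __attribute__((packed)) {
  u2 classIdx;
  u2 protoIdx;
  u4 nameIdx;  /* u4: a string index can exceed 0xFFFF */
} dexMethodId;

/* Constructed sparse stand-in for string_ids: only two entries matter. */
typedef struct { u4 idx; const char *data; } stringEntry;
static const stringEntry kStrings[] = {
  { 0x00005u, "toString" },  /* what 0x10005 becomes after u2 narrowing */
  { 0x10005u, "onCreate" },  /* the name the method id really refers to */
};
static const u4 kStringIdsSize = 0x10006u;  /* hypothetical string_ids_size */

static const char *lookupString(u4 idx) {
  for (size_t i = 0; i < sizeof kStrings / sizeof kStrings[0]; i++)
    if (kStrings[i].idx == idx) return kStrings[i].data;
  return NULL;  /* index not present in the constructed table */
}

/* Buggy shape: the caller's u4 argument is silently truncated to u2. */
const char *getStringDataByIdxU2(u2 idx) { return lookupString(idx); }

/* Fixed shape: keep u4 and reject indices past the declared table size. */
const char *getStringDataByIdxU4(u4 idx) {
  return idx < kStringIdsSize ? lookupString(idx) : NULL;
}

/* Read one 8-byte little-endian method_id_item from a dex buffer. */
dexMethodId parseMethodId(const u1 *p) {
  dexMethodId m;
  m.classIdx = (u2)(p[0] | (p[1] << 8));
  m.protoIdx = (u2)(p[2] | (p[3] << 8));
  m.nameIdx  = (u4)p[4] | ((u4)p[5] << 8) | ((u4)p[6] << 16) | ((u4)p[7] << 24);
  return m;
}

/* Resolve through either the buggy (fixed == 0) or the fixed (fixed != 0) path. */
const char *resolveMethodName(const dexMethodId *m, int fixed) {
  return fixed ? getStringDataByIdxU4(m->nameIdx) : getStringDataByIdxU2(m->nameIdx);
}

/* Constructed method_id_item bytes: class 1, proto 2, name_idx 0x00010005. */
const u1 kMethodIdBytes[8] = { 0x01, 0x00, 0x02, 0x00, 0x05, 0x00, 0x01, 0x00 };
```

With the u2 path the same bytes resolve to "toString" instead of "onCreate", which is exactly the silent mis-attribution this PR fixes; the bounds check additionally turns an out-of-range index into a NULL rather than an out-of-bounds read.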

anestisb commented 4 years ago

Gotcha. Yes you're absolutely right. Merging. Thank you for your contribution.