Gracefully handle malformed array payload instructions with element width=0

These get handled as if they had element width=1 and element count=0
2025-05-28 20:00:13 +02:00 · 2019-08-23 14:04:40 -07:00 · 2019-08-23 14:04:40 -07:00 · bdbea44b98
commit bdbea44b98
parent 225a00c768
5 changed files with 94 additions and 18 deletions
--- a/baksmali/src/test/java/org/jf/baksmali/ZeroArrayPayloadWidthTest.java
+++ b/baksmali/src/test/java/org/jf/baksmali/ZeroArrayPayloadWidthTest.java
@ -0,0 +1,44 @@
+/*
+ * Copyright 2019, Google Inc.
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions are
+ * met:
+ *
+ *     * Redistributions of source code must retain the above copyright
+ * notice, this list of conditions and the following disclaimer.
+ *     * Redistributions in binary form must reproduce the above
+ * copyright notice, this list of conditions and the following disclaimer
+ * in the documentation and/or other materials provided with the
+ * distribution.
+ *     * Neither the name of Google Inc. nor the names of its
+ * contributors may be used to endorse or promote products derived from
+ * this software without specific prior written permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
+ * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
+ * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR
+ * A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT
+ * OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT
+ * LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
+ * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
+ * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
+ * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
+ * OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+ */
+
+package org.jf.baksmali;
+
+import org.junit.Test;
+
+public class ZeroArrayPayloadWidthTest extends DisassemblyTest {
+
+    @Test
+    public void testZeroArrayPayloadWidthTest() {
+        // This test uses a manually modified dex file with an array-payload instruction that has an element size of 0,
+        // and an element count that doesn't fit in an unsigned int.
+        runTest("ZeroArrayPayloadWidthTest");
+    }
+}
--- a/baksmali/src/test/resources/ZeroArrayPayloadWidthTest/ZeroArrayPayloadWidthTestInput.dex
+++ b/baksmali/src/test/resources/ZeroArrayPayloadWidthTest/ZeroArrayPayloadWidthTestInput.dex
--- a/baksmali/src/test/resources/ZeroArrayPayloadWidthTest/ZeroArrayPayloadWidthTestOutput.smali
+++ b/baksmali/src/test/resources/ZeroArrayPayloadWidthTest/ZeroArrayPayloadWidthTestOutput.smali
@ -0,0 +1,15 @@
+.class public LZeroArrayPayloadWidthTest;
+.super Ljava/lang/Object;
+
+
+# virtual methods
+.method public zeroWidth()V
+    .registers 3
+
+    return-void
+
+    nop
+
+    .array-data 1
+    .end array-data
+.end method
--- a/dexlib2/src/main/java/org/jf/dexlib2/dexbacked/instruction/DexBackedArrayPayload.java
+++ b/dexlib2/src/main/java/org/jf/dexlib2/dexbacked/instruction/DexBackedArrayPayload.java
@ -31,6 +31,7 @@

 package org.jf.dexlib2.dexbacked.instruction;

+import com.google.common.collect.ImmutableList;
 import org.jf.dexlib2.Opcode;
 import org.jf.dexlib2.dexbacked.DexBackedDexFile;
 import org.jf.dexlib2.dexbacked.util.FixedSizeList;
@ -54,10 +55,18 @@ public class DexBackedArrayPayload extends DexBackedInstruction implements Array
                                 int instructionStart) {
        super(dexFile, OPCODE, instructionStart);

-        elementWidth = dexFile.getDataBuffer().readUshort(instructionStart + ELEMENT_WIDTH_OFFSET);
-        elementCount = dexFile.getDataBuffer().readSmallUint(instructionStart + ELEMENT_COUNT_OFFSET);
-        if (((long)elementWidth) * elementCount > Integer.MAX_VALUE) {
-            throw new ExceptionWithContext("Invalid array-payload instruction: element width*count overflows");
+        int localElementWidth = dexFile.getDataBuffer().readUshort(instructionStart + ELEMENT_WIDTH_OFFSET);
+
+        if (localElementWidth == 0) {
+            elementWidth = 1;
+            elementCount = 0;
+        } else {
+            elementWidth = localElementWidth;
+
+            elementCount = dexFile.getDataBuffer().readSmallUint(instructionStart + ELEMENT_COUNT_OFFSET);
+            if (((long) elementWidth) * elementCount > Integer.MAX_VALUE) {
+                throw new ExceptionWithContext("Invalid array-payload instruction: element width*count overflows");
+            }
        }
    }

@ -72,6 +81,10 @@ public class DexBackedArrayPayload extends DexBackedInstruction implements Array
            @Override public int size() { return elementCount; }
        }

+        if (elementCount == 0) {
+            return ImmutableList.of();
+        }
+
        switch (elementWidth) {
            case 1:
                return new ReturnedList() {
--- a/dexlib2/src/main/java/org/jf/dexlib2/dexbacked/raw/CodeItem.java
+++ b/dexlib2/src/main/java/org/jf/dexlib2/dexbacked/raw/CodeItem.java
@ -540,22 +540,26 @@ public class CodeItem {
            out.indent();
            out.annotate(2, "element_width = %d", elementWidth);
            out.annotate(4, "size = %d", elements.size());
-            out.annotate(0, "elements:");
+            if (elements.size() > 0) {
+                out.annotate(0, "elements:");
+            }
            out.indent();
-            for (int i=0; i<elements.size(); i++) {
-                if (elementWidth == 8) {
-                    long value = elements.get(i).longValue();
-                    if (NumberUtils.isLikelyDouble(value)) {
-                        out.annotate(elementWidth, "element[%d] = %d # %f", i, value, Double.longBitsToDouble(value));
+            if (elements.size() > 0) {
+                for (int i = 0; i < elements.size(); i++) {
+                    if (elementWidth == 8) {
+                        long value = elements.get(i).longValue();
+                        if (NumberUtils.isLikelyDouble(value)) {
+                            out.annotate(elementWidth, "element[%d] = %d # %f", i, value, Double.longBitsToDouble(value));
+                        } else {
+                            out.annotate(elementWidth, "element[%d] = %d", i, value);
+                        }
                    } else {
-                        out.annotate(elementWidth, "element[%d] = %d", i, value);
-                    }
-                } else {
-                    int value = elements.get(i).intValue();
-                    if (NumberUtils.isLikelyFloat(value)) {
-                        out.annotate(elementWidth, "element[%d] = %d # %f", i, value, Float.intBitsToFloat(value));
-                    } else {
-                        out.annotate(elementWidth, "element[%d] = %d", i, value);
+                        int value = elements.get(i).intValue();
+                        if (NumberUtils.isLikelyFloat(value)) {
+                            out.annotate(elementWidth, "element[%d] = %d # %f", i, value, Float.intBitsToFloat(value));
+                        } else {
+                            out.annotate(elementWidth, "element[%d] = %d", i, value);
+                        }
                    }
                }
            }