-
-
Notifications
You must be signed in to change notification settings - Fork 3.6k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
[BUG] resources.arsc parsing XML_TYPE_OVERLAY are not correctly read #3030
Comments
Thanks for the tip @jpstotz. I see the mistake - these are not null terminated strings, but fixed length as you mentioned. So I don't think we need to jump/skip and just adjust the string parser for fixed reading. Further more -- I think assuming overlay policy chunk will always follow an overlay spec chunk is probably not right as I'm looking at this code again. |
@iBotPeaches The string reading is already correct they are read as fixed size strings. I think the name is just a bit misleading (at a first glance) for fixed size strings. But even with the two fixed size strings we only cover 512 bytes of the chunk. What about the other more than 500 bytes in the linked example APK? They are all zero in the example APK so based on the data it is not possible to guess what data should be in it. |
@jpstotz - I don't really see anything else in that spec except the header/string/string - https://github.com/aosp-mirror/platform_frameworks_base/blob/master/libs/androidfw/include/androidfw/ResourceTypes.h#L1669 So if you are saying we have 500~ more bytes that are not explained by the two fixed length strings, then I have no idea what they could be. We could read the size (via the header) and skip, but doesn't seem like the safest thing. |
I am not an C expert but the definition At the moment apktool code reads two strings of length 128: So if I am not mistaken based on this definition it should be Unfortunately this still doesn't explain the chunk size, but the chunk header size would match: chunk header size: 1032 bytes = 8 + 512 + 512 8 bytes chunk header + two strings of length 512. Assuming the This structured comprises of
entry_count defines how many In the linked example APK this gives me the values for the ResTable_overlayable_policy_header: A headerSize of 16 bytes exactly matches An entryCount of 2 means additional 8 bytes of data + 16 bytes header size = 24 bytes - again a match. back to the XML_TYPE_OVERLAY chunk: chunk size 1056 bytes = 1032 bytes XML_TYPE_OVERLAY header + 24 byte XML_TYPE_OVERLAY_POLICY chunk Again a match. This seems to be the correct way to decode the XML_TYPE_OVERLAY_POLICY chunk. So in the end you were correct that after parsing the two string an XML_TYPE_OVERLAY_POLICY chunk has to be parsed. Only the string length is wrong. In both cases it needs to be corrected to Edit: There is also another small mistake: Parsing the XML_TYPE_OVERLAY_POLICY structure should not be done in a loop, just once. I have combined the changes in this branch: https://github.com/jpstotz/Apktool/tree/readOverlaySpec If you want I can open a PR. An of course there is the fact that we have nested chunks which is not reflected by apktool. In my opinion the current way of reading chunks, ignoring the chunk size is dangerous. If there is a mistake in parsing a chunk, reading all chunks afterwards will fail. |
Thanks for the details @jpstotz. So I believe in recap:
|
Yes two strings of fixed-length 256 UTF-16 characters.
I have not seen such samples but using the If there is no If there is a So I see only the two valid cases:
Everything else should be invalid. |
I've got a PR up that I believe resolves this all now. Confirmed working with the application you linked.
|
Information
The parsing method readOverlaySpec does not correctly work.
For example in the linked APK there is a
XML_TYPE_OVERLAY
chunk starting at offset 0x280000 with headerSize=1032 bytes and chunkSize=1056 bytes.The current implementation only reads two fixed length UTF-16 strings of length 128 which consumes
128*2*2=512 bytes
.Afterwards it tries to read new chunks but the position is still in the middle of XML_TYPE_OVERLAY chunk which ends up in reading zero bytes and stopping reading the resource table.
But affectively after the first
XML_TYPE_OVERLAY
chunk (with name=AssistedDrivingBrandingResources
) there is a secondXML_TYPE_OVERLAY
chunk (with name=car-ui-lib
).That second chunk (and other possible chunks afterwards) are never read by apktool a sit had already stopped parsing the resource table.
In my understanding readOverlaySpec() should be changed to skip unread header bytes before trying to read the next chunk:
The text was updated successfully, but these errors were encountered: