diff --git a/jadx-core/src/main/java/jadx/core/xmlgen/BinaryXMLParser.java b/jadx-core/src/main/java/jadx/core/xmlgen/BinaryXMLParser.java
index a66ce2d8a11..203f127e6cc 100644
--- a/jadx-core/src/main/java/jadx/core/xmlgen/BinaryXMLParser.java
+++ b/jadx-core/src/main/java/jadx/core/xmlgen/BinaryXMLParser.java
@@ -265,9 +265,10 @@ private void parseElement() throws IOException {
 die("startNS's attributeStart is not 0x14");
 }
 int attributeSize = is.readInt16();
- if (attributeSize != 0x14) {
- die("startNS's attributeSize is not 0x14");
+ if (attributeSize < 0x14) {
+ die("startNS's attributeSize is less than 0x14");
 }
+
 int attributeCount = is.readInt16();
 int idIndex = is.readInt16();
 int classIndex = is.readInt16();
@@ -289,7 +290,7 @@ private void parseElement() throws IOException {
 Set attrCache = new HashSet<>();
 boolean attrNewLine = attributeCount != 1 && this.attrNewLine;
 for (int i = 0; i < attributeCount; i++) {
- parseAttribute(i, attrNewLine, attrCache);
+ parseAttribute(i, attrNewLine, attrCache, attributeSize);
 }
 long endPos = is.getPos();
 if (endPos - startPos + 0x4 < elementSize) {
@@ -297,7 +298,7 @@ private void parseElement() throws IOException {
 }
 }
- private void parseAttribute(int i, boolean newLine, Set attrCache) throws IOException {
+ private void parseAttribute(int i, boolean newLine, Set attrCache, int attributeSize) throws IOException {
 int attributeNS = is.readInt32();
 int attributeName = is.readInt32();
 int attributeRawValue = is.readInt32();
@@ -305,6 +306,8 @@ private void parseAttribute(int i, boolean newLine, Set attrCache) throw
 int attrValDataType = is.readInt8();
 int attrValData = is.readInt32();
+ is.skip(attributeSize - 0x14);
+
 String shortNsName = null;
 if (attributeNS != -1) {
 shortNsName = getAttributeNS(attributeNS, newLine);
diff --git a/jadx-core/src/main/java/jadx/core/xmlgen/BinaryXMLStrings.java b/jadx-core/src/main/java/jadx/core/xmlgen/BinaryXMLStrings.java
index 7b9effe45b7..a5090f044ff 100644
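Review bot: The relaxed check in parseElement (first hunk of BinaryXMLParser.java) puts no upper bound on `attributeSize`, and that value now decides how far parseAttribute skips for every attribute. Both `attributeSize` and `attributeCount` are read straight from the file, so a malformed element can move the reader well beyond its own `elementSize`; the check after the attribute loop only handles the case where fewer bytes than `elementSize` were consumed. Once `attributeCount` is known, the element could be rejected with something like `if ((long) attributeCount * attributeSize > elementSize) { die("attributes exceed element size"); }`, assuming `elementSize` has already been read at that point. parseElement begins and ends outside the hunk.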
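Review bot: The new `is.skip(attributeSize - 0x14);` in parseAttribute (last hunk of BinaryXMLParser.java) has no comment saying why bytes are skipped or what 0x14 stands for. A line such as `// entries may be larger than the 0x14 bytes of fixed fields read above; skip the unknown remainder` would make the intent clear. Whether `skip` reports a short skip at end of input is not visible here; if it does not, the result should be checked so a truncated file fails at this point rather than in a later read. parseAttribute continues outside the hunk.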
--- a/jadx-core/src/main/java/jadx/core/xmlgen/BinaryXMLStrings.java
+++ b/jadx-core/src/main/java/jadx/core/xmlgen/BinaryXMLStrings.java
@@ -7,6 +7,7 @@ import java.util.Map;
 public class BinaryXMLStrings {
+ public static final String INVALID_STRING_PLACEHOLDER = "⟨STRING_DECODE_ERROR⟩";
 private final int stringCount;
 private final long stringsStart;
@@ -40,6 +41,10 @@ public String get(int id) {
 return cached;
 }
+ if (id * 4 >= buffer.limit() - 3) {
+ return INVALID_STRING_PLACEHOLDER;
+ }
+
 long offset = stringsStart + buffer.getInt(id * 4);
 String extracted;
 if (isUtf8) {
@@ -63,7 +68,7 @@ public int size() {
 private static String extractString8(byte[] strArray, int offset) {
 if (offset >= strArray.length) {
- return "STRING_DECODE_ERROR";
+ return INVALID_STRING_PLACEHOLDER;
 }
 int start = offset + skipStrLen8(strArray, offset);
 int len = strArray[start++];
@@ -78,6 +83,10 @@ private static String extractString8(byte[] strArray, int offset) {
 }
 private static String extractString16(byte[] strArray, int offset) {
+ if (offset + 2 >= strArray.length) {
+ return INVALID_STRING_PLACEHOLDER;
+ }
+
 int len = strArray.length;
 int start = offset + skipStrLen16(strArray, offset);
 int end = start;
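Review bot: `INVALID_STRING_PLACEHOLDER` is added as a public constant without Javadoc, so callers cannot tell from the declaration when it is returned. A one-line comment such as `/** Returned in place of a string whose index or offset lies outside the string pool. */` would cover it. The literal also contains U+27E8 and U+27E9, which makes the value depend on the source being compiled as UTF-8; writing it as `"\u27E8STRING_DECODE_ERROR\u27E9"` avoids that dependency.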
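Review bot: The new guard in `get(int id)` only rejects indexes that are too large; a negative `id`, or one large enough for `id * 4` to overflow to a negative int, passes the check and reaches `buffer.getInt(id * 4)`, which would then throw instead of returning the placeholder. The class already holds `stringCount`, so the guard could read `if (id < 0 || id >= stringCount || (long) id * 4 > buffer.limit() - 4)`, assuming `stringCount` is the number of entries in the offset table. The value returned by `buffer.getInt` is also used unchecked in `offset`, which matters for the extractString guards further down. The method continues outside the hunk.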
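Review bot: The added guard in extractString16, `if (offset + 2 >= strArray.length)`, does not reject a negative `offset`, and `offset + 2` can overflow for values near `Integer.MAX_VALUE`. If the caller can pass a value derived from a negative table entry, the array accesses that follow would throw rather than yield the placeholder. `if (offset < 0 || offset >= strArray.length - 2)` expresses the same bound without the overflow and covers the negative case. The existing guard in extractString8 (`offset >= strArray.length`, previous hunk) has the same gap, and `start` there is still used as an index without a bounds check. Both methods continue outside their hunks.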