Strings inside xml resource files are truncated #681
Original issue 571 created by jtmuhone on 2013-12-17T11:16:55.000Z:
What is the expected output? What do you see instead?
The JSON strings inside file are truncated. This file ends with '["rot",[[0,0],</string>'. The xml is valid, but the JSON inside the XML is not. If you build the application, there are no errors, but the application does not work.
What version of the product are you using? On what operating system?
Please provide any additional information below.
Comment #4 originally posted by jtmuhone on 2013-12-17T22:29:31.000Z:
Could there be something special with this apk? A new string format? Even the broken string is quite long, ~16000 bytes.
Comment #5 originally posted by connor.tumbleson on 2013-12-17T22:50:06.000Z:
I found tons of strings in the form of
as by aapt
The JSON input is valid according to RFC 4627 (JSON specification). I ran it through and got it right back. This was pulled directly from that APK. Your original report shows a JSON segment with double quotes. Double quotes and strings don't play nice with Android without escaping.
(Note: I haven't had time to do any real device testing yet)
Comment #6 originally posted by jtmuhone on 2013-12-18T12:00:32.000Z:
I found the error.
It seems that one should put only strings with a maximum length of 32767 bytes into resource files, since the StringPool resource length overflows otherwise (https://github.com/android/platform_frameworks_base/blob/master/libs/androidfw/ResourceTypes.cpp, see decodeLength). However, one can abuse that, and it works, since resource lengths are actually used only for checking if they are inside the byte array (same file, see ResStringPool::string8At). So the length overflows and returns a wrong, shorter value, but when Android fetches the string, it actually gets the original data.
I created a patch, it finds the original c string terminating null character instead of using the length and now it works! It also passes your tests.
I added the patch as an attachment.
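The length wrap described in the comment above, as an added example in C (this is not apktool code and not the attached patch). The prefix encoding mirrors what decodeLength() in ResourceTypes.cpp reads for UTF-8 string pools: one byte for lengths up to 0x7F, otherwise two bytes with the high bit of the first set and only 15 bits of length kept. The pool entry, its 'x'-filled payload, and the two reader functions (recovered_by_length, recovered_by_nul) are constructed here for the demonstration:

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Length prefix of a UTF-8 string-pool entry, as written by aapt and
 * read by decodeLength() in ResourceTypes.cpp: one byte holds lengths
 * up to 0x7F; longer lengths use two bytes, the first with its high bit
 * set and its remaining 7 bits carrying bits 8..14 of the length. Any
 * bit above bit 14 is dropped, which is the overflow discussed above. */
static size_t encode_length(uint8_t *out, size_t len) {
    size_t n = 0;
    if (len > 0x7F) {
        out[n++] = (uint8_t)(0x80 | ((len >> 8) & 0x7F));
    }
    out[n++] = (uint8_t)(len & 0xFF);
    return n;
}

/* Mirror of decodeLength(): returns the length and advances *p past it. */
static size_t decode_length(const uint8_t **p) {
    size_t len = **p;
    if (len & 0x80) {
        (*p)++;
        len = ((len & 0x7F) << 8) | **p;
    }
    (*p)++;
    return len;
}

/* Lay out one UTF-8 pool entry: [char count][byte count][bytes][NUL].
 * The payload is ASCII, so both counts are equal (an assumption of this
 * demo only). Returns the entry size in bytes. */
static size_t build_entry(uint8_t *buf, const uint8_t *s, size_t len) {
    size_t n = 0;
    n += encode_length(buf + n, len);
    n += encode_length(buf + n, len);
    memcpy(buf + n, s, len);
    n += len;
    buf[n++] = 0;
    return n;
}

/* What the length prefix tells a reader (the behaviour the reporter hit):
 * builds an entry for a constructed string of `len` bytes and returns the
 * byte count decoded from the prefix, wrapped modulo 32768 when too long. */
size_t recovered_by_length(size_t len) {
    uint8_t *buf = malloc(len + 8);
    uint8_t *s = malloc(len);
    memset(s, 'x', len);
    build_entry(buf, s, len);
    const uint8_t *p = buf;
    (void)decode_length(&p);          /* char count, not needed here */
    size_t seen = decode_length(&p);  /* byte count, possibly wrapped */
    free(s);
    free(buf);
    return seen;
}

/* What a reader that trusts the NUL terminator recovers (the approach the
 * patch in this thread takes): scans from the payload start, bounded by
 * the entry size so it can never run past the buffer. */
size_t recovered_by_nul(size_t len) {
    uint8_t *buf = malloc(len + 8);
    uint8_t *s = malloc(len);
    memset(s, 'x', len);
    size_t entry_size = build_entry(buf, s, len);
    const uint8_t *p = buf;
    (void)decode_length(&p);
    (void)decode_length(&p);
    const uint8_t *end = memchr(p, 0, entry_size - (size_t)(p - buf));
    size_t seen = end ? (size_t)(end - p) : 0;
    free(s);
    free(buf);
    return seen;
}

int main(void) {
    size_t lens[] = {16000, 32767, 32768, 40000};
    for (size_t i = 0; i < 4; i++) {
        printf("len=%zu  by-length=%zu  by-nul=%zu\n", lens[i],
               recovered_by_length(lens[i]), recovered_by_nul(lens[i]));
    }
    return 0;
}
```

A 40000-byte string decodes as 7232 bytes by prefix (40000 - 32768) and exactly 32768 decodes as 0, while the NUL-bounded scan recovers the full payload in both cases. The scan still has to be bounded by the pool size, as Android's own check is, and it relies on the terminator aapt writes, so a string containing an embedded NUL would be cut short by this approach.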
Comment #8 originally posted by connor.tumbleson on 2013-12-18T14:43:26.000Z:
Your insight has helped greatly. I found many bugs (ex # 238) that are similar to length being abused. I will investigate this greatly over the weekend and hopefully get some more fixes out.