const-string ushort overflow for string item (#316499) · Issues · asm / asmdex

const-string ushort overflow for string item

I was trying to instrument a huge DEX with more than 0xFFFF string items.
What happened is that the symbolicIndex reached values over the 65536 limit for 
values whose original string index is supposed to fit in a ushort.
This causes an overflow of the ushort value when writing a const-string 
instruction.

###################################################################

org.ow2.asmdex.structureWriter.ConstantPool:addStringToConstantPool

    public void addStringToConstantPool(String string) {
        if (string != null) {
            if (useSymbolicElements) {
                if (!symbolicStringsToIndexes.containsKey(string)) {
-->                 symbolicStringsToIndexes.put(string, 
symbolicStringsToIndexes.size());
                }
            } 
            strings.add(string);
        }
    }

The symbolic index can exceed 0xFFFF

##################################################################

org.ow2.asmdex.instruction.InstructionFormat21C:write

    public void write(ByteVector out, ConstantPool constantPool) {
        test8BitsLimit(registerA);
        // The format is AA|op BBBB.
        out.putShort(((registerA & 0xff) << 8) + opcodeByte);
        // The index may be a Type, or a String index.
        int index;
        if (opcodeByte == 0x1a) {
-->         index = constantPool.getStringIndex(stringOrType);
        } else if ((opcodeByte == 0x1c) || (opcodeByte == 0x1f) || (opcodeByte 
== 0x22)) {
            index = constantPool.getTypeIndex(stringOrType);
        } else { // 0x60...0x6d
            index = constantPool.getFieldIndex(field);
        }
-->     out.putShort(index);
    }

symbolicIndex is read and written as a ushort (even if it does not fit)

##################################################################

org.ow2.asmdex.lowLevelUtils.ByteVector:putShort

    public ByteVector putShort(final int s) {
        int length = this.length;
        if (length + 2 > data.length) {
            enlarge(2);
        }
        byte[] data = this.data;
-->     data[length++] = (byte) s;                      // Swapped.
-->     data[length++] = (byte) (s >>> 8);      // Swapped.
        this.length = length;
        return this;
    }

No warnings are raised for the overflow.

```
I was trying to instrument a huge DEX with more than 0xFFFF string items.
What happened is that the symbolicIndex reached values over the 65536 limit for 
values whose original string index is supposed to fit in a ushort.
This causes an overflow of the ushort value when writing a const-string 
instruction.

###################################################################

org.ow2.asmdex.structureWriter.ConstantPool:addStringToConstantPool

public void addStringToConstantPool(String string) {
        if (string != null) {
            if (useSymbolicElements) {
                if (!symbolicStringsToIndexes.containsKey(string)) {
-->                 symbolicStringsToIndexes.put(string, 
symbolicStringsToIndexes.size());
                }
            } 
            strings.add(string);
        }
    }

The symbolic index can exceed 0xFFFF

##################################################################

org.ow2.asmdex.instruction.InstructionFormat21C:write

public void write(ByteVector out, ConstantPool constantPool) {
        test8BitsLimit(registerA);
        // The format is AA|op BBBB.
        out.putShort(((registerA & 0xff) << 8) + opcodeByte);
        // The index may be a Type, or a String index.
        int index;
        if (opcodeByte == 0x1a) {
-->         index = constantPool.getStringIndex(stringOrType);
        } else if ((opcodeByte == 0x1c) || (opcodeByte == 0x1f) || (opcodeByte 
== 0x22)) {
            index = constantPool.getTypeIndex(stringOrType);
        } else { // 0x60...0x6d
            index = constantPool.getFieldIndex(field);
        }
-->     out.putShort(index);
    }

symbolicIndex is read and written as a ushort (even if it does not fit)

##################################################################

org.ow2.asmdex.lowLevelUtils.ByteVector:putShort

public ByteVector putShort(final int s) {
        int length = this.length;
        if (length + 2 > data.length) {
            enlarge(2);
        }
        byte[] data = this.data;
-->     data[length++] = (byte) s;                      // Swapped.
-->     data[length++] = (byte) (s >>> 8);      // Swapped.
        this.length = length;
        return this;
    }

No warnings are raised for the overflow.
```