1 files changed, 13 insertions, 3 deletions

diff --git a/core/java/android/os/incremental/V4Signature.java b/core/java/android/os/incremental/V4Signature.java
index 77d8664a6459..688e3e9d2a67 100644
--- a/core/java/android/os/incremental/V4Signature.java
+++ b/core/java/android/os/incremental/V4Signature.java
@@ -41,6 +41,8 @@ public class V4Signature {
     public static final int HASHING_ALGORITHM_SHA256 = 1;
     public static final byte LOG2_BLOCK_SIZE_4096_BYTES = 12;
 
+    public static final int INCFS_MAX_SIGNATURE_SIZE = 8096;  // incrementalfs.h
+
     /**
      * IncFS hashing data.
      */
@@ -191,8 +193,12 @@ public class V4Signature {
 
     private static V4Signature readFrom(InputStream stream) throws IOException {
         final int version = readIntLE(stream);
-        final byte[] hashingInfo = readBytes(stream);
-        final byte[] signingInfo = readBytes(stream);
+        int maxSize = INCFS_MAX_SIGNATURE_SIZE;
+        final byte[] hashingInfo = readBytes(stream, maxSize);
+        if (hashingInfo != null) {
+            maxSize -= hashingInfo.length;
+        }
+        final byte[] signingInfo = readBytes(stream, maxSize);
         return new V4Signature(version, hashingInfo, signingInfo);
     }
 
@@ -231,9 +237,13 @@ public class V4Signature {
         stream.write(buffer);
     }
 
-    private static byte[] readBytes(InputStream stream) throws IOException {
+    private static byte[] readBytes(InputStream stream, int maxSize) throws IOException {
         try {
             final int size = readIntLE(stream);
+            if (size > maxSize) {
+                throw new IOException(
+                        "Signature is too long. Max allowed is " + INCFS_MAX_SIGNATURE_SIZE);
+            }
             final byte[] bytes = new byte[size];
             readFully(stream, bytes);
             return bytes;