diff options
| author | Doug Zongker <dougz@google.com> | 2014-05-13 08:40:49 -0700 |
|---|---|---|
| committer | Doug Zongker <dougz@google.com> | 2014-05-13 08:40:49 -0700 |
| commit | 4aa12dd0decafb139239779ab38e6ffda23109ab (patch) | |
| tree | 53ae20bf4f591492bc8eae4df55223434052ad8d /applypatch | |
| parent | 1c2cf1db0db2c9e9310d27bdc19c605f5537b72f (diff) | |
| download | bootable_recovery-4aa12dd0decafb139239779ab38e6ffda23109ab.zip bootable_recovery-4aa12dd0decafb139239779ab38e6ffda23109ab.tar.gz bootable_recovery-4aa12dd0decafb139239779ab38e6ffda23109ab.tar.bz2 | |
fix vulnerability in bspatch
Patches with control data tuples with negative numbers in the first
and/or second can cause bspatch to write to arbitrary locations in the
heap.
Change-Id: I8c5d81948be773e6483241131d3d166b6da27cb8
Diffstat (limited to 'applypatch')
| -rw-r--r-- | applypatch/bspatch.c | 5 |
1 files changed, 5 insertions, 0 deletions
diff --git a/applypatch/bspatch.c b/applypatch/bspatch.c index 2e80f81..1dc7ab1 100644 --- a/applypatch/bspatch.c +++ b/applypatch/bspatch.c @@ -205,6 +205,11 @@ int ApplyBSDiffPatchMem(const unsigned char* old_data, ssize_t old_size, ctrl[1] = offtin(buf+8); ctrl[2] = offtin(buf+16); + if (ctrl[0] < 0 || ctrl[1] < 0) { + printf("corrupt patch (negative byte counts)\n"); + return 1; + } + // Sanity check if (newpos + ctrl[0] > *new_size) { printf("corrupt patch (new file overrun)\n"); |