aboutsummaryrefslogtreecommitdiffstats
path: root/applypatch
diff options
context:
space:
mode:
authorDoug Zongker <dougz@google.com>2014-05-13 08:40:49 -0700
committerDoug Zongker <dougz@google.com>2014-05-13 08:40:49 -0700
commit4aa12dd0decafb139239779ab38e6ffda23109ab (patch)
tree53ae20bf4f591492bc8eae4df55223434052ad8d /applypatch
parent1c2cf1db0db2c9e9310d27bdc19c605f5537b72f (diff)
downloadbootable_recovery-4aa12dd0decafb139239779ab38e6ffda23109ab.zip
bootable_recovery-4aa12dd0decafb139239779ab38e6ffda23109ab.tar.gz
bootable_recovery-4aa12dd0decafb139239779ab38e6ffda23109ab.tar.bz2
fix vulnerability in bspatch
Patches with control data tuples with negative numbers in the first and/or second can cause bspatch to write to arbitrary locations in the heap. Change-Id: I8c5d81948be773e6483241131d3d166b6da27cb8
Diffstat (limited to 'applypatch')
-rw-r--r--applypatch/bspatch.c5
1 files changed, 5 insertions, 0 deletions
diff --git a/applypatch/bspatch.c b/applypatch/bspatch.c
index 2e80f81..1dc7ab1 100644
--- a/applypatch/bspatch.c
+++ b/applypatch/bspatch.c
@@ -205,6 +205,11 @@ int ApplyBSDiffPatchMem(const unsigned char* old_data, ssize_t old_size,
ctrl[1] = offtin(buf+8);
ctrl[2] = offtin(buf+16);
+ if (ctrl[0] < 0 || ctrl[1] < 0) {
+ printf("corrupt patch (negative byte counts)\n");
+ return 1;
+ }
+
// Sanity check
if (newpos + ctrl[0] > *new_size) {
printf("corrupt patch (new file overrun)\n");