From ad34986480edbf4e73804eb4ff300f96d9afa0a4 Mon Sep 17 00:00:00 2001
From: 115ek <e.blosz@hotmail.de>
Date: Mon, 23 Jan 2017 18:22:20 +0100
Subject: Rename process_key to ProcessKey

This fixes an undeclared indentifier error (maybe because function was renamed in the past...)

Change-Id: I16b7d93182ed8c9efede3fbaff73d57d74732b4b
(cherry picked from commit e946931ed6ec8df12c12ad249a2df8003e3a0a28)
---
 ui.cpp | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)

diff --git a/ui.cpp b/ui.cpp
index d1eca91..c7268fb 100644
--- a/ui.cpp
+++ b/ui.cpp
@@ -444,12 +444,12 @@ void RecoveryUI::ProcessRel(input_device* dev, int code, int value) {
         // key event.
         dev->rel_sum += value;
         if (dev->rel_sum > 3) {
-            process_key(dev, KEY_DOWN, 1);   // press down key
-            process_key(dev, KEY_DOWN, 0);   // and release it
+            ProcessKey(dev, KEY_DOWN, 1);   // press down key
+            ProcessKey(dev, KEY_DOWN, 0);   // and release it
             dev->rel_sum = 0;
         } else if (dev->rel_sum < -3) {
-            process_key(dev, KEY_UP, 1);     // press up key
-            process_key(dev, KEY_UP, 0);     // and release it
+            ProcessKey(dev, KEY_UP, 1);     // press up key
+            ProcessKey(dev, KEY_UP, 0);     // and release it
             dev->rel_sum = 0;
         }
     }
-- 
cgit v1.1


From 735e1195c28a628731d3e31f76d8dc3f8a1b9fe6 Mon Sep 17 00:00:00 2001
From: Tianjie Xu <xunchang@google.com>
Date: Fri, 16 Dec 2016 16:24:09 -0800
Subject: Add a checker for signature boundary in verifier

The 'signature_start' variable marks the location of the signature
from the end of a zip archive. And a boundary check is missing where
'signature_start' should be within the EOCD comment field. This causes
problems when sideloading a malicious package. Also add a corresponding
test.

Bug: 31914369
Test: Verification fails correctly when sideloading recovery_test.zip on
angler.

CVE-2017-0475

Change-Id: I6ea96bf04dac5d8d4d6719e678d504f957b4d5c1
(cherry-picked from f69e6a9475983b2ad46729e44ab58d2b22cd74d0)
(cherry picked from commit 54ea136fded56810bf475885eb4bd7bf1b11f09c)
(cherry picked from commit 2c6c23f651abb3d215134dfba463eb72a5e9f8eb)
---
 verifier.cpp | 6 ++++++
 1 file changed, 6 insertions(+)

diff --git a/verifier.cpp b/verifier.cpp
index 61e5adf..bf7071d 100644
--- a/verifier.cpp
+++ b/verifier.cpp
@@ -144,6 +144,12 @@ int verify_file(unsigned char* addr, size_t length,
     LOGI("comment is %zu bytes; signature %zu bytes from end\n",
          comment_size, signature_start);
 
+    if (signature_start > comment_size) {
+        LOGE("signature start: %zu is larger than comment size: %zu\n", signature_start,
+             comment_size);
+        return VERIFY_FAILURE;
+    }
+
     if (signature_start <= FOOTER_SIZE) {
         LOGE("Signature start is in the footer");
         return VERIFY_FAILURE;
-- 
cgit v1.1