From 4aa12dd0decafb139239779ab38e6ffda23109ab Mon Sep 17 00:00:00 2001
From: Doug Zongker
Date: Tue, 13 May 2014 08:40:49 -0700
Subject: fix vulnerability in bspatch

Patches with control data tuples with negative numbers in the first and/or second can cause bspatch to write to arbitrary locations in the heap.

Change-Id: I8c5d81948be773e6483241131d3d166b6da27cb8
---
 applypatch/bspatch.c | 5 +++++
 1 file changed, 5 insertions(+)
(limited to 'applypatch')
diff --git a/applypatch/bspatch.c b/applypatch/bspatch.c
index 2e80f81..1dc7ab1 100644
--- a/applypatch/bspatch.c
+++ b/applypatch/bspatch.c
@@ -205,6 +205,11 @@ int ApplyBSDiffPatchMem(const unsigned char* old_data, ssize_t old_size,
 ctrl[1] = offtin(buf+8);
 ctrl[2] = offtin(buf+16);
+ if (ctrl[0] < 0 || ctrl[1] < 0) {
+ printf("corrupt patch (negative byte counts)\n");
+ return 1;
+ }
+
 // Sanity check
 if (newpos + ctrl[0] > *new_size) {
 printf("corrupt patch (new file overrun)\n");
-- 
cgit v1.1
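Review bot: The overrun check right after the new guard still adds before it compares (`newpos + ctrl[0] > *new_size`), so the guard closes the negative case but leaves the count without an upper bound. If `newpos` and `ctrl[]` are signed 64-bit offsets, which the hunk does not show, a very large positive `ctrl[0]` could overflow that addition and pass the comparison. Writing the bound subtractively avoids the overflow: `if (ctrl[0] > *new_size - newpos) {`. A short comment on the new guard would also help, for example `// ctrl[2] is not checked here: presumably a seek delta that may be negative`, so the omission does not look accidental. The function body starts and ends outside the hunk, so any later bound on `ctrl[1]` or on the old-file position after `ctrl[2]` is applied cannot be confirmed from here.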