diff options
| author | Sami Tolvanen <samitolvanen@google.com> | 2015-05-18 11:31:58 +0200 |
|---|---|---|
| committer | Android Git Automerger <android-git-automerger@android.com> | 2015-05-18 11:31:58 +0200 |
| commit | b135645c31bdb1f969453623c1e3f4b45508779f (patch) | |
| tree | 1a68a3d1408fc041a49d294f198116c219d19d70 | |
| parent | am 1857a7f5: Don\'t use TEMP_FAILURE_RETRY on close in recovery. (diff) | |
| parent | am 6253753a: Merge "Add error and range checks to parse_range" (diff) | |
| download | android_bootable_recovery-b135645c31bdb1f969453623c1e3f4b45508779f.tar android_bootable_recovery-b135645c31bdb1f969453623c1e3f4b45508779f.tar.gz android_bootable_recovery-b135645c31bdb1f969453623c1e3f4b45508779f.tar.bz2 android_bootable_recovery-b135645c31bdb1f969453623c1e3f4b45508779f.tar.lz android_bootable_recovery-b135645c31bdb1f969453623c1e3f4b45508779f.tar.xz android_bootable_recovery-b135645c31bdb1f969453623c1e3f4b45508779f.tar.zst android_bootable_recovery-b135645c31bdb1f969453623c1e3f4b45508779f.zip | |
| -rw-r--r-- | updater/blockimg.c | 81 |
1 files changed, 71 insertions, 10 deletions
diff --git a/updater/blockimg.c b/updater/blockimg.c index a0e9aec6a..ce6360099 100644 --- a/updater/blockimg.c +++ b/updater/blockimg.c @@ -60,30 +60,91 @@ typedef struct { int pos[0]; } RangeSet; +#define RANGESET_MAX_POINTS \ + ((int)((INT_MAX / sizeof(int)) - sizeof(RangeSet))) + static RangeSet* parse_range(char* text) { char* save; - int num; - num = strtol(strtok_r(text, ",", &save), NULL, 0); + char* token; + int i, num; + long int val; + RangeSet* out = NULL; + size_t bufsize; - RangeSet* out = malloc(sizeof(RangeSet) + num * sizeof(int)); - if (out == NULL) { - fprintf(stderr, "failed to allocate range of %zu bytes\n", - sizeof(RangeSet) + num * sizeof(int)); - exit(1); + if (!text) { + goto err; + } + + token = strtok_r(text, ",", &save); + + if (!token) { + goto err; + } + + val = strtol(token, NULL, 0); + + if (val < 2 || val > RANGESET_MAX_POINTS) { + goto err; + } else if (val % 2) { + goto err; // must be even + } + + num = (int) val; + bufsize = sizeof(RangeSet) + num * sizeof(int); + + out = malloc(bufsize); + + if (!out) { + fprintf(stderr, "failed to allocate range of %zu bytes\n", bufsize); + goto err; } + out->count = num / 2; out->size = 0; - int i; + for (i = 0; i < num; ++i) { - out->pos[i] = strtol(strtok_r(NULL, ",", &save), NULL, 0); - if (i%2) { + token = strtok_r(NULL, ",", &save); + + if (!token) { + goto err; + } + + val = strtol(token, NULL, 0); + + if (val < 0 || val > INT_MAX) { + goto err; + } + + out->pos[i] = (int) val; + + if (i % 2) { + if (out->pos[i - 1] >= out->pos[i]) { + goto err; // empty or negative range + } + + if (out->size > INT_MAX - out->pos[i]) { + goto err; // overflow + } + out->size += out->pos[i]; } else { + if (out->size < 0) { + goto err; + } + out->size -= out->pos[i]; } } + if (out->size <= 0) { + goto err; + } + return out; + +err: + fprintf(stderr, "failed to parse range '%s'\n", text ? text : "NULL"); + exit(1); } static int range_overlaps(RangeSet* r1, RangeSet* r2) { |