diff options
author | Kelvin Zhang <zhangkelvin@google.com> | 2020-09-19 02:51:22 +0200 |
---|---|---|
committer | Gerrit Code Review <noreply-gerritcodereview@google.com> | 2020-09-19 02:51:22 +0200 |
commit | c1d2c15785043f5b45082d005d753e830ce602f0 (patch) | |
tree | f892e9ca467b4f751345a2a3200caf8903a217c9 /updater | |
parent | Merge "Merge mainline-release 6664920 to master - DO NOT MERGE" (diff) | |
parent | Check for overflow before allocating memory fore decompression. (diff) | |
download | android_bootable_recovery-c1d2c15785043f5b45082d005d753e830ce602f0.tar android_bootable_recovery-c1d2c15785043f5b45082d005d753e830ce602f0.tar.gz android_bootable_recovery-c1d2c15785043f5b45082d005d753e830ce602f0.tar.bz2 android_bootable_recovery-c1d2c15785043f5b45082d005d753e830ce602f0.tar.lz android_bootable_recovery-c1d2c15785043f5b45082d005d753e830ce602f0.tar.xz android_bootable_recovery-c1d2c15785043f5b45082d005d753e830ce602f0.tar.zst android_bootable_recovery-c1d2c15785043f5b45082d005d753e830ce602f0.zip |
Diffstat (limited to '')
-rw-r--r-- | updater/install.cpp | 6 | ||||
-rw-r--r-- | updater/target_files.cpp | 7 | ||||
-rw-r--r-- | updater/updater.cpp | 7 |
3 files changed, 19 insertions, 1 deletions
diff --git a/updater/install.cpp b/updater/install.cpp index cfa4d9d82..295965047 100644 --- a/updater/install.cpp +++ b/updater/install.cpp @@ -35,6 +35,7 @@ #include <unistd.h> #include <utime.h> +#include <limits> #include <memory> #include <string> #include <vector> @@ -172,6 +173,11 @@ Value* PackageExtractFileFn(const char* name, State* state, } std::string buffer; + if (entry.uncompressed_length > std::numeric_limits<size_t>::max()) { + return ErrorAbort(state, kPackageExtractFileFailure, + "%s(): Entry `%s` Uncompressed size exceeds size of address space.", name, + zip_path.c_str()); + } buffer.resize(entry.uncompressed_length); int32_t ret = diff --git a/updater/target_files.cpp b/updater/target_files.cpp index 951923293..207146f52 100644 --- a/updater/target_files.cpp +++ b/updater/target_files.cpp @@ -137,6 +137,13 @@ bool TargetFile::ReadEntryToString(const std::string_view name, std::string* con return true; } + if (entry.uncompressed_length > std::numeric_limits<size_t>::max()) { + LOG(ERROR) << "Failed to extract " << name + << " because's uncompressed size exceeds size of address space. " + << entry.uncompressed_length; + return false; + } + content->resize(entry.uncompressed_length); if (auto extract_err = ExtractToMemory( handle_, &entry, reinterpret_cast<uint8_t*>(&content->at(0)), entry.uncompressed_length); diff --git a/updater/updater.cpp b/updater/updater.cpp index 73ca0e532..c52673462 100644 --- a/updater/updater.cpp +++ b/updater/updater.cpp @@ -170,7 +170,12 @@ bool Updater::ReadEntryToString(ZipArchiveHandle za, const std::string& entry_na << " in the package: " << ErrorCodeString(find_err); return false; } - + if (entry.uncompressed_length > std::numeric_limits<size_t>::max()) { + LOG(ERROR) << "Failed to extract " << entry_name + << " because's uncompressed size exceeds size of address space. " + << entry.uncompressed_length; + return false; + } content->resize(entry.uncompressed_length); int extract_err = ExtractToMemory(za, &entry, reinterpret_cast<uint8_t*>(&content->at(0)), entry.uncompressed_length); |