From 3b0f4847762a208e6cd166d420e15b0bf013e612 Mon Sep 17 00:00:00 2001
From: Steve Kondik <shade@chemlab.org>
Date: Wed, 9 Dec 2009 01:31:06 -0500
Subject: Security: Fix typo in recovery EOCD detection.

This issue results in the ability to modify the contents of a signed
OTA recovery image.
---
 verifier.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/verifier.c b/verifier.c
index f2491a14a..164fb4a01 100644
--- a/verifier.c
+++ b/verifier.c
@@ -123,7 +123,7 @@ int verify_file(const char* path, const RSAPublicKey *pKeys, unsigned int numKey
     int i;
     for (i = 4; i < eocd_size-3; ++i) {
         if (eocd[i  ] == 0x50 && eocd[i+1] == 0x4b &&
-            eocd[i+2] == 0x05 && eocd[i+1] == 0x06) {
+            eocd[i+2] == 0x05 && eocd[i+3] == 0x06) {
             // if the sequence $50 $4b $05 $06 appears anywhere after
             // the real one, minzip will find the later (wrong) one,
             // which could be exploitable.  Fail verification if
-- 
cgit v1.2.3