From f69e6a9475983b2ad46729e44ab58d2b22cd74d0 Mon Sep 17 00:00:00 2001 From: Tianjie Xu Date: Fri, 16 Dec 2016 14:27:55 -0800 Subject: Add a checker for signature boundary in verifier The 'signature_start' variable marks the location of the signature from the end of a zip archive. And a boundary check is missing where 'signature_start' should be within the EOCD comment field. This causes problems when sideloading a malicious package. Also add a corresponding test. Bug: 31914369 Test: Verification fails correctly when sideloading recovery_test.zip on angler. Change-Id: I6ea96bf04dac5d8d4d6719e678d504f957b4d5c1 --- tests/testdata/signature-boundary.zip | Bin 0 -> 22 bytes 1 file changed, 0 insertions(+), 0 deletions(-) create mode 100644 tests/testdata/signature-boundary.zip (limited to 'tests/testdata') diff --git a/tests/testdata/signature-boundary.zip b/tests/testdata/signature-boundary.zip new file mode 100644 index 000000000..64a3cfa15 Binary files /dev/null and b/tests/testdata/signature-boundary.zip differ -- cgit v1.2.3