diff options
| author | Doug Zongker <dougz@google.com> | 2014-05-16 16:58:32 +0200 |
|---|---|---|
| committer | Gerrit Code Review <noreply-gerritcodereview@google.com> | 2014-05-16 16:58:33 +0200 |
| commit | 3ca99f6cb8ffbe19c7ef5409f3dac18ea0c254bd (patch) | |
| tree | b0e672cc873eba3b530132f139eb77e4b31661c6 | |
| parent | Merge "Support BGRA framebuffer" (diff) | |
| parent | fix vulnerability in bspatch (diff) | |
| download | android_bootable_recovery-3ca99f6cb8ffbe19c7ef5409f3dac18ea0c254bd.tar android_bootable_recovery-3ca99f6cb8ffbe19c7ef5409f3dac18ea0c254bd.tar.gz android_bootable_recovery-3ca99f6cb8ffbe19c7ef5409f3dac18ea0c254bd.tar.bz2 android_bootable_recovery-3ca99f6cb8ffbe19c7ef5409f3dac18ea0c254bd.tar.lz android_bootable_recovery-3ca99f6cb8ffbe19c7ef5409f3dac18ea0c254bd.tar.xz android_bootable_recovery-3ca99f6cb8ffbe19c7ef5409f3dac18ea0c254bd.tar.zst android_bootable_recovery-3ca99f6cb8ffbe19c7ef5409f3dac18ea0c254bd.zip | |
| -rw-r--r-- | applypatch/bspatch.c | 5 |
1 files changed, 5 insertions, 0 deletions
diff --git a/applypatch/bspatch.c b/applypatch/bspatch.c index 2e80f81d0..1dc7ab10b 100644 --- a/applypatch/bspatch.c +++ b/applypatch/bspatch.c @@ -205,6 +205,11 @@ int ApplyBSDiffPatchMem(const unsigned char* old_data, ssize_t old_size, ctrl[1] = offtin(buf+8); ctrl[2] = offtin(buf+16); + if (ctrl[0] < 0 || ctrl[1] < 0) { + printf("corrupt patch (negative byte counts)\n"); + return 1; + } + // Sanity check if (newpos + ctrl[0] > *new_size) { printf("corrupt patch (new file overrun)\n"); |