1 files changed, 75 insertions, 39 deletions

diff --git a/minzip/SysUtil.c b/minzip/SysUtil.c
index 0ac1fa9b8..9c3575b9c 100644
--- a/minzip/SysUtil.c
+++ b/minzip/SysUtil.c
@@ -3,17 +3,18 @@
  *
  * System utilities.
  */
-#include <stdlib.h>
+#include <assert.h>
+#include <errno.h>
+#include <fcntl.h>
+#include <limits.h>
+#include <stdbool.h>
 #include <stdio.h>
-#include <unistd.h>
+#include <stdlib.h>
 #include <string.h>
 #include <sys/mman.h>
-#include <sys/types.h>
 #include <sys/stat.h>
-#include <fcntl.h>
-#include <limits.h>
-#include <errno.h>
-#include <assert.h>
+#include <sys/types.h>
+#include <unistd.h>
 
 #define LOG_TAG "sysutil"
 #include "Log.h"
@@ -57,8 +58,7 @@ static int getFileStartAndLength(int fd, loff_t *start_, size_t *length_)
  * On success, returns 0 and fills out "pMap".  On failure, returns a nonzero
  * value and does not disturb "pMap".
  */
-static int sysMapFD(int fd, MemMapping* pMap)
-{
+static bool sysMapFD(int fd, MemMapping* pMap) {
     loff_t start;
     size_t length;
     void* memPtr;
@@ -75,19 +75,23 @@ static int sysMapFD(int fd, MemMapping* pMap)
     memPtr = mmap(NULL, length, PROT_READ, MAP_PRIVATE, fd, start);
 #endif
     if (memPtr == MAP_FAILED) {
-        LOGW("mmap(%d, R, PRIVATE, %d, %d) failed: %s\n", (int) length,
-            fd, (int) start, strerror(errno));
-        return -1;
+        LOGE("mmap(%d, R, PRIVATE, %d, 0) failed: %s\n", (int) length, fd, strerror(errno));
+        return false;
     }
 
     pMap->addr = memPtr;
     pMap->length = length;
     pMap->range_count = 1;
     pMap->ranges = malloc(sizeof(MappedRange));
+    if (pMap->ranges == NULL) {
+        LOGE("malloc failed: %s\n", strerror(errno));
+        munmap(memPtr, length);
+        return false;
+    }
     pMap->ranges[0].addr = memPtr;
     pMap->ranges[0].length = length;
 
-    return 0;
+    return true;
 }
 
 static int sysMapBlockFile(FILE* mapf, MemMapping* pMap)
@@ -95,12 +99,12 @@ static int sysMapBlockFile(FILE* mapf, MemMapping* pMap)
     char block_dev[PATH_MAX+1];
     size_t size;
     unsigned int blksize;
-    unsigned int blocks;
+    size_t blocks;
     unsigned int range_count;
     unsigned int i;
 
     if (fgets(block_dev, sizeof(block_dev), mapf) == NULL) {
-        LOGW("failed to read block device from header\n");
+        LOGE("failed to read block device from header\n");
         return -1;
     }
     for (i = 0; i < sizeof(block_dev); ++i) {
@@ -111,15 +115,24 @@ static int sysMapBlockFile(FILE* mapf, MemMapping* pMap)
     }
 
     if (fscanf(mapf, "%zu %u\n%u\n", &size, &blksize, &range_count) != 3) {
-        LOGW("failed to parse block map header\n");
+        LOGE("failed to parse block map header\n");
+        return -1;
+    }
+    if (blksize != 0) {
+        blocks = ((size-1) / blksize) + 1;
+    }
+    if (size == 0 || blksize == 0 || blocks > SIZE_MAX / blksize || range_count == 0) {
+        LOGE("invalid data in block map file: size %zu, blksize %u, range_count %u\n",
+             size, blksize, range_count);
         return -1;
     }
-
-    blocks = ((size-1) / blksize) + 1;
 
     pMap->range_count = range_count;
-    pMap->ranges = malloc(range_count * sizeof(MappedRange));
-    memset(pMap->ranges, 0, range_count * sizeof(MappedRange));
+    pMap->ranges = calloc(range_count, sizeof(MappedRange));
+    if (pMap->ranges == NULL) {
+        LOGE("calloc(%u, %zu) failed: %s\n", range_count, sizeof(MappedRange), strerror(errno));
+        return -1;
+    }
 
     // Reserve enough contiguous address space for the whole file.
     unsigned char* reserve;
@@ -130,25 +143,34 @@ static int sysMapBlockFile(FILE* mapf, MemMapping* pMap)
     reserve = mmap(NULL, blocks * blksize, PROT_NONE, MAP_PRIVATE | MAP_ANON, -1, 0);
 #endif
     if (reserve == MAP_FAILED) {
-        LOGW("failed to reserve address space: %s\n", strerror(errno));
+        LOGE("failed to reserve address space: %s\n", strerror(errno));
+        free(pMap->ranges);
         return -1;
     }
 
-    pMap->ranges[range_count-1].addr = reserve;
-    pMap->ranges[range_count-1].length = blocks * blksize;
-
     int fd = open(block_dev, O_RDONLY);
     if (fd < 0) {
-        LOGW("failed to open block device %s: %s\n", block_dev, strerror(errno));
+        LOGE("failed to open block device %s: %s\n", block_dev, strerror(errno));
+        munmap(reserve, blocks * blksize);
+        free(pMap->ranges);
         return -1;
     }
 
     unsigned char* next = reserve;
+    size_t remaining_size = blocks * blksize;
+    bool success = true;
     for (i = 0; i < range_count; ++i) {
-        int start, end;
-        if (fscanf(mapf, "%d %d\n", &start, &end) != 2) {
-            LOGW("failed to parse range %d in block map\n", i);
-            return -1;
+        size_t start, end;
+        if (fscanf(mapf, "%zu %zu\n", &start, &end) != 2) {
+            LOGE("failed to parse range %d in block map\n", i);
+            success = false;
+            break;
+        }
+        size_t length = (end - start) * blksize;
+        if (end <= start || (end - start) > SIZE_MAX / blksize || length > remaining_size) {
+          LOGE("unexpected range in block map: %zu %zu\n", start, end);
+          success = false;
+          break;
         }
 #if (PLATFORM_SDK_VERSION >= 21)
         void* addr = mmap64(next, (end-start)*blksize, PROT_READ, MAP_PRIVATE | MAP_FIXED, fd, ((off64_t)start)*blksize);
@@ -157,15 +179,28 @@ static int sysMapBlockFile(FILE* mapf, MemMapping* pMap)
         void* addr = mmap(next, (end-start)*blksize, PROT_READ, MAP_PRIVATE | MAP_FIXED, fd, ((off64_t)start)*blksize);
 #endif
         if (addr == MAP_FAILED) {
-            LOGW("failed to map block %d: %s\n", i, strerror(errno));
-            return -1;
+            LOGE("failed to map block %d: %s\n", i, strerror(errno));
+            success = false;
+            break;
         }
         pMap->ranges[i].addr = addr;
-        pMap->ranges[i].length = (end-start)*blksize;
+        pMap->ranges[i].length = length;
 
-        next += pMap->ranges[i].length;
+        next += length;
+        remaining_size -= length;
+    }
+    if (success && remaining_size != 0) {
+      LOGE("ranges in block map are invalid: remaining_size = %zu\n", remaining_size);
+      success = false;
+    }
+    if (!success) {
+      close(fd);
+      munmap(reserve, blocks * blksize);
+      free(pMap->ranges);
+      return -1;
     }
 
+    close(fd);
     pMap->addr = reserve;
     pMap->length = size;
 
@@ -182,25 +217,26 @@ int sysMapFile(const char* fn, MemMapping* pMap)
         // A map of blocks
         FILE* mapf = fopen(fn+1, "r");
         if (mapf == NULL) {
-            LOGV("Unable to open '%s': %s\n", fn+1, strerror(errno));
+            LOGE("Unable to open '%s': %s\n", fn+1, strerror(errno));
             return -1;
         }
 
         if (sysMapBlockFile(mapf, pMap) != 0) {
-            LOGW("Map of '%s' failed\n", fn);
+            LOGE("Map of '%s' failed\n", fn);
+            fclose(mapf);
             return -1;
         }
 
         fclose(mapf);
     } else {
         // This is a regular file.
-        int fd = open(fn, O_RDONLY, 0);
-        if (fd < 0) {
+        int fd = open(fn, O_RDONLY);
+        if (fd == -1) {
             LOGE("Unable to open '%s': %s\n", fn, strerror(errno));
             return -1;
         }
 
-        if (sysMapFD(fd, pMap) != 0) {
+        if (!sysMapFD(fd, pMap)) {
             LOGE("Map of '%s' failed\n", fn);
             close(fd);
             return -1;
@@ -219,7 +255,7 @@ void sysReleaseMap(MemMapping* pMap)
     int i;
     for (i = 0; i < pMap->range_count; ++i) {
         if (munmap(pMap->ranges[i].addr, pMap->ranges[i].length) < 0) {
-            LOGW("munmap(%p, %d) failed: %s\n",
+            LOGE("munmap(%p, %d) failed: %s\n",
                  pMap->ranges[i].addr, (int)pMap->ranges[i].length, strerror(errno));
         }
     }