fix vulnerability in bspatch

Patches with control data tuples with negative numbers in the first
and/or second can cause bspatch to write to arbitrary locations in the
heap.

Change-Id: I8c5d81948be773e6483241131d3d166b6da27cb8
Doug Zongker
2014-05-13 08:40:49 -07:00
parent 1c2cf1db0d
commit 4aa12dd0de

@@ -205,6 +205,11 @@ int ApplyBSDiffPatchMem(const unsigned char* old_data, ssize_t old_size,
ctrl[1] = offtin(buf+8);
ctrl[2] = offtin(buf+16);
if (ctrl[0] < 0 || ctrl[1] < 0) {
printf("corrupt patch (negative byte counts)\n");
return 1;
}
// Sanity check
if (newpos + ctrl[0] > *new_size) {
printf("corrupt patch (new file overrun)\n");
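Review bot: the bounds test that follows the new negative check, `newpos + ctrl[0] > *new_size`, still relies on an addition, so a very large positive ctrl[0] could overflow the sum and pass the test. Now that ctrl[0] is known to be non-negative at that point, writing it as `ctrl[0] > *new_size - newpos` avoids the addition, assuming newpos never exceeds *new_size. Separately, the new check covers ctrl[0] and ctrl[1] but not ctrl[2], which is read just above it; a one-line comment saying why ctrl[2] may be negative would make that omission clearly intentional, and the new block has no comment of its own while the older test below it does.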