Add a checker for signature boundary in verifier

The 'signature_start' variable marks the location of the signature from the end of a zip archive. And a boundary check is missing where 'signature_start' should be within the EOCD comment field. This causes problems when sideloading a malicious package. Also add a corresponding test. Bug: 31914369 Test: Verification fails correctly when sideloading recovery_test.zip on angler. Change-Id: I6ea96bf04dac5d8d4d6719e678d504f957b4d5c1 (cherry-picked from f69e6a9475)
2016-12-16 16:24:09 -08:00
parent 36acff7d7e
commit 54ea136fde
1 changed files with 6 additions and 0 deletions
--- a/verifier.cpp
+++ b/verifier.cpp
@@ -143,6 +143,12 @@ int verify_file(unsigned char* addr, size_t length,
    LOGI("comment is %zu bytes; signature %zu bytes from end\n",
         comment_size, signature_start);

+    if (signature_start > comment_size) {
+        LOGE("signature start: %zu is larger than comment size: %zu\n", signature_start,
+             comment_size);
+        return VERIFY_FAILURE;
+    }
+
    if (signature_start <= FOOTER_SIZE) {
        LOGE("Signature start is in the footer");
        return VERIFY_FAILURE;