PawletOS/android_bootable_recovery
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

uncrypt: avoid use-after-free

Browse Source 
The `std::string package` variable goes out of scope but the input_path
variable is then used to access the memory as it's set to `c_str()`.

This was detected via OpenBSD malloc's junk filling feature.

Change-Id: Ic4b939347881b6ebebf71884e7e2272ce99510e2
This commit is contained in:
Daniel Micay
2016-01-12 16:54:44 -05:00
committed by Tao Bao
parent 6f8b9b60db
commit c5631fc096
1 changed files with 4 additions and 3 deletions
Download Patch File Download Diff File Expand all files Collapse all files
uncrypt/uncrypt.cpp
+4 -3
View File
@@ -418,8 +418,6 @@ int uncrypt(const char* input_path, const char* map_file, int status_fd) {
}
int main(int argc, char** argv) {
const char* input_path;
const char* map_file;
if (argc != 3 && argc != 1 && (argc == 2 && strcmp(argv[1], "--reboot") != 0)) {
fprintf(stderr, "usage: %s [--reboot] [<transform_path> <map_file>]\n", argv[0]);
@@ -443,13 +441,16 @@ int main(int argc, char** argv) {
}
unique_fd status_fd_holder(status_fd);
std::string package;
const char* input_path;
const char* map_file;
if (argc == 3) {
// when command-line args are given this binary is being used
// for debugging.
input_path = argv[1];
map_file = argv[2];
} else {
std::string package;
if (!find_uncrypt_package(package)) {
android::base::WriteStringToFd("-1\n", status_fd);
return 1;