DO NOT MERGE: Initialize the ZipArchive to zero before parsing
The fields of the ZipArchive on the stack are not initialized before we call libminzip to parse the zip file. As a result, some random memory location is freed unintentionally when we close the ZipArchive upon parsing failures. Bug: 35385357 Test: recompile and run the poc with asan. Change-Id: I7e7f8ab4816c84a158af7389e1a889f8fc65f079
+1
-1
@@ -481,7 +481,7 @@ really_install_package(const char *path, bool* wipe_cache, bool needs_mount,
|
|||||||
}
|
}
|
||||||
|
|
||||||
// Try to open the package.
|
// Try to open the package.
|
||||||
ZipArchive zip;
|
ZipArchive zip = {};
|
||||||
int err = mzOpenZipArchive(map.addr, map.length, &zip);
|
int err = mzOpenZipArchive(map.addr, map.length, &zip);
|
||||||
if (err != 0) {
|
if (err != 0) {
|
||||||
LOGE("Can't open %s\n(%s)\n", path, err != -1 ? strerror(err) : "bad");
|
LOGE("Can't open %s\n(%s)\n", path, err != -1 ? strerror(err) : "bad");
|
||||||
|
|||||||
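Review bot: Zero-initializing `zip` at its declaration fixes this call site only, so the protection depends on every caller of mzOpenZipArchive doing the same; the `za` declaration in the second file section is the same pattern and is covered by this note. The description says the stale fields are freed when the archive is closed after a parse failure, but the libminzip code is not shown here. If that close happens inside the library, clearing the struct at the top of mzOpenZipArchive, for example `memset(archive, 0, sizeof(*archive));` (parameter name assumed), would cover all callers at once. At minimum I would add a comment on both declarations so the initializer is not later removed as redundant: `// Must be zeroed: a failed open closes the archive and frees its pointer fields.` The body of really_install_package starts and ends outside this hunk, so other uses of `zip` were not reviewed.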
+1
-1
@@ -77,7 +77,7 @@ int main(int argc, char** argv) {
|
|||||||
printf("failed to map package %s\n", argv[3]);
|
printf("failed to map package %s\n", argv[3]);
|
||||||
return 3;
|
return 3;
|
||||||
}
|
}
|
||||||
ZipArchive za;
|
ZipArchive za = {};
|
||||||
int err;
|
int err;
|
||||||
err = mzOpenZipArchive(map.addr, map.length, &za);
|
err = mzOpenZipArchive(map.addr, map.length, &za);
|
||||||
if (err != 0) {
|
if (err != 0) {
|
||||||
|
|||||||