system/core
修订版 | e8e6d11d9982a70ffaf07d7408994436b5ea788e (tree) |
---|---|
时间 | 2016-11-04 06:00:24 |
作者 | Tianjie Xu <xunchang@goog...> |
Commiter | gitbuildkicker |
Fix out of bound access in libziparchive
The boundary check of an invalid EOCD record may succeed due to the
overflow of uint32_t. Fix the check.
Test: Open the crash.apk and libziparchive reports the offset error as expected.
Bug: 31251826
Change-Id: I1d8092a19b73886a671bc9d291cfc27d65e3d236
(cherry picked from commit ae8180c06dee228cd1378c56afa6020ae98d8a24)
(cherry picked from commit 1ee4892e66ba314131b7ecf17e98bb1762c4b84c)
@@ -463,9 +463,14 @@ static int32_t MapCentralDirectory0(int fd, const char* debug_file_name, | ||
463 | 463 | * Grab the CD offset and size, and the number of entries in the |
464 | 464 | * archive and verify that they look reasonable. |
465 | 465 | */ |
466 | - if (eocd->cd_start_offset + eocd->cd_size > eocd_offset) { | |
466 | + if (static_cast<off64_t>(eocd->cd_start_offset) + eocd->cd_size > eocd_offset) { | |
467 | 467 | ALOGW("Zip: bad offsets (dir %" PRIu32 ", size %" PRIu32 ", eocd %" PRId64 ")", |
468 | 468 | eocd->cd_start_offset, eocd->cd_size, static_cast<int64_t>(eocd_offset)); |
469 | +#if defined(__ANDROID__) | |
470 | + if (eocd->cd_start_offset + eocd->cd_size <= eocd_offset) { | |
471 | + android_errorWriteLog(0x534e4554, "31251826"); | |
472 | + } | |
473 | +#endif | |
469 | 474 | return kInvalidOffset; |
470 | 475 | } |
471 | 476 | if (eocd->num_records == 0) { |
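Review bot: The inner test at new line 470 repeats the pre-fix 32-bit sum on purpose, but nothing says so, and it reads like a leftover of the bug being fixed. It is true only when `eocd->cd_start_offset + eocd->cd_size` wrapped in uint32_t, so the log call fires only for archives that would have passed the old check; a comment such as `// Deliberately 32-bit: true only if the sum wrapped and the old check would have passed.` would keep a later cleanup from widening or deleting it. The literal `0x534e4554` (ASCII "SNET") and the bug id string deserve a short comment or named constants saying this is the event-log tag that records the malformed archive. MapCentralDirectory0 starts and ends outside the hunk, so whether later arithmetic on cd_start_offset and cd_size is widened the same way cannot be judged from here.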