tequilaOS/platform_bootable_recovery
2
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity

applypatch: Don't call inflate() when it expects zero-length output.

Browse source 
We may have expanded_len == 0 when calling inflate(). After switching to
using std::vector, it passes a nullptr buffer to inflate() and leads to
Z_STREAM_ERROR.

Bug: 29312140
Change-Id: Iab7c6c07a9e8488e844e7cdda76d02bd60d2ea98
This commit is contained in:
Tao Bao 2016-06-13 16:39:34 -07:00
parent b0ddae55e5
commit 490fad6791
1 changed files with 63 additions and 54 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

117
applypatch/imgpatch.cpp
View file

@ -151,40 +151,45 @@ int ApplyImagePatch(const unsigned char* old_data, ssize_t old_size,
size_t bonus_size = (i == 1 && bonus_data != NULL) ? bonus_data->size : 0; size_t bonus_size = (i == 1 && bonus_data != NULL) ? bonus_data->size : 0;
std::vector<unsigned char> expanded_source(expanded_len); std::vector<unsigned char> expanded_source(expanded_len);
z_stream strm;
strm.zalloc = Z_NULL;
strm.zfree = Z_NULL;
strm.opaque = Z_NULL;
strm.avail_in = src_len;
strm.next_in = (unsigned char*)(old_data + src_start);
strm.avail_out = expanded_len;
strm.next_out = expanded_source.data();
int ret; // inflate() doesn't like strm.next_out being a nullptr even with
ret = inflateInit2(&strm, -15); // avail_out being zero (Z_STREAM_ERROR).
if (ret != Z_OK) { if (expanded_len != 0) {
printf("failed to init source inflation: %d\n", ret); z_stream strm;
return -1; strm.zalloc = Z_NULL;
} strm.zfree = Z_NULL;
strm.opaque = Z_NULL;
strm.avail_in = src_len;
strm.next_in = (unsigned char*)(old_data + src_start);
strm.avail_out = expanded_len;
strm.next_out = expanded_source.data();
// Because we've provided enough room to accommodate the output int ret;
// data, we expect one call to inflate() to suffice. ret = inflateInit2(&strm, -15);
ret = inflate(&strm, Z_SYNC_FLUSH); if (ret != Z_OK) {
if (ret != Z_STREAM_END) { printf("failed to init source inflation: %d\n", ret);
printf("source inflation returned %d\n", ret); return -1;
return -1; }
}
// We should have filled the output buffer exactly, except
// for the bonus_size.
if (strm.avail_out != bonus_size) {
printf("source inflation short by %zu bytes\n", strm.avail_out-bonus_size);
return -1;
}
inflateEnd(&strm);
if (bonus_size) { // Because we've provided enough room to accommodate the output
memcpy(expanded_source.data() + (expanded_len - bonus_size), // data, we expect one call to inflate() to suffice.
bonus_data->data, bonus_size); ret = inflate(&strm, Z_SYNC_FLUSH);
if (ret != Z_STREAM_END) {
printf("source inflation returned %d\n", ret);
return -1;
}
// We should have filled the output buffer exactly, except
// for the bonus_size.
if (strm.avail_out != bonus_size) {
printf("source inflation short by %zu bytes\n", strm.avail_out-bonus_size);
return -1;
}
inflateEnd(&strm);
if (bonus_size) {
memcpy(expanded_source.data() + (expanded_len - bonus_size),
bonus_data->data, bonus_size);
}
} }
// Next, apply the bsdiff patch (in memory) to the uncompressed // Next, apply the bsdiff patch (in memory) to the uncompressed
@ -203,33 +208,37 @@ int ApplyImagePatch(const unsigned char* old_data, ssize_t old_size,
if (expanded_source.size() < 32768U) { if (expanded_source.size() < 32768U) {
expanded_source.resize(32768U); expanded_source.resize(32768U);
} }
std::vector<unsigned char>& temp_data = expanded_source;
// now the deflate stream {
strm.zalloc = Z_NULL; std::vector<unsigned char>& temp_data = expanded_source;
strm.zfree = Z_NULL;
strm.opaque = Z_NULL;
strm.avail_in = uncompressed_target_data.size();
strm.next_in = uncompressed_target_data.data();
ret = deflateInit2(&strm, level, method, windowBits, memLevel, strategy);
if (ret != Z_OK) {
printf("failed to init uncompressed data deflation: %d\n", ret);
return -1;
}
do {
strm.avail_out = temp_data.size();
strm.next_out = temp_data.data();
ret = deflate(&strm, Z_FINISH);
ssize_t have = temp_data.size() - strm.avail_out;
if (sink(temp_data.data(), have, token) != have) { // now the deflate stream
printf("failed to write %ld compressed bytes to output\n", z_stream strm;
(long)have); strm.zalloc = Z_NULL;
strm.zfree = Z_NULL;
strm.opaque = Z_NULL;
strm.avail_in = uncompressed_target_data.size();
strm.next_in = uncompressed_target_data.data();
int ret = deflateInit2(&strm, level, method, windowBits, memLevel, strategy);
if (ret != Z_OK) {
printf("failed to init uncompressed data deflation: %d\n", ret);
return -1; return -1;
} }
if (ctx) SHA1_Update(ctx, temp_data.data(), have); do {
} while (ret != Z_STREAM_END); strm.avail_out = temp_data.size();
deflateEnd(&strm); strm.next_out = temp_data.data();
ret = deflate(&strm, Z_FINISH);
ssize_t have = temp_data.size() - strm.avail_out;
if (sink(temp_data.data(), have, token) != have) {
printf("failed to write %ld compressed bytes to output\n",
(long)have);
return -1;
}
if (ctx) SHA1_Update(ctx, temp_data.data(), have);
} while (ret != Z_STREAM_END);
deflateEnd(&strm);
}
} else { } else {
printf("patch chunk %d is unknown type %d\n", i, type); printf("patch chunk %d is unknown type %d\n", i, type);
return -1; return -1;