tequilaOS/platform_system_core
2
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity

Fix out of bound access in libziparchive

Browse source 
The boundary check of an invalid EOCD record may succeed due to the
overflow of uint32_t. Fix the check.

Test: Open the crash.apk and libziparchive reports the offset error as expected.

Bug: 31251826
Change-Id: I1d8092a19b73886a671bc9d291cfc27d65e3d236
(cherry picked from commit ae8180c06d)
This commit is contained in:
Tianjie Xu 2016-09-21 14:58:11 -07:00
parent 61f27551c7
commit 1ee4892e66
1 changed files with 6 additions and 1 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

7
libziparchive/zip_archive.cc
View file

@ -501,9 +501,14 @@ static int32_t MapCentralDirectory0(int fd, const char* debug_file_name,
* Grab the CD offset and size, and the number of entries in the
* archive and verify that they look reasonable.
*/
if (eocd->cd_start_offset + eocd->cd_size > eocd_offset) {
if (static_cast<off64_t>(eocd->cd_start_offset) + eocd->cd_size > eocd_offset) {
ALOGW("Zip: bad offsets (dir %" PRIu32 ", size %" PRIu32 ", eocd %" PRId64 ")",
eocd->cd_start_offset, eocd->cd_size, static_cast<int64_t>(eocd_offset));
#if defined(__ANDROID__)
if (eocd->cd_start_offset + eocd->cd_size <= eocd_offset) {
android_errorWriteLog(0x534e4554, "31251826");
}
#endif
return kInvalidOffset;
}
if (eocd->num_records == 0) {