diff options
| author | Kelvin Zhang <zhangkelvin@google.com> | 2020-09-19 07:35:04 +0200 |
|---|---|---|
| committer | Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com> | 2020-09-19 07:35:04 +0200 |
| commit | 115a0172189a09e73bc010b377c8a68d8c6d3b8c (patch) | |
| tree | f892e9ca467b4f751345a2a3200caf8903a217c9 /install | |
| parent | Merge "Merge mainline-release 6664920 to master - DO NOT MERGE" am: 7a899bb461 (diff) | |
| parent | Merge "Check for overflow before allocating memory fore decompression." (diff) | |
| download | android_bootable_recovery-115a0172189a09e73bc010b377c8a68d8c6d3b8c.tar android_bootable_recovery-115a0172189a09e73bc010b377c8a68d8c6d3b8c.tar.gz android_bootable_recovery-115a0172189a09e73bc010b377c8a68d8c6d3b8c.tar.bz2 android_bootable_recovery-115a0172189a09e73bc010b377c8a68d8c6d3b8c.tar.lz android_bootable_recovery-115a0172189a09e73bc010b377c8a68d8c6d3b8c.tar.xz android_bootable_recovery-115a0172189a09e73bc010b377c8a68d8c6d3b8c.tar.zst android_bootable_recovery-115a0172189a09e73bc010b377c8a68d8c6d3b8c.zip | |
Diffstat (limited to 'install')
| -rw-r--r-- | install/install.cpp | 8 | ||||
| -rw-r--r-- | install/verifier.cpp | 6 | ||||
| -rw-r--r-- | install/wipe_device.cpp | 7 |
3 files changed, 19 insertions, 2 deletions
diff --git a/install/install.cpp b/install/install.cpp index 753373206..1b220cb39 100644 --- a/install/install.cpp +++ b/install/install.cpp @@ -246,7 +246,13 @@ bool SetUpAbUpdateCommands(const std::string& package, ZipArchiveHandle zip, int LOG(ERROR) << "Failed to find " << AB_OTA_PAYLOAD_PROPERTIES; return false; } - uint32_t properties_entry_length = properties_entry.uncompressed_length; + auto properties_entry_length = properties_entry.uncompressed_length; + if (properties_entry_length > std::numeric_limits<size_t>::max()) { + LOG(ERROR) << "Failed to extract " << AB_OTA_PAYLOAD_PROPERTIES + << " because's uncompressed size exceeds size of address space. " + << properties_entry_length; + return false; + } std::vector<uint8_t> payload_properties(properties_entry_length); int32_t err = ExtractToMemory(zip, &properties_entry, payload_properties.data(), properties_entry_length); diff --git a/install/verifier.cpp b/install/verifier.cpp index d8bc53f69..3f0260138 100644 --- a/install/verifier.cpp +++ b/install/verifier.cpp @@ -323,6 +323,12 @@ static std::vector<Certificate> IterateZipEntriesAndSearchForKeys(const ZipArchi std::string_view name; ZipEntry64 entry; while ((iter_status = Next(cookie, &entry, &name)) == 0) { + if (entry.uncompressed_length > std::numeric_limits<size_t>::max()) { + LOG(ERROR) << "Failed to extract " << name + << " because's uncompressed size exceeds size of address space. " + << entry.uncompressed_length; + return {}; + } std::vector<uint8_t> pem_content(entry.uncompressed_length); if (int32_t extract_status = ExtractToMemory(handle, &entry, pem_content.data(), pem_content.size()); diff --git a/install/wipe_device.cpp b/install/wipe_device.cpp index 0f896c43b..915c87b45 100644 --- a/install/wipe_device.cpp +++ b/install/wipe_device.cpp @@ -51,7 +51,12 @@ std::vector<std::string> GetWipePartitionList(Package* wipe_package) { std::string partition_list_content; ZipEntry64 entry; if (FindEntry(zip, RECOVERY_WIPE_ENTRY_NAME, &entry) == 0) { - uint32_t length = entry.uncompressed_length; + auto length = entry.uncompressed_length; + if (length > std::numeric_limits<size_t>::max()) { + LOG(ERROR) << "Failed to extract " << RECOVERY_WIPE_ENTRY_NAME + << " because's uncompressed size exceeds size of address space. " << length; + return {}; + } partition_list_content = std::string(length, '\0'); if (auto err = ExtractToMemory( zip, &entry, reinterpret_cast<uint8_t*>(partition_list_content.data()), length); |