From d1ba38f7c96e74901779089fea6d09b0c7c2521d Mon Sep 17 00:00:00 2001 From: Kelvin Zhang Date: Thu, 17 Sep 2020 11:32:29 -0400 Subject: Check for overflow before allocating memory fore decompression. On 32bit devices, an ZipEntry64 may have size > 2^32, we should check for such cases before attempting to allocate memory. Test: mm -j Change-Id: I0f916ef4b2a692f167719a74bd6ff2e887c6c2ce --- install/wipe_device.cpp | 7 ++++++- 1 file changed, 6 insertions(+), 1 deletion(-) (limited to 'install/wipe_device.cpp') diff --git a/install/wipe_device.cpp b/install/wipe_device.cpp index 0f896c43b..915c87b45 100644 --- a/install/wipe_device.cpp +++ b/install/wipe_device.cpp @@ -51,7 +51,12 @@ std::vector GetWipePartitionList(Package* wipe_package) { std::string partition_list_content; ZipEntry64 entry; if (FindEntry(zip, RECOVERY_WIPE_ENTRY_NAME, &entry) == 0) { - uint32_t length = entry.uncompressed_length; + auto length = entry.uncompressed_length; + if (length > std::numeric_limits::max()) { + LOG(ERROR) << "Failed to extract " << RECOVERY_WIPE_ENTRY_NAME + << " because's uncompressed size exceeds size of address space. " << length; + return {}; + } partition_list_content = std::string(length, '\0'); if (auto err = ExtractToMemory( zip, &entry, reinterpret_cast(partition_list_content.data()), length); -- cgit v1.2.3