authorDoug Zongker <dougz@google.com>2014-05-16 16:58:32 +0200
committerGerrit Code Review <noreply-gerritcodereview@google.com>2014-05-16 16:58:33 +0200
commit3ca99f6cb8ffbe19c7ef5409f3dac18ea0c254bd (patch)
treeb0e672cc873eba3b530132f139eb77e4b31661c6
parentMerge "Support BGRA framebuffer" (diff)
parentfix vulnerability in bspatch (diff)
-rw-r--r--applypatch/bspatch.c5
1 files changed, 5 insertions, 0 deletions
diff --git a/applypatch/bspatch.c b/applypatch/bspatch.c
index 2e80f81d0..1dc7ab10b 100644
--- a/applypatch/bspatch.c
+++ b/applypatch/bspatch.c
@@ -205,6 +205,11 @@ int ApplyBSDiffPatchMem(const unsigned char* old_data, ssize_t old_size,
ctrl[1] = offtin(buf+8);
ctrl[2] = offtin(buf+16);
+ if (ctrl[0] < 0 || ctrl[1] < 0) {
+ printf("corrupt patch (negative byte counts)\n");
+ return 1;
+ }
+
// Sanity check
if (newpos + ctrl[0] > *new_size) {
printf("corrupt patch (new file overrun)\n");
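Review bot: The overrun test right after the new guard, `if (newpos + ctrl[0] > *new_size)`, still adds before it compares, so a very large positive ctrl[0] taken from the patch could overflow the sum and pass the check. The declarations are outside the hunk; if newpos and ctrl[] are signed, that overflow is undefined behaviour. Now that ctrl[0] is known to be non-negative, the comparison can be written as a subtraction, `if (ctrl[0] > *new_size - newpos) {`, assuming newpos never exceeds *new_size, and the same form would suit any later bound on ctrl[1]. ctrl[2] is deliberately not covered by the new guard, presumably because a backward seek is valid; a comment such as `// ctrl[2] is a signed seek into old_data and may be negative` next to the guard would make that explicit. The body of ApplyBSDiffPatchMem starts and ends outside this hunk.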