From d1ba38f7c96e74901779089fea6d09b0c7c2521d Mon Sep 17 00:00:00 2001
From: Kelvin Zhang <zhangkelvin@google.com>
Date: Thu, 17 Sep 2020 11:32:29 -0400
Subject: Check for overflow before allocating memory fore decompression.

On 32bit devices, an ZipEntry64 may have size > 2^32, we should check
for such cases before attempting to allocate memory.

Test: mm -j
Change-Id: I0f916ef4b2a692f167719a74bd6ff2e887c6c2ce
---
 updater/install.cpp      | 6 ++++++
 updater/target_files.cpp | 7 +++++++
 updater/updater.cpp      | 7 ++++++-
 3 files changed, 19 insertions(+), 1 deletion(-)

(limited to 'updater')

diff --git a/updater/install.cpp b/updater/install.cpp
index cfa4d9d82..295965047 100644
--- a/updater/install.cpp
+++ b/updater/install.cpp
@@ -35,6 +35,7 @@
 #include <unistd.h>
 #include <utime.h>
 
+#include <limits>
 #include <memory>
 #include <string>
 #include <vector>
@@ -172,6 +173,11 @@ Value* PackageExtractFileFn(const char* name, State* state,
     }
 
     std::string buffer;
+    if (entry.uncompressed_length > std::numeric_limits<size_t>::max()) {
+      return ErrorAbort(state, kPackageExtractFileFailure,
+                        "%s(): Entry `%s` Uncompressed size exceeds size of address space.", name,
+                        zip_path.c_str());
+    }
     buffer.resize(entry.uncompressed_length);
 
     int32_t ret =
diff --git a/updater/target_files.cpp b/updater/target_files.cpp
index 951923293..207146f52 100644
--- a/updater/target_files.cpp
+++ b/updater/target_files.cpp
@@ -137,6 +137,13 @@ bool TargetFile::ReadEntryToString(const std::string_view name, std::string* con
     return true;
   }
 
+  if (entry.uncompressed_length > std::numeric_limits<size_t>::max()) {
+    LOG(ERROR) << "Failed to extract " << name
+               << " because's uncompressed size exceeds size of address space. "
+               << entry.uncompressed_length;
+    return false;
+  }
+
   content->resize(entry.uncompressed_length);
   if (auto extract_err = ExtractToMemory(
           handle_, &entry, reinterpret_cast<uint8_t*>(&content->at(0)), entry.uncompressed_length);
diff --git a/updater/updater.cpp b/updater/updater.cpp
index 73ca0e532..c52673462 100644
--- a/updater/updater.cpp
+++ b/updater/updater.cpp
@@ -170,7 +170,12 @@ bool Updater::ReadEntryToString(ZipArchiveHandle za, const std::string& entry_na
                << " in the package: " << ErrorCodeString(find_err);
     return false;
   }
-
+  if (entry.uncompressed_length > std::numeric_limits<size_t>::max()) {
+    LOG(ERROR) << "Failed to extract " << entry_name
+               << " because's uncompressed size exceeds size of address space. "
+               << entry.uncompressed_length;
+    return false;
+  }
   content->resize(entry.uncompressed_length);
   int extract_err = ExtractToMemory(za, &entry, reinterpret_cast<uint8_t*>(&content->at(0)),
                                     entry.uncompressed_length);
-- 
cgit v1.2.3