diff options
| author | Kelvin Zhang <zhangkelvin@google.com> | 2020-09-17 11:32:29 -0400 |
|---|---|---|
| committer | Kelvin Zhang <zhangkelvin@google.com> | 2020-09-18 17:41:51 -0400 |
| commit | d1ba38f7c96e74901779089fea6d09b0c7c2521d (patch) | |
| tree | f892e9ca467b4f751345a2a3200caf8903a217c9 /install | |
| parent | a35202befd6460a30330d57e7e69564bc6fb29f9 (diff) | |
Check for overflow before allocating memory fore decompression.
On 32bit devices, an ZipEntry64 may have size > 2^32, we should check
for such cases before attempting to allocate memory.
Test: mm -j
Change-Id: I0f916ef4b2a692f167719a74bd6ff2e887c6c2ce
Diffstat (limited to 'install')
| -rw-r--r-- | install/install.cpp | 8 | ||||
| -rw-r--r-- | install/verifier.cpp | 6 | ||||
| -rw-r--r-- | install/wipe_device.cpp | 7 |
3 files changed, 19 insertions, 2 deletions
diff --git a/install/install.cpp b/install/install.cpp index 75337320..1b220cb3 100644 --- a/install/install.cpp +++ b/install/install.cpp @@ -246,7 +246,13 @@ bool SetUpAbUpdateCommands(const std::string& package, ZipArchiveHandle zip, int LOG(ERROR) << "Failed to find " << AB_OTA_PAYLOAD_PROPERTIES; return false; } - uint32_t properties_entry_length = properties_entry.uncompressed_length; + auto properties_entry_length = properties_entry.uncompressed_length; + if (properties_entry_length > std::numeric_limits<size_t>::max()) { + LOG(ERROR) << "Failed to extract " << AB_OTA_PAYLOAD_PROPERTIES + << " because's uncompressed size exceeds size of address space. " + << properties_entry_length; + return false; + } std::vector<uint8_t> payload_properties(properties_entry_length); int32_t err = ExtractToMemory(zip, &properties_entry, payload_properties.data(), properties_entry_length); diff --git a/install/verifier.cpp b/install/verifier.cpp index d8bc53f6..3f026013 100644 --- a/install/verifier.cpp +++ b/install/verifier.cpp @@ -323,6 +323,12 @@ static std::vector<Certificate> IterateZipEntriesAndSearchForKeys(const ZipArchi std::string_view name; ZipEntry64 entry; while ((iter_status = Next(cookie, &entry, &name)) == 0) { + if (entry.uncompressed_length > std::numeric_limits<size_t>::max()) { + LOG(ERROR) << "Failed to extract " << name + << " because's uncompressed size exceeds size of address space. " + << entry.uncompressed_length; + return {}; + } std::vector<uint8_t> pem_content(entry.uncompressed_length); if (int32_t extract_status = ExtractToMemory(handle, &entry, pem_content.data(), pem_content.size()); diff --git a/install/wipe_device.cpp b/install/wipe_device.cpp index 0f896c43..915c87b4 100644 --- a/install/wipe_device.cpp +++ b/install/wipe_device.cpp @@ -51,7 +51,12 @@ std::vector<std::string> GetWipePartitionList(Package* wipe_package) { std::string partition_list_content; ZipEntry64 entry; if (FindEntry(zip, RECOVERY_WIPE_ENTRY_NAME, &entry) == 0) { - uint32_t length = entry.uncompressed_length; + auto length = entry.uncompressed_length; + if (length > std::numeric_limits<size_t>::max()) { + LOG(ERROR) << "Failed to extract " << RECOVERY_WIPE_ENTRY_NAME + << " because's uncompressed size exceeds size of address space. " << length; + return {}; + } partition_list_content = std::string(length, '\0'); if (auto err = ExtractToMemory( zip, &entry, reinterpret_cast<uint8_t*>(partition_list_content.data()), length); |