diff options
author | Amin Hassani <ahassani@google.com> | 2019-06-18 12:02:48 -0700 |
---|---|---|
committer | android-build-merger <android-build-merger@google.com> | 2019-06-18 12:02:48 -0700 |
commit | ea33dbd6161bc966e9c474a3c06dbe1f916b7167 (patch) | |
tree | ebe23d95183dfad42797b3d4ffea28ee8af07f92 | |
parent | 1a313bad729068bfd60f9f86c5769671bc652b53 (diff) | |
parent | 10118144d0b8a90496db9f97d55bf607db2c8c8b (diff) | |
download | bsdiff-ea33dbd6161bc966e9c474a3c06dbe1f916b7167.tar.gz |
Merge "bspatch_fuzzer: guard againts integer overflow with bad patch"
am: 10118144d0
Change-Id: I9d4f5f5e5de007efe56a4fea927989dcc6bea490
-rw-r--r-- | bspatch.cc | 6 |
1 files changed, 6 insertions, 0 deletions
@@ -34,6 +34,7 @@ __FBSDID("$FreeBSD: src/usr.bin/bsdiff/bspatch/bspatch.c,v 1.1 2005/08/06 01:59: #include <fcntl.h> #include <inttypes.h> #include <stdio.h> +#include <stdint.h> #include <stdlib.h> #include <string.h> #include <sys/stat.h> @@ -329,6 +330,8 @@ int bspatch(const std::unique_ptr<FileInterface>& old_file, // Adjust pointers. newpos += control_entry.diff_size; + if (oldpos > INT64_MAX - static_cast<int64_t>(control_entry.diff_size)) + return 2; oldpos += control_entry.diff_size; if (oldpos > static_cast<int64_t>(old_file_size)) { @@ -358,6 +361,9 @@ int bspatch(const std::unique_ptr<FileInterface>& old_file, // Adjust pointers. newpos += control_entry.extra_size; + if (control_entry.offset_increment > 0 && + oldpos > INT64_MAX - control_entry.offset_increment) + return 2; oldpos += control_entry.offset_increment; } |