diff options
| author | Treehugger Robot <treehugger-gerrit@google.com> | 2019-06-18 18:25:26 +0000 |
|---|---|---|
| committer | Gerrit Code Review <noreply-gerritcodereview@google.com> | 2019-06-18 18:25:26 +0000 |
| commit | 10118144d0b8a90496db9f97d55bf607db2c8c8b (patch) | |
| tree | ebe23d95183dfad42797b3d4ffea28ee8af07f92 | |
| parent | 1a313bad729068bfd60f9f86c5769671bc652b53 (diff) | |
| parent | 6e40d9347586f0bc628295a0c581c95eeae0a234 (diff) | |
| download | bsdiff-10118144d0b8a90496db9f97d55bf607db2c8c8b.tar.gz | |
Merge "bspatch_fuzzer: guard againts integer overflow with bad patch"android-o-mr1-iot-release-1.0.14
| -rw-r--r-- | bspatch.cc | 6 |
1 files changed, 6 insertions, 0 deletions
@@ -34,6 +34,7 @@ __FBSDID("$FreeBSD: src/usr.bin/bsdiff/bspatch/bspatch.c,v 1.1 2005/08/06 01:59: #include <fcntl.h> #include <inttypes.h> #include <stdio.h> +#include <stdint.h> #include <stdlib.h> #include <string.h> #include <sys/stat.h> @@ -329,6 +330,8 @@ int bspatch(const std::unique_ptr<FileInterface>& old_file, // Adjust pointers. newpos += control_entry.diff_size; + if (oldpos > INT64_MAX - static_cast<int64_t>(control_entry.diff_size)) + return 2; oldpos += control_entry.diff_size; if (oldpos > static_cast<int64_t>(old_file_size)) { @@ -358,6 +361,9 @@ int bspatch(const std::unique_ptr<FileInterface>& old_file, // Adjust pointers. newpos += control_entry.extra_size; + if (control_entry.offset_increment > 0 && + oldpos > INT64_MAX - control_entry.offset_increment) + return 2; oldpos += control_entry.offset_increment; } |