author | Amin Hassani <ahassani@google.com> | 2019-05-13 11:47:57 -0700 |
---|---|---|
committer | Amin Hassani <ahassani@google.com> | 2019-06-14 11:42:22 -0700 |
commit | 6e40d9347586f0bc628295a0c581c95eeae0a234 (patch) | |
tree | ebe23d95183dfad42797b3d4ffea28ee8af07f92 | |
parent | 1a313bad729068bfd60f9f86c5769671bc652b53 (diff) | |
download | bsdiff-6e40d9347586f0bc628295a0c581c95eeae0a234.tar.gz |
bspatch_fuzzer: guard againts integer overflow with bad patch
oldpos is a signed integer, and an invalid input can cause integer
overflow. This CL makes sure the integer overflow doesn't happen.
The error message was:
../../../../../../../tmp/portage/dev-util/bsdiff-9999/work/bsdiff-9999/platform2/bsdiff/bspatch.cc:366:12: runtime error: signed integer overflow: 251 + 9223372036854775807 cannot be represented in type 'long'
Bug: crbug.com/950591
Test: cros_fuzz --board=amd64-generic reproduce --fuzzer bspatch_fuzzer --testcase ~/trunk/clusterfuzz-testcase-bspatch_fuzzer-5689939906920448 --package bsdiff --build-type ubsan
Change-Id: If1253483bc073cfb08867b531121d835078544bb
-rw-r--r-- | bspatch.cc | 6 |
1 files changed, 6 insertions, 0 deletions
@@ -34,6 +34,7 @@ __FBSDID("$FreeBSD: src/usr.bin/bsdiff/bspatch/bspatch.c,v 1.1 2005/08/06 01:59:
 #include <fcntl.h>
 #include <inttypes.h>
 #include <stdio.h>
+#include <stdint.h>
 #include <stdlib.h>
 #include <string.h>
 #include <sys/stat.h>
@@ -329,6 +330,8 @@ int bspatch(const std::unique_ptr<FileInterface>& old_file,
 // Adjust pointers.
 newpos += control_entry.diff_size;
+ if (oldpos > INT64_MAX - static_cast<int64_t>(control_entry.diff_size))
+ return 2;
 oldpos += control_entry.diff_size;
 if (oldpos > static_cast<int64_t>(old_file_size)) {
@@ -358,6 +361,9 @@ int bspatch(const std::unique_ptr<FileInterface>& old_file,
 // Adjust pointers.
 newpos += control_entry.extra_size;
+ if (control_entry.offset_increment > 0 &&
+ oldpos > INT64_MAX - control_entry.offset_increment)
+ return 2;
 oldpos += control_entry.offset_increment;
 }
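Review bot: In the second hunk the guard `oldpos > INT64_MAX - static_cast<int64_t>(control_entry.diff_size)` relies on `diff_size` fitting in a signed 64-bit value; if that field is unsigned (as the cast suggests) and is not already bounded before this point, a value above INT64_MAX becomes negative after the cast and the subtraction itself overflows, which is the same class of UB the commit sets out to remove. Comparing in the unsigned domain first avoids that, e.g. `if (control_entry.diff_size > static_cast<uint64_t>(INT64_MAX) || oldpos > INT64_MAX - static_cast<int64_t>(control_entry.diff_size)) return 2;`. The third hunk guards only the positive direction of `offset_increment`; that is sufficient while `oldpos` is non-negative, but no lower-bound check on `oldpos` is visible in the hunk, so it is worth confirming that `oldpos` cannot already be negative here or adding the symmetric `control_entry.offset_increment < 0 && oldpos < INT64_MIN - control_entry.offset_increment` guard. Both new `return 2;` paths are silent; a one-line comment such as `// Reject a patch whose control data would push oldpos past INT64_MAX (crbug.com/950591).` would record why. bspatch() starts and ends outside these hunks.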