summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorAmin Hassani <ahassani@google.com>2019-05-13 11:47:57 -0700
committerAmin Hassani <ahassani@google.com>2019-06-14 11:42:22 -0700
commit6e40d9347586f0bc628295a0c581c95eeae0a234 (patch)
treeebe23d95183dfad42797b3d4ffea28ee8af07f92
parent1a313bad729068bfd60f9f86c5769671bc652b53 (diff)
downloadbsdiff-6e40d9347586f0bc628295a0c581c95eeae0a234.tar.gz
bspatch_fuzzer: guard againts integer overflow with bad patch
oldpos is a signed integer and an invalid input can cause integer overflow. This CL makes sure the interger overflow doesn't happen. The error message was: ../../../../../../../tmp/portage/dev-util/bsdiff-9999/work/bsdiff-9999/platform2/bsdiff/bspatch.cc:366:12: runtime error: signed integer overflow: 251 + 9223372036854775807 cannot be represented in type 'long' Bug: crbug.com/950591 Test: cros_fuzz --board=amd64-generic reproduce --fuzzer bspatch_fuzzer --testcase ~/trunk/clusterfuzz-testcase-bspatch_fuzzer-5689939906920448 --package bsdiff --build-type ubsan Change-Id: If1253483bc073cfb08867b531121d835078544bb
-rw-r--r--bspatch.cc6
1 files changed, 6 insertions, 0 deletions
diff --git a/bspatch.cc b/bspatch.cc
index d552dcf..d7f1710 100644
--- a/bspatch.cc
+++ b/bspatch.cc
@@ -34,6 +34,7 @@ __FBSDID("$FreeBSD: src/usr.bin/bsdiff/bspatch/bspatch.c,v 1.1 2005/08/06 01:59:
#include <fcntl.h>
#include <inttypes.h>
#include <stdio.h>
+#include <stdint.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
@@ -329,6 +330,8 @@ int bspatch(const std::unique_ptr<FileInterface>& old_file,
// Adjust pointers.
newpos += control_entry.diff_size;
+ if (oldpos > INT64_MAX - static_cast<int64_t>(control_entry.diff_size))
+ return 2;
oldpos += control_entry.diff_size;
if (oldpos > static_cast<int64_t>(old_file_size)) {
@@ -358,6 +361,9 @@ int bspatch(const std::unique_ptr<FileInterface>& old_file,
// Adjust pointers.
newpos += control_entry.extra_size;
+ if (control_entry.offset_increment > 0 &&
+ oldpos > INT64_MAX - control_entry.offset_increment)
+ return 2;
oldpos += control_entry.offset_increment;
}