author | Doug Zongker <dougz@google.com> | 2014-05-13 08:37:06 -0700 |
---|---|---|
committer | Doug Zongker <dougz@google.com> | 2014-05-13 08:45:54 -0700 |
commit | 4d054795b673855e3a7556c6f2f7ab99ca509998 (patch) | |
tree | f344a7dd6e208c628556110ee51bcb6901e500c0 | |
parent | 23e322ab19fb7d74c2c37e40ce364d9f709bdcee (diff) | |
download | bsdiff-4d054795b673855e3a7556c6f2f7ab99ca509998.tar.gz |
fix vulnerability in bspatch
Patches with control data tuples with negative numbers in the first
and/or second can cause bspatch to write to arbitrary locations in the
heap.
Change-Id: Ibfccf222dbc24328ce7593476da36212d9052e12
-rw-r--r-- | bspatch.c | 5 |
1 files changed, 5 insertions, 0 deletions
@@ -152,6 +152,11 @@ int main(int argc,char * argv[]) ctrl[i]=offtin(buf); }; + // android local change (start) + if (ctrl[0]<0||ctrl[1]<0) + errx(1,"Corrupt patch\n"); + // android local change (end) + /* Sanity-check */ if(newpos+ctrl[0]>newsize) errx(1,"Corrupt patch\n"); |
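Review bot: The sanity check that follows the added lines, `if(newpos+ctrl[0]>newsize)`, still adds before it compares, so rejecting negative values does not cover a very large positive ctrl[0] that overflows the signed sum and slips past the bound. Consider writing the comparison without the addition, for example `ctrl[0]>newsize-newpos`, assuming newpos never exceeds newsize at this point. The "android local change" markers would also be more useful with a short comment saying why negative lengths are rejected, since the reason currently lives only in the commit message.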