authorDoug Zongker <dougz@google.com>2014-05-13 08:37:06 -0700
committerDoug Zongker <dougz@google.com>2014-05-13 08:45:54 -0700
commit4d054795b673855e3a7556c6f2f7ab99ca509998 (patch)
treef344a7dd6e208c628556110ee51bcb6901e500c0
parent23e322ab19fb7d74c2c37e40ce364d9f709bdcee (diff)
downloadbsdiff-4d054795b673855e3a7556c6f2f7ab99ca509998.tar.gz
fix vulnerability in bspatch
Patches whose control data tuples have a negative number in the first and/or second element can cause bspatch to write to arbitrary locations in the heap.

Change-Id: Ibfccf222dbc24328ce7593476da36212d9052e12
-rw-r--r--bspatch.c5
1 files changed, 5 insertions, 0 deletions
diff --git a/bspatch.c b/bspatch.c
index 3ef698f..61de4d5 100644
--- a/bspatch.c
+++ b/bspatch.c
@@ -152,6 +152,11 @@ int main(int argc,char * argv[])
ctrl[i]=offtin(buf);
};
+ // android local change (start)
+ if (ctrl[0]<0||ctrl[1]<0)
+ errx(1,"Corrupt patch\n");
+ // android local change (end)
+
/* Sanity-check */
if(newpos+ctrl[0]>newsize)
errx(1,"Corrupt patch\n");
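Review bot: The sanity check right after the new guard, `if(newpos+ctrl[0]>newsize)`, still adds before it compares, so a very large positive `ctrl[0]` can overflow the sum and slip past the bound even though negatives are now rejected. That assumes `newpos` and `ctrl[]` are signed offsets, which the hunk does not show. Writing the bound as a subtraction avoids the overflow, and the negative test could be folded in: `if (ctrl[0]<0 || ctrl[0]>newsize-newpos)`. The same form would apply wherever `ctrl[1]` is bounded later. The body of `main` continues outside this hunk, so the `ctrl[1]` check and the handling of `ctrl[2]` (which may legitimately be negative) are not visible here. It is worth confirming that the old-file position derived from `ctrl[2]` is range-checked before it is used as an index.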