diff options
author | Amin Hassani <ahassani@google.com> | 2019-06-18 12:14:45 -0700 |
---|---|---|
committer | android-build-merger <android-build-merger@google.com> | 2019-06-18 12:14:45 -0700 |
commit | 797bbc31202358cba772bfe146e63f6b088f450f (patch) | |
tree | ebe23d95183dfad42797b3d4ffea28ee8af07f92 | |
parent | 79d0acf62e249d4d3b38cd41e5b47bdee336145a (diff) | |
parent | ea33dbd6161bc966e9c474a3c06dbe1f916b7167 (diff) | |
download | bsdiff-797bbc31202358cba772bfe146e63f6b088f450f.tar.gz |
Merge "bspatch_fuzzer: guard againts integer overflow with bad patch" am: 10118144d0
am: ea33dbd616
Change-Id: I286687f2302f029af98486a1f83a168a4c13f246
-rw-r--r-- | bspatch.cc | 6 |
1 files changed, 6 insertions, 0 deletions
@@ -34,6 +34,7 @@ __FBSDID("$FreeBSD: src/usr.bin/bsdiff/bspatch/bspatch.c,v 1.1 2005/08/06 01:59: #include <fcntl.h> #include <inttypes.h> #include <stdio.h> +#include <stdint.h> #include <stdlib.h> #include <string.h> #include <sys/stat.h> @@ -329,6 +330,8 @@ int bspatch(const std::unique_ptr<FileInterface>& old_file, // Adjust pointers. newpos += control_entry.diff_size; + if (oldpos > INT64_MAX - static_cast<int64_t>(control_entry.diff_size)) + return 2; oldpos += control_entry.diff_size; if (oldpos > static_cast<int64_t>(old_file_size)) { @@ -358,6 +361,9 @@ int bspatch(const std::unique_ptr<FileInterface>& old_file, // Adjust pointers. newpos += control_entry.extra_size; + if (control_entry.offset_increment > 0 && + oldpos > INT64_MAX - control_entry.offset_increment) + return 2; oldpos += control_entry.offset_increment; } |