author | Tianjie Xu <xunchang@google.com> | 2016-09-21 14:58:11 -0700 |
---|---|---|
committer | gitbuildkicker <android-build@google.com> | 2016-10-27 15:19:35 -0700 |
commit | e92c5a9ff47b8f26db49c8e914e9b420eccc2a2d (patch) | |
tree | 34c27432788cf5407fbb727371b6a8f360ab059c | |
parent | 0849cb6f1a9981c584861fe7f697d9b85fd1563d (diff) | |
download | core-e92c5a9ff47b8f26db49c8e914e9b420eccc2a2d.tar.gz |
Fix out of bound access in libziparchiveandroid-7.0.0_r27android-7.0.0_r24
The boundary check of an invalid EOCD record may succeed due to the
overflow of uint32_t. Fix the check.
Test: Open the crash.apk and libziparchive reports the offset error as expected.
Bug: 31251826
Change-Id: I1d8092a19b73886a671bc9d291cfc27d65e3d236
(cherry picked from commit ae8180c06dee228cd1378c56afa6020ae98d8a24)
(cherry picked from commit 1ee4892e66ba314131b7ecf17e98bb1762c4b84c)
-rw-r--r-- | libziparchive/zip_archive.cc | 7 |
1 files changed, 6 insertions, 1 deletions
diff --git a/libziparchive/zip_archive.cc b/libziparchive/zip_archive.cc
index 1f2750047..986ee7208 100644
--- a/libziparchive/zip_archive.cc
+++ b/libziparchive/zip_archive.cc
@@ -269,9 +269,14 @@ static int32_t MapCentralDirectory0(int fd, const char* debug_file_name,
 * Grab the CD offset and size, and the number of entries in the
 * archive and verify that they look reasonable.
 */
- if (eocd->cd_start_offset + eocd->cd_size > eocd_offset) {
+ if (static_cast<off64_t>(eocd->cd_start_offset) + eocd->cd_size > eocd_offset) {
 ALOGW("Zip: bad offsets (dir %" PRIu32 ", size %" PRIu32 ", eocd %" PRId64 ")",
 eocd->cd_start_offset, eocd->cd_size, static_cast<int64_t>(eocd_offset));
+#if defined(__ANDROID__)
+ if (eocd->cd_start_offset + eocd->cd_size <= eocd_offset) {
+ android_errorWriteLog(0x534e4554, "31251826");
+ }
+#endif
 return kInvalidOffset;
 }
 if (eocd->num_records == 0) { |
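Review bot: The inner check under `#if defined(__ANDROID__)` repeats the pre-fix 32-bit sum on purpose, so it is true only when the `uint32_t` addition wrapped, but nothing in the code says so. A later cleanup that adds the same cast there would silently turn the event log into dead code. A comment above it such as `// Deliberately uses the wrapping uint32_t sum: true only when overflow would have bypassed the old check.` would protect it, and `0x534e4554` would read better as a named constant or with a short comment on what the tag identifies. The commit message's test is a manual run against crash.apk; a unit test with an EOCD whose `cd_start_offset + cd_size` exceeds `UINT32_MAX` would keep the widened comparison from regressing. `MapCentralDirectory0` begins and ends outside this hunk, so whether `cd_start_offset` is range-checked on its own elsewhere cannot be seen here.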