commit | 3ca99f6cb8ffbe19c7ef5409f3dac18ea0c254bd | [log] [tgz] |
---|---|---|
author | Doug Zongker <dougz@google.com> | Fri May 16 14:58:32 2014 +0000 |
committer | Gerrit Code Review <noreply-gerritcodereview@google.com> | Fri May 16 14:58:33 2014 +0000 |
tree | b0e672cc873eba3b530132f139eb77e4b31661c6 | |
parent | d27aa76a6ff6436cfb8340bf3d04aba186cc4de1 [diff] | |
parent | 4aa12dd0decafb139239779ab38e6ffda23109ab [diff] |
Merge "fix vulnerability in bspatch"
diff --git a/applypatch/bspatch.c b/applypatch/bspatch.c index 2e80f81..1dc7ab1 100644 --- a/applypatch/bspatch.c +++ b/applypatch/bspatch.c
@@ -205,6 +205,11 @@ ctrl[1] = offtin(buf+8); ctrl[2] = offtin(buf+16); + if (ctrl[0] < 0 || ctrl[1] < 0) { + printf("corrupt patch (negative byte counts)\n"); + return 1; + } + // Sanity check if (newpos + ctrl[0] > *new_size) { printf("corrupt patch (new file overrun)\n");