fix vulnerability in bspatch Patches with control data tuples with negative numbers in the first and/or second can cause bspatch to write to arbitrary locations in the heap. Change-Id: I8c5d81948be773e6483241131d3d166b6da27cb8

commit: 4aa12dd0decafb139239779ab38e6ffda23109ab [log] [tgz]
author: Doug Zongker <dougz@google.com> Tue May 13 08:40:49 2014 -0700
committer: Doug Zongker <dougz@google.com> Tue May 13 08:40:49 2014 -0700
tree: 53ae20bf4f591492bc8eae4df55223434052ad8d
parent: 1c2cf1db0db2c9e9310d27bdc19c605f5537b72f [diff] [blame]
diff --git a/applypatch/bspatch.c b/applypatch/bspatch.c
index 2e80f81..1dc7ab1 100644
--- a/applypatch/bspatch.c
+++ b/applypatch/bspatch.c

@@ -205,6 +205,11 @@
         ctrl[1] = offtin(buf+8);
         ctrl[2] = offtin(buf+16);
 
+        if (ctrl[0] < 0 || ctrl[1] < 0) {
+            printf("corrupt patch (negative byte counts)\n");
+            return 1;
+        }
+
         // Sanity check
         if (newpos + ctrl[0] > *new_size) {
             printf("corrupt patch (new file overrun)\n");
commit	4aa12dd0decafb139239779ab38e6ffda23109ab	[log] [tgz]
author	Doug Zongker <dougz@google.com>	Tue May 13 08:40:49 2014 -0700
committer	Doug Zongker <dougz@google.com>	Tue May 13 08:40:49 2014 -0700
tree	53ae20bf4f591492bc8eae4df55223434052ad8d
parent	1c2cf1db0db2c9e9310d27bdc19c605f5537b72f [diff] [blame]