Add a checker for signature boundary in verifier
The 'signature_start' variable marks the location of the signature
from the end of a zip archive. And a boundary check is missing where
'signature_start' should be within the EOCD comment field. This causes
problems when sideloading a malicious package. Also add a corresponding
test.
Bug: 31914369
Test: Verification fails correctly when sideloading recovery_test.zip on
angler.
Change-Id: I6ea96bf04dac5d8d4d6719e678d504f957b4d5c1
(cherry-picked from f69e6a9475983b2ad46729e44ab58d2b22cd74d0)
diff --git a/verifier.cpp b/verifier.cpp
index eeff95a..3d4f603 100644
--- a/verifier.cpp
+++ b/verifier.cpp
@@ -143,6 +143,12 @@
LOGI("comment is %zu bytes; signature %zu bytes from end\n",
comment_size, signature_start);
+ if (signature_start > comment_size) {
+ LOGE("signature start: %zu is larger than comment size: %zu\n", signature_start,
+ comment_size);
+ return VERIFY_FAILURE;
+ }
+
if (signature_start <= FOOTER_SIZE) {
LOGE("Signature start is in the footer");
return VERIFY_FAILURE;