Merge "recovery: check battery level before installing package." am: 16d0a18514 am: d1b66ad6a1
am: 9ade9e6c41

* commit '9ade9e6c418aacfcab3e1ec487c8c5c327b7a007':
  recovery: check battery level before installing package.
diff --git a/minzip/SysUtil.c b/minzip/SysUtil.c
index 09ec876..de47edf 100644
--- a/minzip/SysUtil.c
+++ b/minzip/SysUtil.c
@@ -8,6 +8,7 @@
 #include <fcntl.h>
 #include <limits.h>
 #include <stdbool.h>
+#include <stdint.h>
 #include <stdio.h>
 #include <stdlib.h>
 #include <string.h>
@@ -39,6 +40,11 @@
     pMap->length = sb.st_size;
     pMap->range_count = 1;
     pMap->ranges = malloc(sizeof(MappedRange));
+    if (pMap->ranges == NULL) {
+        LOGE("malloc failed: %s\n", strerror(errno));
+        munmap(memPtr, sb.st_size);
+        return false;
+    }
     pMap->ranges[0].addr = memPtr;
     pMap->ranges[0].length = sb.st_size;
 
@@ -50,7 +56,7 @@
     char block_dev[PATH_MAX+1];
     size_t size;
     unsigned int blksize;
-    unsigned int blocks;
+    size_t blocks;
     unsigned int range_count;
     unsigned int i;
 
@@ -69,49 +75,80 @@
         LOGE("failed to parse block map header\n");
         return -1;
     }
-
-    blocks = ((size-1) / blksize) + 1;
+    if (blksize != 0) {
+        blocks = ((size-1) / blksize) + 1;
+    }
+    if (size == 0 || blksize == 0 || blocks > SIZE_MAX / blksize || range_count == 0) {
+        LOGE("invalid data in block map file: size %zu, blksize %u, range_count %u\n",
+             size, blksize, range_count);
+        return -1;
+    }
 
     pMap->range_count = range_count;
-    pMap->ranges = malloc(range_count * sizeof(MappedRange));
-    memset(pMap->ranges, 0, range_count * sizeof(MappedRange));
+    pMap->ranges = calloc(range_count, sizeof(MappedRange));
+    if (pMap->ranges == NULL) {
+        LOGE("calloc(%u, %zu) failed: %s\n", range_count, sizeof(MappedRange), strerror(errno));
+        return -1;
+    }
 
     // Reserve enough contiguous address space for the whole file.
     unsigned char* reserve;
     reserve = mmap64(NULL, blocks * blksize, PROT_NONE, MAP_PRIVATE | MAP_ANON, -1, 0);
     if (reserve == MAP_FAILED) {
         LOGE("failed to reserve address space: %s\n", strerror(errno));
+        free(pMap->ranges);
         return -1;
     }
 
-    pMap->ranges[range_count-1].addr = reserve;
-    pMap->ranges[range_count-1].length = blocks * blksize;
-
     int fd = open(block_dev, O_RDONLY);
     if (fd < 0) {
         LOGE("failed to open block device %s: %s\n", block_dev, strerror(errno));
+        munmap(reserve, blocks * blksize);
+        free(pMap->ranges);
         return -1;
     }
 
     unsigned char* next = reserve;
+    size_t remaining_size = blocks * blksize;
+    bool success = true;
     for (i = 0; i < range_count; ++i) {
-        int start, end;
-        if (fscanf(mapf, "%d %d\n", &start, &end) != 2) {
+        size_t start, end;
+        if (fscanf(mapf, "%zu %zu\n", &start, &end) != 2) {
             LOGE("failed to parse range %d in block map\n", i);
-            return -1;
+            success = false;
+            break;
+        }
+        size_t length = (end - start) * blksize;
+        if (end <= start || ((end - start) > SIZE_MAX / blksize) || length > remaining_size) {
+            LOGE("unexpected range in block map: %zu %zu\n", start, end);
+            success = false;
+            break;
         }
 
-        void* addr = mmap64(next, (end-start)*blksize, PROT_READ, MAP_PRIVATE | MAP_FIXED, fd, ((off64_t)start)*blksize);
+        void* addr = mmap64(next, length, PROT_READ, MAP_PRIVATE | MAP_FIXED, fd, ((off64_t)(start*blksize)));
         if (addr == MAP_FAILED) {
             LOGE("failed to map block %d: %s\n", i, strerror(errno));
-            return -1;
+            success = false;
+            break;
         }
         pMap->ranges[i].addr = addr;
-        pMap->ranges[i].length = (end-start)*blksize;
+        pMap->ranges[i].length = length;
 
-        next += pMap->ranges[i].length;
+        next += length;
+        remaining_size -= length;
+    }
+    if (success && remaining_size != 0) {
+        LOGE("ranges in block map are invalid: remaining_size = %zu\n", remaining_size);
+        success = false;
+    }
+    if (!success) {
+        close(fd);
+        munmap(reserve, blocks * blksize);
+        free(pMap->ranges);
+        return -1;
     }
 
+    close(fd);
     pMap->addr = reserve;
     pMap->length = size;
 
@@ -134,6 +171,7 @@
 
         if (sysMapBlockFile(mapf, pMap) != 0) {
             LOGE("Map of '%s' failed\n", fn);
+            fclose(mapf);
             return -1;
         }
 
diff --git a/updater/updater.cpp b/updater/updater.cpp
index 0f22e6d..80e7503 100644
--- a/updater/updater.cpp
+++ b/updater/updater.cpp
@@ -19,6 +19,8 @@
 #include <stdlib.h>
 #include <string.h>
 
+#include <string>
+
 #include "edify/expr.h"
 #include "updater.h"
 #include "install.h"
@@ -89,12 +91,11 @@
         return 4;
     }
 
-    char* script = reinterpret_cast<char*>(malloc(script_entry->uncompLen+1));
-    if (!mzReadZipEntry(&za, script_entry, script, script_entry->uncompLen)) {
+    std::string script(script_entry->uncompLen, '\0');
+    if (!mzReadZipEntry(&za, script_entry, &script[0], script_entry->uncompLen)) {
         printf("failed to read script from package\n");
         return 5;
     }
-    script[script_entry->uncompLen] = '\0';
 
     // Configure edify's functions.
 
@@ -108,7 +109,7 @@
 
     Expr* root;
     int error_count = 0;
-    int error = parse_string(script, &root, &error_count);
+    int error = parse_string(script.c_str(), &root, &error_count);
     if (error != 0 || error_count > 0) {
         printf("%d parse errors\n", error_count);
         return 6;
@@ -135,7 +136,7 @@
 
     State state;
     state.cookie = &updater_info;
-    state.script = script;
+    state.script = &script[0];
     state.errmsg = NULL;
 
     char* result = Evaluate(&state, root);
@@ -163,7 +164,5 @@
         mzCloseZipArchive(updater_info.package_zip);
     }
     sysReleaseMap(&map);
-    free(script);
-
     return 0;
 }