DO NOT MERGE: Add a checker for signature boundary in verifier The 'signature_start' variable marks the location of the signature from the end of a zip archive. And a boundary check is missing where 'signature_start' should be within the EOCD comment field. This causes problems when sideloading a malicious package. Also add a corresponding test. Bug: 31914369 Test: Verification fails correctly when sideloading recovery_test.zip on angler. Change-Id: I6ea96bf04dac5d8d4d6719e678d504f957b4d5c1 (cherry-picked from f69e6a9475983b2ad46729e44ab58d2b22cd74d0) (cherry picked from commit 54ea136fded56810bf475885eb4bd7bf1b11f09c)

commit: f616da172602c0098af3e14e64c9b0a797159a2d [log] [tgz]
author: Tianjie Xu <xunchang@google.com> Fri Dec 16 16:24:09 2016 -0800
committer: Tianjie Xu <xunchang@google.com> Mon Dec 19 16:46:44 2016 -0800
tree: 0ab7ad0af3eb148ba4cb49500de9baf3f34e1b11
parent: 839b4e592a7c81bdebe08fae4eef6e909c89acd6 [diff]
diff --git a/verifier.cpp b/verifier.cpp
index 782a838..23fab07 100644
--- a/verifier.cpp
+++ b/verifier.cpp

@@ -79,6 +79,13 @@
     LOGI("comment is %d bytes; signature %d bytes from end\n",
          comment_size, signature_start);
 
+    if (signature_start > comment_size) {
+        LOGE("signature start: %zu is larger than comment size: %zu\n", signature_start,
+             comment_size);
+        fclose(f);
+        return VERIFY_FAILURE;
+    }
+
     if (signature_start - FOOTER_SIZE < RSANUMBYTES) {
         // "signature" block isn't big enough to contain an RSA block.
         LOGE("signature is too short\n");
commit	f616da172602c0098af3e14e64c9b0a797159a2d	[log] [tgz]
author	Tianjie Xu <xunchang@google.com>	Fri Dec 16 16:24:09 2016 -0800
committer	Tianjie Xu <xunchang@google.com>	Mon Dec 19 16:46:44 2016 -0800
tree	0ab7ad0af3eb148ba4cb49500de9baf3f34e1b11
parent	839b4e592a7c81bdebe08fae4eef6e909c89acd6 [diff]