Add a checker for signature boundary in verifier The 'signature_start' variable marks the location of the signature from the end of a zip archive. And a boundary check is missing where 'signature_start' should be within the EOCD comment field. This causes problems when sideloading a malicious package. Also add a corresponding test. Bug: 31914369 Test: Verification fails correctly when sideloading recovery_test.zip on angler. Change-Id: I6ea96bf04dac5d8d4d6719e678d504f957b4d5c1

commit: f69e6a9475983b2ad46729e44ab58d2b22cd74d0 [log] [tgz]
author: Tianjie Xu <xunchang@google.com> Fri Dec 16 14:27:55 2016 -0800
committer: Tianjie Xu <xunchang@google.com> Fri Dec 16 16:01:42 2016 -0800
tree: e67d6d8b861198b42f3e46c71702630b6116042b
parent: cc1ecf792f53fa6e9a7189506542bd428aa31a41 [diff] [blame]
diff --git a/tests/component/verifier_test.cpp b/tests/component/verifier_test.cpp
index 33aadb3..8d8b461 100644
--- a/tests/component/verifier_test.cpp
+++ b/tests/component/verifier_test.cpp

@@ -155,4 +155,5 @@
             std::vector<std::string>({"random.zip", "v1"}),
             std::vector<std::string>({"fake-eocd.zip", "v1"}),
             std::vector<std::string>({"alter-metadata.zip", "v1"}),
-            std::vector<std::string>({"alter-footer.zip", "v1"})));
+            std::vector<std::string>({"alter-footer.zip", "v1"}),
+            std::vector<std::string>({"signature-boundary.zip", "v1"})));
commit	f69e6a9475983b2ad46729e44ab58d2b22cd74d0	[log] [tgz]
author	Tianjie Xu <xunchang@google.com>	Fri Dec 16 14:27:55 2016 -0800
committer	Tianjie Xu <xunchang@google.com>	Fri Dec 16 16:01:42 2016 -0800
tree	e67d6d8b861198b42f3e46c71702630b6116042b
parent	cc1ecf792f53fa6e9a7189506542bd428aa31a41 [diff] [blame]