am c4804e9b: am d4592694: am 3ca99f6c: Merge "fix vulnerability in bspatch"

* commit 'c4804e9b9c143652d17441b4b672b920b11cc94a': fix vulnerability in bspatch
author: Doug Zongker <dougz@google.com> 2014-05-16 15:09:35 +0000
committer: Android Git Automerger <android-git-automerger@android.com> 2014-05-16 15:09:35 +0000
commit: ddb1b744983e37b51fc20759bbf8dac31f4d30ad (patch)
tree: 02e2420d49536bf886ea14256bd087ada49592e4 /applypatch
parent: eed64836386a64cc945e7e9a01a96ed0d6fa57af (diff)
parent: c4804e9b9c143652d17441b4b672b920b11cc94a (diff)
download: bootable_recovery-ddb1b744983e37b51fc20759bbf8dac31f4d30ad.zip
bootable_recovery-ddb1b744983e37b51fc20759bbf8dac31f4d30ad.tar.gz
bootable_recovery-ddb1b744983e37b51fc20759bbf8dac31f4d30ad.tar.bz2
1 files changed, 5 insertions, 0 deletions
diff --git a/applypatch/bspatch.c b/applypatch/bspatch.c
index 2e80f81..1dc7ab1 100644
--- a/applypatch/bspatch.c
+++ b/applypatch/bspatch.c
@@ -205,6 +205,11 @@ int ApplyBSDiffPatchMem(const unsigned char* old_data, ssize_t old_size,
         ctrl[1] = offtin(buf+8);
         ctrl[2] = offtin(buf+16);
 
+        if (ctrl[0] < 0 || ctrl[1] < 0) {
+            printf("corrupt patch (negative byte counts)\n");
+            return 1;
+        }
+
         // Sanity check
         if (newpos + ctrl[0] > *new_size) {
             printf("corrupt patch (new file overrun)\n");
author	Doug Zongker <dougz@google.com>	2014-05-16 15:09:35 +0000
committer	Android Git Automerger <android-git-automerger@android.com>	2014-05-16 15:09:35 +0000
commit	ddb1b744983e37b51fc20759bbf8dac31f4d30ad (patch)
tree	02e2420d49536bf886ea14256bd087ada49592e4 /applypatch
parent	eed64836386a64cc945e7e9a01a96ed0d6fa57af (diff)
parent	c4804e9b9c143652d17441b4b672b920b11cc94a (diff)
download	bootable_recovery-ddb1b744983e37b51fc20759bbf8dac31f4d30ad.zip bootable_recovery-ddb1b744983e37b51fc20759bbf8dac31f4d30ad.tar.gz bootable_recovery-ddb1b744983e37b51fc20759bbf8dac31f4d30ad.tar.bz2