Fix out of bound read in libziparchive

We should check the boundary of central directory before checking its signature. Swap the order of these two checks. Bug: 36392138 Test: libziparchive doesn't read the signature after boundary check fails. Merged-In: Ie89f709bb2d1ccb647116fb7ccb1e23c943e5ab8 Change-Id: Ie89f709bb2d1ccb647116fb7ccb1e23c943e5ab8 (cherry picked from commit 74464a1361)
2017-04-05 14:46:27 -07:00 · 2017-04-05 14:46:27 -07:00 · 0fda1cf633
parent 9e020e2d11
commit 0fda1cf633
1 changed files with 8 additions and 5 deletions
--- a/libziparchive/zip_archive.cc
+++ b/libziparchive/zip_archive.cc
@ -329,6 +329,14 @@ static int32_t ParseZipArchive(ZipArchive* archive) {
  const uint8_t* const cd_end = cd_ptr + cd_length;
  const uint8_t* ptr = cd_ptr;
  for (uint16_t i = 0; i < num_entries; i++) {
+    if (ptr > cd_end - sizeof(CentralDirectoryRecord)) {
+      ALOGW("Zip: ran off the end (at %" PRIu16 ")", i);
+#if defined(__ANDROID__)
+      android_errorWriteLog(0x534e4554, "36392138");
+#endif
+      return -1;
+    }
+
    const CentralDirectoryRecord* cdr =
        reinterpret_cast<const CentralDirectoryRecord*>(ptr);
    if (cdr->record_signature != CentralDirectoryRecord::kSignature) {
@ -336,11 +344,6 @@ static int32_t ParseZipArchive(ZipArchive* archive) {
      return -1;
    }

-    if (ptr + sizeof(CentralDirectoryRecord) > cd_end) {
-      ALOGW("Zip: ran off the end (at %" PRIu16 ")", i);
-      return -1;
-    }
-
    const off64_t local_header_offset = cdr->local_file_header_offset;
    if (local_header_offset >= archive->directory_offset) {
      ALOGW("Zip: bad LFH offset %" PRId64 " at entry %" PRIu16,