Do Not Merge: Fix out of bound read in libziparchive
We should check the boundary of central directory before checking its
signature. Swap the order of these two checks.
Bug: 36392138
Test: libziparchive doesn't read the signature after boundary check fails.
Change-Id: Ie89f709bb2d1ccb647116fb7ccb1e23c943e5ab8
(cherry picked from commit 74464a1361
)
This commit is contained in:
parent
8027acd140
commit
6fdfd58fe1
|
@ -622,6 +622,14 @@ static int32_t ParseZipArchive(ZipArchive* archive) {
|
|||
const uint8_t* const cd_end = cd_ptr + cd_length;
|
||||
const uint8_t* ptr = cd_ptr;
|
||||
for (uint16_t i = 0; i < num_entries; i++) {
|
||||
if (ptr > cd_end - sizeof(CentralDirectoryRecord)) {
|
||||
ALOGW("Zip: ran off the end (at %" PRIu16 ")", i);
|
||||
#if defined(__ANDROID__)
|
||||
android_errorWriteLog(0x534e4554, "36392138");
|
||||
#endif
|
||||
goto bail;
|
||||
}
|
||||
|
||||
const CentralDirectoryRecord* cdr =
|
||||
reinterpret_cast<const CentralDirectoryRecord*>(ptr);
|
||||
if (cdr->record_signature != CentralDirectoryRecord::kSignature) {
|
||||
|
@ -629,11 +637,6 @@ static int32_t ParseZipArchive(ZipArchive* archive) {
|
|||
goto bail;
|
||||
}
|
||||
|
||||
if (ptr + sizeof(CentralDirectoryRecord) > cd_end) {
|
||||
ALOGW("Zip: ran off the end (at %" PRIu16 ")", i);
|
||||
goto bail;
|
||||
}
|
||||
|
||||
const off64_t local_header_offset = cdr->local_file_header_offset;
|
||||
if (local_header_offset >= archive->directory_offset) {
|
||||
ALOGW("Zip: bad LFH offset %" PRId64 " at entry %" PRIu16, (int64_t)local_header_offset, i);
|
||||
|
|
Loading…
Reference in New Issue