Donate to e Foundation | Murena handsets with /e/OS | Own a part of Murena! Learn more

Commit d9fd1863 authored by Tianjie Xu's avatar Tianjie Xu
Browse files

Fix out of bound read in libziparchive 

We should check the boundary of central directory before checking its
signature. Swap the order of these two checks.

Bug: 36392138
Test: libziparchive doesn't read the signature after boundary check fails.
Change-Id: Ie89f709bb2d1ccb647116fb7ccb1e23c943e5ab8
(cherry picked from commit 74464a13)
parent 50dcfdf4

libziparchive/zip_archive.cc

+8 −5
Original line number Diff line number Diff line
@@ -580,6 +580,14 @@ static int32_t ParseZipArchive(ZipArchive* archive) { 
  const uint8_t* const cd_end = cd_ptr + cd_length;

  const uint8_t* ptr = cd_ptr;

  for (uint16_t i = 0; i < num_entries; i++) {

    if (ptr > cd_end - sizeof(CentralDirectoryRecord)) {

      ALOGW("Zip: ran off the end (at %" PRIu16 ")", i);

#if defined(__ANDROID__)

      android_errorWriteLog(0x534e4554, "36392138");

#endif

      return -1;

    }



    const CentralDirectoryRecord* cdr =

        reinterpret_cast<const CentralDirectoryRecord*>(ptr);

    if (cdr->record_signature != CentralDirectoryRecord::kSignature) {
@@ -587,11 +595,6 @@ static int32_t ParseZipArchive(ZipArchive* archive) { 
      return -1;

    }



    if (ptr + sizeof(CentralDirectoryRecord) > cd_end) {

      ALOGW("Zip: ran off the end (at %" PRIu16 ")", i);

      return -1;

    }



    const off64_t local_header_offset = cdr->local_file_header_offset;

    if (local_header_offset >= archive->directory_offset) {

      ALOGW("Zip: bad LFH offset %" PRId64 " at entry %" PRIu16,