Permalink
Browse files

Fix out of bound read in libziparchive

We should check the boundary of central directory before checking its
signature. Swap the order of these two checks.

Bug: 36392138
Test: libziparchive doesn't read the signature after boundary check fails.
Change-Id: Ie89f709bb2d1ccb647116fb7ccb1e23c943e5ab8
(cherry picked from commit 74464a1)
(cherry picked from commit d9fd186)
  • Loading branch information...
Tianjie Xu gitbuildkicker
Tianjie Xu authored and gitbuildkicker committed Apr 5, 2017
1 parent 658fbc1 commit 3d6a43155c702bce0e7e2a93a67247b5ce3946a5
Showing with 8 additions and 5 deletions.
  1. +8 −5 libziparchive/zip_archive.cc
@@ -386,18 +386,21 @@ static int32_t ParseZipArchive(ZipArchive* archive) {
const uint8_t* const cd_end = cd_ptr + cd_length;
const uint8_t* ptr = cd_ptr;
for (uint16_t i = 0; i < num_entries; i++) {
if (ptr > cd_end - sizeof(CentralDirectoryRecord)) {
ALOGW("Zip: ran off the end (at %" PRIu16 ")", i);
#if defined(__ANDROID__)
android_errorWriteLog(0x534e4554, "36392138");
#endif
return -1;
}
const CentralDirectoryRecord* cdr =
reinterpret_cast<const CentralDirectoryRecord*>(ptr);
if (cdr->record_signature != CentralDirectoryRecord::kSignature) {
ALOGW("Zip: missed a central dir sig (at %" PRIu16 ")", i);
return -1;
}
if (ptr + sizeof(CentralDirectoryRecord) > cd_end) {
ALOGW("Zip: ran off the end (at %" PRIu16 ")", i);
return -1;
}
const off64_t local_header_offset = cdr->local_file_header_offset;
if (local_header_offset >= archive->directory_offset) {
ALOGW("Zip: bad LFH offset %" PRId64 " at entry %" PRIu16,

0 comments on commit 3d6a431

Please sign in to comment.