• R/O
  • HTTP
  • SSH
  • HTTPS

Commit

Tags
Keine Tags

Frequently used words (click to add to your profile)

javac++androidlinuxc#windowsobjective-ccocoa誰得qtpythonphprubygameguibathyscaphec計画中(planning stage)翻訳omegatframeworktwitterdomtestvb.netdirectxゲームエンジンbtronarduinopreviewer

system/core


Commit MetaInfo

Revision1742a00bf40ea0d3d818b4c96d7557b25a711d4a (tree)
Zeit2018-02-13 12:33:04
AutorChih-Wei Huang <cwhuang@linu...>
CommiterChih-Wei Huang

Log Message

Merge remote-tracking branch 'lineage/cm-14.1' into cm-14.1-x86

Ändern Zusammenfassung

Diff

--- a/libnetutils/packet.c
+++ b/libnetutils/packet.c
@@ -219,6 +219,20 @@ int receive_packet(int s, struct dhcp_msg *msg)
219219 * to construct the pseudo header used in the checksum calculation.
220220 */
221221 dhcp_size = ntohs(packet.udp.len) - sizeof(packet.udp);
222+ /*
223+ * check validity of dhcp_size.
224+ * 1) cannot be negative or zero.
225+ * 2) src buffer contains enough bytes to copy
226+ * 3) cannot exceed destination buffer
227+ */
228+ if ((dhcp_size <= 0) ||
229+ ((int)(nread - sizeof(struct iphdr) - sizeof(struct udphdr)) < dhcp_size) ||
230+ ((int)sizeof(struct dhcp_msg) < dhcp_size)) {
231+#if VERBOSE
232+ ALOGD("Malformed Packet");
233+#endif
234+ return -1;
235+ }
222236 saddr = packet.ip.saddr;
223237 daddr = packet.ip.daddr;
224238 nread = ntohs(packet.ip.tot_len);
--- a/libutils/Unicode.cpp
+++ b/libutils/Unicode.cpp
@@ -17,6 +17,7 @@
1717 #include <log/log.h>
1818 #include <utils/Unicode.h>
1919
20+#include <limits.h>
2021 #include <stddef.h>
2122
2223 #if defined(_WIN32)
@@ -178,7 +179,15 @@ ssize_t utf32_to_utf8_length(const char32_t *src, size_t src_len)
178179 size_t ret = 0;
179180 const char32_t *end = src + src_len;
180181 while (src < end) {
181- ret += utf32_codepoint_utf8_length(*src++);
182+ size_t char_len = utf32_codepoint_utf8_length(*src++);
183+ if (SSIZE_MAX - char_len < ret) {
184+ // If this happens, we would overflow the ssize_t type when
185+ // returning from this function, so we cannot express how
186+ // long this string is in an ssize_t.
187+ android_errorWriteLog(0x534e4554, "37723026");
188+ return -1;
189+ }
190+ ret += char_len;
182191 }
183192 return ret;
184193 }
@@ -438,14 +447,23 @@ ssize_t utf16_to_utf8_length(const char16_t *src, size_t src_len)
438447 size_t ret = 0;
439448 const char16_t* const end = src + src_len;
440449 while (src < end) {
450+ size_t char_len;
441451 if ((*src & 0xFC00) == 0xD800 && (src + 1) < end
442452 && (*(src + 1) & 0xFC00) == 0xDC00) {
443453 // surrogate pairs are always 4 bytes.
444- ret += 4;
454+ char_len = 4;
445455 src += 2;
446456 } else {
447- ret += utf32_codepoint_utf8_length((char32_t) *src++);
457+ char_len = utf32_codepoint_utf8_length((char32_t)*src++);
458+ }
459+ if (SSIZE_MAX - char_len < ret) {
460+ // If this happens, we would overflow the ssize_t type when
461+ // returning from this function, so we cannot express how
462+ // long this string is in an ssize_t.
463+ android_errorWriteLog(0x534e4554, "37723026");
464+ return -1;
448465 }
466+ ret += char_len;
449467 }
450468 return ret;
451469 }
--- a/libziparchive/zip_archive.cc
+++ b/libziparchive/zip_archive.cc
@@ -358,6 +358,8 @@ static int32_t MapCentralDirectory(int fd, const char* debug_file_name,
358358 return result;
359359 }
360360
361+static inline bool ReadAtOffset(int fd, uint8_t* buf, size_t len, off64_t off);
362+
361363 /*
362364 * Parses the Zip archive's Central Directory. Allocates and populates the
363365 * hash table.
@@ -436,6 +438,22 @@ static int32_t ParseZipArchive(ZipArchive* archive) {
436438 return -1;
437439 }
438440 }
441+
442+ uint32_t lfh_start_bytes;
443+ if (!ReadAtOffset(archive->fd, reinterpret_cast<uint8_t*>(&lfh_start_bytes),
444+ sizeof(uint32_t), 0)) {
445+ ALOGW("Zip: Unable to read header for entry at offset == 0.");
446+ return -1;
447+ }
448+
449+ if (lfh_start_bytes != LocalFileHeader::kSignature) {
450+ ALOGW("Zip: Entry at offset zero has invalid LFH signature %" PRIx32, lfh_start_bytes);
451+#if defined(__ANDROID__)
452+ android_errorWriteLog(0x534e4554, "64211847");
453+#endif
454+ return -1;
455+ }
456+
439457 ALOGV("+++ zip good scan %" PRIu16 " entries", num_entries);
440458
441459 return 0;
--- a/libziparchive/zip_archive_test.cc
+++ b/libziparchive/zip_archive_test.cc
@@ -603,6 +603,55 @@ TEST(ziparchive, StreamUncompressedBadCrc) {
603603 CloseArchive(handle);
604604 }
605605
606+// A zip file whose local file header at offset zero is corrupted.
607+//
608+// ---------------
609+// cat foo > a.txt
610+// zip a.zip a.txt
611+// cat a.zip | xxd -i
612+//
613+// Manual changes :
614+// [2] = 0xff // Corrupt the LFH signature of entry 0.
615+// [3] = 0xff // Corrupt the LFH signature of entry 0.
616+static const std::vector<uint8_t> kZipFileWithBrokenLfhSignature{
617+ //[lfh-sig-----------], [lfh contents---------------------------------
618+ 0x50, 0x4b, 0xff, 0xff, 0x0a, 0x00, 0x00, 0x00, 0x00, 0x00, 0x77, 0x80,
619+ //--------------------------------------------------------------------
620+ 0x09, 0x4b, 0xa8, 0x65, 0x32, 0x7e, 0x04, 0x00, 0x00, 0x00, 0x04, 0x00,
621+ //-------------------------------] [file-name-----------------], [---
622+ 0x00, 0x00, 0x05, 0x00, 0x1c, 0x00, 0x61, 0x2e, 0x74, 0x78, 0x74, 0x55,
623+ // entry-contents------------------------------------------------------
624+ 0x54, 0x09, 0x00, 0x03, 0x51, 0x24, 0x8b, 0x59, 0x51, 0x24, 0x8b, 0x59,
625+ //--------------------------------------------------------------------
626+ 0x75, 0x78, 0x0b, 0x00, 0x01, 0x04, 0x89, 0x42, 0x00, 0x00, 0x04, 0x88,
627+ //-------------------------------------], [cd-record-sig-------], [---
628+ 0x13, 0x00, 0x00, 0x66, 0x6f, 0x6f, 0x0a, 0x50, 0x4b, 0x01, 0x02, 0x1e,
629+ // cd-record-----------------------------------------------------------
630+ 0x03, 0x0a, 0x00, 0x00, 0x00, 0x00, 0x00, 0x77, 0x80, 0x09, 0x4b, 0xa8,
631+ //--------------------------------------------------------------------
632+ 0x65, 0x32, 0x7e, 0x04, 0x00, 0x00, 0x00, 0x04, 0x00, 0x00, 0x00, 0x05,
633+ //--------------------------------------------------------------------
634+ 0x00, 0x18, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0xa0,
635+ //-] [lfh-file-header-off-], [file-name-----------------], [extra----
636+ 0x81, 0x00, 0x00, 0x00, 0x00, 0x61, 0x2e, 0x74, 0x78, 0x74, 0x55, 0x54,
637+ //--------------------------------------------------------------------
638+ 0x05, 0x00, 0x03, 0x51, 0x24, 0x8b, 0x59, 0x75, 0x78, 0x0b, 0x00, 0x01,
639+ //-------------------------------------------------------], [eocd-sig-
640+ 0x04, 0x89, 0x42, 0x00, 0x00, 0x04, 0x88, 0x13, 0x00, 0x00, 0x50, 0x4b,
641+ //-------], [---------------------------------------------------------
642+ 0x05, 0x06, 0x00, 0x00, 0x00, 0x00, 0x01, 0x00, 0x01, 0x00, 0x4b, 0x00,
643+ //-------------------------------------------]
644+ 0x00, 0x00, 0x43, 0x00, 0x00, 0x00, 0x00, 0x00};
645+
646+TEST(ziparchive, BrokenLfhSignature) {
647+ TemporaryFile tmp_file;
648+ ASSERT_NE(-1, tmp_file.fd);
649+ ASSERT_TRUE(android::base::WriteFully(tmp_file.fd, &kZipFileWithBrokenLfhSignature[0],
650+ kZipFileWithBrokenLfhSignature.size()));
651+ ZipArchiveHandle handle;
652+ ASSERT_EQ(-1, OpenArchiveFd(tmp_file.fd, "LeadingNonZipBytes", &handle));
653+}
654+
606655 int main(int argc, char** argv) {
607656 ::testing::InitGoogleTest(&argc, argv);
608657