Google Git
Sign in
aiyprojects/android-core/refs/heads/nougat-mr1.1-release^!/.
commit
96d2e2856d353f5e602e07aec8d34212a380d900
[log]
author
Tianjie Xu <xunchang@google.com>
Wed Apr 05 14:46:27 2017 -0700
committer
gitbuildkicker <android-build@google.com>
Wed Apr 19 11:20:43 2017 -0700
tree
fb05e74e6a631650673667b12361ccfb0f2be29a
parent
cd77f5eb91a5e8798ddc5ae8a1424a386814d5a7 [diff]
Fix out of bound read in libziparchive

We should check the boundary of central directory before checking its
signature. Swap the order of these two checks.

Bug: 36392138
Test: libziparchive doesn't read the signature after boundary check fails.
Change-Id: Ie89f709bb2d1ccb647116fb7ccb1e23c943e5ab8
(cherry picked from commit 74464a1361562d4042a67c5d66bfcf396ee7e59c)
(cherry picked from commit d9fd1863f46d5185eaaebc0803ee9c5da3ef110b)

diff --git a/libziparchive/zip_archive.cc b/libziparchive/zip_archive.cc
index 986ee72..49097ce 100644
--- a/libziparchive/zip_archive.cc
+++ b/libziparchive/zip_archive.cc

@@ -386,6 +386,14 @@
   const uint8_t* const cd_end = cd_ptr + cd_length;
   const uint8_t* ptr = cd_ptr;
   for (uint16_t i = 0; i < num_entries; i++) {
+    if (ptr > cd_end - sizeof(CentralDirectoryRecord)) {
+      ALOGW("Zip: ran off the end (at %" PRIu16 ")", i);
+#if defined(__ANDROID__)
+      android_errorWriteLog(0x534e4554, "36392138");
+#endif
+      return -1;
+    }
+
     const CentralDirectoryRecord* cdr =
         reinterpret_cast<const CentralDirectoryRecord*>(ptr);
     if (cdr->record_signature != CentralDirectoryRecord::kSignature) {
@@ -393,11 +401,6 @@
       return -1;
     }
 
-    if (ptr + sizeof(CentralDirectoryRecord) > cd_end) {
-      ALOGW("Zip: ran off the end (at %" PRIu16 ")", i);
-      return -1;
-    }
-
     const off64_t local_header_offset = cdr->local_file_header_offset;
     if (local_header_offset >= archive->directory_offset) {
       ALOGW("Zip: bad LFH offset %" PRId64 " at entry %" PRIu16,