Chromium Code Reviews Chromium Code Reviews
Issue 2182873003:
Add bounds check for negative ctrlsrc->z. (Closed)
Base URL: https://chromium.googlesource.com/chromium/src.git@master| OLD | NEW |
|---|---|
| 1 /*- | 1 /*- |
| 2 * Copyright 2003,2004 Colin Percival | 2 * Copyright 2003,2004 Colin Percival |
| 3 * All rights reserved | 3 * All rights reserved |
| 4 * | 4 * |
| 5 * Redistribution and use in source and binary forms, with or without | 5 * Redistribution and use in source and binary forms, with or without |
| 6 * modification, are permitted providing that the following conditions | 6 * modification, are permitted providing that the following conditions |
| 7 * are met: | 7 * are met: |
| 8 * 1. Redistributions of source code must retain the above copyright | 8 * 1. Redistributions of source code must retain the above copyright |
| 9 * notice, this list of conditions and the following disclaimer. | 9 * notice, this list of conditions and the following disclaimer. |
| 10 * 2. Redistributions in binary form must reproduce the above copyright | 10 * 2. Redistributions in binary form must reproduce the above copyright |
| (...skipping 11 matching lines...) Expand all Loading... | |
| 22 * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING | 22 * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING |
| 23 * IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE | 23 * IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE |
| 24 * POSSIBILITY OF SUCH DAMAGE. | 24 * POSSIBILITY OF SUCH DAMAGE. |
| 25 * | 25 * |
| 26 * Changelog: | 26 * Changelog: |
| 27 * 2005-04-26 - Define the header as a C structure, add a CRC32 checksum to | 27 * 2005-04-26 - Define the header as a C structure, add a CRC32 checksum to |
| 28 * the header, and make all the types 32-bit. | 28 * the header, and make all the types 32-bit. |
| 29 * --Benjamin Smedberg <benjamin@smedbergs.us> | 29 * --Benjamin Smedberg <benjamin@smedbergs.us> |
| 30 * 2007-11-14 - Added CalculateCrc() and ApplyBinaryPatch() methods. | 30 * 2007-11-14 - Added CalculateCrc() and ApplyBinaryPatch() methods. |
| 31 * --Rahul Kuchhal | 31 * --Rahul Kuchhal |
| 32 */ | 32 */ |
|
huangs
2016/07/27 22:39:16
Update ChangeLog?
rickyz (no longer on Chrome)
2016/07/27 22:50:26
Done.
| |
| 33 | 33 |
| 34 #include "mbspatch.h" | 34 #include "mbspatch.h" |
| 35 | 35 |
| 36 #include <sys/stat.h> | 36 #include <sys/stat.h> |
| 37 #include <sys/types.h> | |
| 37 #include <stdlib.h> | 38 #include <stdlib.h> |
| 38 #include <stdio.h> | 39 #include <stdio.h> |
| 39 #include <fcntl.h> | 40 #include <fcntl.h> |
| 40 #include <string.h> | 41 #include <string.h> |
| 41 #include <limits.h> | 42 #include <limits.h> |
| 42 | 43 |
| 43 #ifdef _WIN32 | 44 #ifdef _WIN32 |
| 44 # include <io.h> | 45 # include <io.h> |
| 45 # include <winsock2.h> | 46 # include <winsock2.h> |
| 46 #else | 47 #else |
| (...skipping 18 matching lines...) Expand all Loading... | |
| 65 | 66 |
| 66 header->slen = ntohl(header->slen); | 67 header->slen = ntohl(header->slen); |
| 67 header->scrc32 = ntohl(header->scrc32); | 68 header->scrc32 = ntohl(header->scrc32); |
| 68 header->dlen = ntohl(header->dlen); | 69 header->dlen = ntohl(header->dlen); |
| 69 header->cblen = ntohl(header->cblen); | 70 header->cblen = ntohl(header->cblen); |
| 70 header->difflen = ntohl(header->difflen); | 71 header->difflen = ntohl(header->difflen); |
| 71 header->extralen = ntohl(header->extralen); | 72 header->extralen = ntohl(header->extralen); |
| 72 | 73 |
| 73 struct stat hs; | 74 struct stat hs; |
| 74 s = fstat(fd, &hs); | 75 s = fstat(fd, &hs); |
| 75 if (s) | 76 if (s != 0) |
| 76 return READ_ERROR; | 77 return READ_ERROR; |
| 77 | 78 |
| 78 if (memcmp(header->tag, "MBDIFF10", 8) != 0) | 79 if (memcmp(header->tag, "MBDIFF10", 8) != 0) |
| 79 return UNEXPECTED_ERROR; | 80 return UNEXPECTED_ERROR; |
| 80 | 81 |
| 81 if (sizeof(MBSPatchHeader) + | 82 if (hs.st_size > INT_MAX) |
| 82 header->cblen + | 83 return UNEXPECTED_ERROR; |
| 83 header->difflen + | 84 |
| 84 header->extralen != int(hs.st_size)) | 85 size_t size = static_cast<size_t>(hs.st_size); |
| 86 if (size < sizeof(MBSPatchHeader)) | |
| 87 return UNEXPECTED_ERROR; | |
| 88 size -= sizeof(MBSPatchHeader); | |
| 89 | |
| 90 if (size < header->cblen) | |
| 91 return UNEXPECTED_ERROR; | |
| 92 size -= header->cblen; | |
| 93 | |
| 94 if (size < header->difflen) | |
| 95 return UNEXPECTED_ERROR; | |
| 96 size -= header->difflen; | |
| 97 | |
| 98 if (size < header->extralen) | |
| 99 return UNEXPECTED_ERROR; | |
| 100 size -= header->extralen; | |
| 101 | |
| 102 if (size != 0) | |
| 85 return UNEXPECTED_ERROR; | 103 return UNEXPECTED_ERROR; |
| 86 | 104 |
| 87 return OK; | 105 return OK; |
| 88 } | 106 } |
| 89 | 107 |
| 90 int | 108 int |
| 91 MBS_ApplyPatch(const MBSPatchHeader *header, int patchfd, | 109 MBS_ApplyPatch(const MBSPatchHeader *header, int patchfd, |
| 92 unsigned char *fbuffer, int filefd) | 110 unsigned char *fbuffer, int filefd) |
| 93 { | 111 { |
| 112 unsigned char *fbufstart = fbuffer; | |
| 94 unsigned char *fbufend = fbuffer + header->slen; | 113 unsigned char *fbufend = fbuffer + header->slen; |
| 95 | 114 |
| 96 unsigned char *buf = (unsigned char*) malloc(header->cblen + | 115 unsigned char *buf = (unsigned char*) malloc(header->cblen + |
| 97 header->difflen + | 116 header->difflen + |
| 98 header->extralen); | 117 header->extralen); |
| 99 if (!buf) | 118 if (!buf) |
| 100 return MEM_ERROR; | 119 return MEM_ERROR; |
| 101 | 120 |
| 102 int rv = OK; | 121 int rv = OK; |
| 103 | 122 |
| 104 int r = header->cblen + header->difflen + header->extralen; | 123 int r = header->cblen + header->difflen + header->extralen; |
| 105 unsigned char *wb = buf; | 124 unsigned char *wb = buf; |
| 106 while (r) { | 125 while (r) { |
|
huangs
2016/07/27 22:39:16
For robustness, maybe
while (r > 0)
?
Otherwise
rickyz (no longer on Chrome)
2016/07/27 22:50:26
This should be impossible because c is at most r (
| |
| 107 int c = read(patchfd, wb, (r > SSIZE_MAX) ? SSIZE_MAX : r); | 126 int c = read(patchfd, wb, (r > SSIZE_MAX) ? SSIZE_MAX : r); |
| 108 if (c < 0) { | 127 if (c < 0) { |
| 109 rv = READ_ERROR; | 128 rv = READ_ERROR; |
| 110 goto end; | 129 goto end; |
| 111 } | 130 } |
| 112 | 131 |
| 113 r -= c; | 132 r -= c; |
| 133 wb += c; | |
| 114 | 134 |
| 115 if (c == 0 && r) { | 135 if (c == 0 && r) { |
| 116 rv = UNEXPECTED_ERROR; | 136 rv = UNEXPECTED_ERROR; |
| 117 goto end; | 137 goto end; |
| 118 } | 138 } |
| 119 } | 139 } |
| 120 | 140 |
| 121 { | 141 { |
| 122 MBSPatchTriple *ctrlsrc = (MBSPatchTriple*) buf; | 142 MBSPatchTriple *ctrlsrc = (MBSPatchTriple*) buf; |
| 143 if (header->cblen % sizeof(MBSPatchTriple) != 0) { | |
| 144 rv = UNEXPECTED_ERROR; | |
| 145 goto end; | |
| 146 } | |
| 147 | |
| 123 unsigned char *diffsrc = buf + header->cblen; | 148 unsigned char *diffsrc = buf + header->cblen; |
| 124 unsigned char *extrasrc = diffsrc + header->difflen; | 149 unsigned char *extrasrc = diffsrc + header->difflen; |
| 125 | 150 |
| 126 MBSPatchTriple *ctrlend = (MBSPatchTriple*) diffsrc; | 151 MBSPatchTriple *ctrlend = (MBSPatchTriple*) diffsrc; |
| 127 unsigned char *diffend = extrasrc; | 152 unsigned char *diffend = extrasrc; |
| 128 unsigned char *extraend = extrasrc + header->extralen; | 153 unsigned char *extraend = extrasrc + header->extralen; |
| 129 | 154 |
| 130 do { | 155 while (ctrlsrc < ctrlend) { |
| 131 ctrlsrc->x = ntohl(ctrlsrc->x); | 156 ctrlsrc->x = ntohl(ctrlsrc->x); |
| 132 ctrlsrc->y = ntohl(ctrlsrc->y); | 157 ctrlsrc->y = ntohl(ctrlsrc->y); |
| 133 ctrlsrc->z = ntohl(ctrlsrc->z); | 158 ctrlsrc->z = ntohl(ctrlsrc->z); |
| 134 | 159 |
| 135 #ifdef DEBUG_bsmedberg | 160 #ifdef DEBUG_bsmedberg |
| 136 printf("Applying block:\n" | 161 printf("Applying block:\n" |
| 137 " x: %u\n" | 162 " x: %u\n" |
| 138 " y: %u\n" | 163 " y: %u\n" |
| 139 " z: %i\n", | 164 " z: %i\n", |
| 140 ctrlsrc->x, | 165 ctrlsrc->x, |
| 141 ctrlsrc->y, | 166 ctrlsrc->y, |
| 142 ctrlsrc->z); | 167 ctrlsrc->z); |
| 143 #endif | 168 #endif |
| 144 | 169 |
| 145 /* Add x bytes from oldfile to x bytes from the diff block */ | 170 /* Add x bytes from oldfile to x bytes from the diff block */ |
| 146 | 171 |
| 147 if (fbuffer + ctrlsrc->x > fbufend || | 172 if (ctrlsrc->x > static_cast<size_t>(fbufend - fbuffer) || |
| 148 diffsrc + ctrlsrc->x > diffend) { | 173 ctrlsrc->x > static_cast<size_t>(diffend - diffsrc)) { |
| 149 rv = UNEXPECTED_ERROR; | 174 rv = UNEXPECTED_ERROR; |
| 150 goto end; | 175 goto end; |
| 151 } | 176 } |
| 152 for (unsigned int i = 0; i < ctrlsrc->x; ++i) { | 177 for (unsigned int i = 0; i < ctrlsrc->x; ++i) { |
| 153 diffsrc[i] += fbuffer[i]; | 178 diffsrc[i] += fbuffer[i]; |
| 154 } | 179 } |
| 155 if ((int) write(filefd, diffsrc, ctrlsrc->x) != ctrlsrc->x) { | 180 if ((int) write(filefd, diffsrc, ctrlsrc->x) != ctrlsrc->x) { |
| 156 rv = WRITE_ERROR; | 181 rv = WRITE_ERROR; |
| 157 goto end; | 182 goto end; |
| 158 } | 183 } |
| 159 fbuffer += ctrlsrc->x; | 184 fbuffer += ctrlsrc->x; |
| 160 diffsrc += ctrlsrc->x; | 185 diffsrc += ctrlsrc->x; |
| 161 | 186 |
| 162 /* Copy y bytes from the extra block */ | 187 /* Copy y bytes from the extra block */ |
| 163 | 188 |
| 164 if (extrasrc + ctrlsrc->y > extraend) { | 189 if (ctrlsrc->y > static_cast<size_t>(extraend - extrasrc)) { |
| 165 rv = UNEXPECTED_ERROR; | 190 rv = UNEXPECTED_ERROR; |
| 166 goto end; | 191 goto end; |
| 167 } | 192 } |
| 168 if ((int) write(filefd, extrasrc, ctrlsrc->y) != ctrlsrc->y) { | 193 if ((int) write(filefd, extrasrc, ctrlsrc->y) != ctrlsrc->y) { |
| 169 rv = WRITE_ERROR; | 194 rv = WRITE_ERROR; |
| 170 goto end; | 195 goto end; |
| 171 } | 196 } |
| 172 extrasrc += ctrlsrc->y; | 197 extrasrc += ctrlsrc->y; |
| 173 | 198 |
| 174 /* "seek" forwards in oldfile by z bytes */ | 199 /* "seek" forwards in oldfile by z bytes */ |
| 175 | 200 |
| 176 if (fbuffer + ctrlsrc->z > fbufend) { | 201 if (ctrlsrc->z < fbufstart - fbuffer || |
| 202 ctrlsrc->z > fbufend - fbuffer) { | |
| 177 rv = UNEXPECTED_ERROR; | 203 rv = UNEXPECTED_ERROR; |
| 178 goto end; | 204 goto end; |
| 179 } | 205 } |
| 180 fbuffer += ctrlsrc->z; | 206 fbuffer += ctrlsrc->z; |
| 181 | 207 |
| 182 /* and on to the next control block */ | 208 /* and on to the next control block */ |
| 183 | 209 |
| 184 ++ctrlsrc; | 210 ++ctrlsrc; |
| 185 } while (ctrlsrc < ctrlend); | 211 } |
| 186 } | 212 } |
| 187 | 213 |
| 188 end: | 214 end: |
| 189 free(buf); | 215 free(buf); |
| 190 return rv; | 216 return rv; |
| 191 } | 217 } |
| 192 | 218 |
| 193 int CalculateCrc(const unsigned char *buf, int size) { | 219 int CalculateCrc(const unsigned char *buf, int size) { |
| 194 CrcGenerateTable(); | 220 CrcGenerateTable(); |
| 195 unsigned int crc = 0xffffffffL; | 221 unsigned int crc = 0xffffffffL; |
| (...skipping 69 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... | |
| 265 | 291 |
| 266 ret = MBS_ApplyPatch(&header, pfd, buf, nfd); | 292 ret = MBS_ApplyPatch(&header, pfd, buf, nfd); |
| 267 } while (0); | 293 } while (0); |
| 268 | 294 |
| 269 free(buf); | 295 free(buf); |
| 270 close(pfd); | 296 close(pfd); |
| 271 if (ofd >= 0) close(ofd); | 297 if (ofd >= 0) close(ofd); |
| 272 if (nfd >= 0) close(nfd); | 298 if (nfd >= 0) close(nfd); |
| 273 return ret; | 299 return ret; |
| 274 } | 300 } |
| OLD | NEW |
