Chromium Code Reviews Chromium Code Reviews
Issue 2182873003:
Add bounds check for negative ctrlsrc->z. (Closed)
Base URL: https://chromium.googlesource.com/chromium/src.git@master| OLD | NEW |
|---|---|
| 1 /*- | 1 /*- |
| 2 * Copyright 2003,2004 Colin Percival | 2 * Copyright 2003,2004 Colin Percival |
| 3 * All rights reserved | 3 * All rights reserved |
| 4 * | 4 * |
| 5 * Redistribution and use in source and binary forms, with or without | 5 * Redistribution and use in source and binary forms, with or without |
| 6 * modification, are permitted providing that the following conditions | 6 * modification, are permitted providing that the following conditions |
| 7 * are met: | 7 * are met: |
| 8 * 1. Redistributions of source code must retain the above copyright | 8 * 1. Redistributions of source code must retain the above copyright |
| 9 * notice, this list of conditions and the following disclaimer. | 9 * notice, this list of conditions and the following disclaimer. |
| 10 * 2. Redistributions in binary form must reproduce the above copyright | 10 * 2. Redistributions in binary form must reproduce the above copyright |
| (...skipping 16 matching lines...) Expand all Loading... | |
| 27 * 2005-04-26 - Define the header as a C structure, add a CRC32 checksum to | 27 * 2005-04-26 - Define the header as a C structure, add a CRC32 checksum to |
| 28 * the header, and make all the types 32-bit. | 28 * the header, and make all the types 32-bit. |
| 29 * --Benjamin Smedberg <benjamin@smedbergs.us> | 29 * --Benjamin Smedberg <benjamin@smedbergs.us> |
| 30 * 2007-11-14 - Added CalculateCrc() and ApplyBinaryPatch() methods. | 30 * 2007-11-14 - Added CalculateCrc() and ApplyBinaryPatch() methods. |
| 31 * --Rahul Kuchhal | 31 * --Rahul Kuchhal |
| 32 */ | 32 */ |
| 33 | 33 |
| 34 #include "mbspatch.h" | 34 #include "mbspatch.h" |
| 35 | 35 |
| 36 #include <sys/stat.h> | 36 #include <sys/stat.h> |
| 37 #include <sys/types.h> | |
| 37 #include <stdlib.h> | 38 #include <stdlib.h> |
| 38 #include <stdio.h> | 39 #include <stdio.h> |
| 39 #include <fcntl.h> | 40 #include <fcntl.h> |
| 40 #include <string.h> | 41 #include <string.h> |
| 41 #include <limits.h> | 42 #include <limits.h> |
| 42 | 43 |
| 43 #ifdef _WIN32 | 44 #ifdef _WIN32 |
| 44 # include <io.h> | 45 # include <io.h> |
| 45 # include <winsock2.h> | 46 # include <winsock2.h> |
| 46 #else | 47 #else |
| (...skipping 18 matching lines...) Expand all Loading... | |
| 65 | 66 |
| 66 header->slen = ntohl(header->slen); | 67 header->slen = ntohl(header->slen); |
| 67 header->scrc32 = ntohl(header->scrc32); | 68 header->scrc32 = ntohl(header->scrc32); |
| 68 header->dlen = ntohl(header->dlen); | 69 header->dlen = ntohl(header->dlen); |
| 69 header->cblen = ntohl(header->cblen); | 70 header->cblen = ntohl(header->cblen); |
| 70 header->difflen = ntohl(header->difflen); | 71 header->difflen = ntohl(header->difflen); |
| 71 header->extralen = ntohl(header->extralen); | 72 header->extralen = ntohl(header->extralen); |
| 72 | 73 |
| 73 struct stat hs; | 74 struct stat hs; |
| 74 s = fstat(fd, &hs); | 75 s = fstat(fd, &hs); |
| 75 if (s) | 76 if (s != 0) |
| 76 return READ_ERROR; | 77 return READ_ERROR; |
| 77 | 78 |
| 78 if (memcmp(header->tag, "MBDIFF10", 8) != 0) | 79 if (memcmp(header->tag, "MBDIFF10", 8) != 0) |
| 79 return UNEXPECTED_ERROR; | 80 return UNEXPECTED_ERROR; |
| 80 | 81 |
| 81 if (sizeof(MBSPatchHeader) + | 82 if (hs.st_size > INT_MAX) |
| 82 header->cblen + | 83 return UNEXPECTED_ERROR; |
| 83 header->difflen + | 84 |
| 84 header->extralen != int(hs.st_size)) | 85 size_t size = static_cast<size_t>(hs.st_size); |
|
kcwu
2016/07/27 04:14:36
size -= sizeof(MBSPatchHeader);
rickyz (no longer on Chrome)
2016/07/27 04:24:14
Done.
| |
| 86 if (slen < header->cblen || header->cblen % sizeof(MBSPatchTriple) != 0) | |
|
kcwu
2016/07/27 04:14:36
s/slen/size/
rickyz (no longer on Chrome)
2016/07/27 04:24:14
Done.
| |
| 87 return UNEXPECTED_ERROR; | |
| 88 size -= header->cblen; | |
| 89 | |
| 90 if (size < header->difflen) | |
| 91 return UNEXPECTED_ERROR; | |
| 92 size -= header->difflen; | |
| 93 | |
| 94 if (size < header->extralen) | |
| 95 return UNEXPECTED_ERROR; | |
| 96 size -= header->extralen; | |
| 97 | |
| 98 if (size != 0) | |
| 85 return UNEXPECTED_ERROR; | 99 return UNEXPECTED_ERROR; |
| 86 | 100 |
| 87 return OK; | 101 return OK; |
| 88 } | 102 } |
| 89 | 103 |
| 90 int | 104 int |
| 91 MBS_ApplyPatch(const MBSPatchHeader *header, int patchfd, | 105 MBS_ApplyPatch(const MBSPatchHeader *header, int patchfd, |
| 92 unsigned char *fbuffer, int filefd) | 106 unsigned char *fbuffer, int filefd) |
| 93 { | 107 { |
| 108 unsigned char *fbufstart = fbuffer; | |
| 94 unsigned char *fbufend = fbuffer + header->slen; | 109 unsigned char *fbufend = fbuffer + header->slen; |
| 95 | 110 |
| 96 unsigned char *buf = (unsigned char*) malloc(header->cblen + | 111 unsigned char *buf = (unsigned char*) malloc(header->cblen + |
| 97 header->difflen + | 112 header->difflen + |
| 98 header->extralen); | 113 header->extralen); |
| 99 if (!buf) | 114 if (!buf) |
| 100 return MEM_ERROR; | 115 return MEM_ERROR; |
| 101 | 116 |
| 102 int rv = OK; | 117 int rv = OK; |
| 103 | 118 |
| 104 int r = header->cblen + header->difflen + header->extralen; | 119 int r = header->cblen + header->difflen + header->extralen; |
| 105 unsigned char *wb = buf; | 120 unsigned char *wb = buf; |
| 106 while (r) { | 121 while (r) { |
| 107 int c = read(patchfd, wb, (r > SSIZE_MAX) ? SSIZE_MAX : r); | 122 int c = read(patchfd, wb, (r > SSIZE_MAX) ? SSIZE_MAX : r); |
| 108 if (c < 0) { | 123 if (c < 0) { |
| 109 rv = READ_ERROR; | 124 rv = READ_ERROR; |
| 110 goto end; | 125 goto end; |
| 111 } | 126 } |
| 112 | 127 |
| 113 r -= c; | 128 r -= c; |
| 129 wb += c | |
|
kcwu
2016/07/27 04:14:36
good catch. but missed semicolon;
rickyz (no longer on Chrome)
2016/07/27 04:24:14
Oops, apologies for all of the build errors, been
| |
| 114 | 130 |
| 115 if (c == 0 && r) { | 131 if (c == 0 && r) { |
| 116 rv = UNEXPECTED_ERROR; | 132 rv = UNEXPECTED_ERROR; |
| 117 goto end; | 133 goto end; |
| 118 } | 134 } |
| 119 } | 135 } |
| 120 | 136 |
| 121 { | 137 { |
| 122 MBSPatchTriple *ctrlsrc = (MBSPatchTriple*) buf; | 138 MBSPatchTriple *ctrlsrc = (MBSPatchTriple*) buf; |
| 139 if (header->cblen % sizeof(MBSPatchTriple) != 0) { | |
|
kcwu
2016/07/27 04:14:36
This is redundant? You have checked it in MBS_Read
rickyz (no longer on Chrome)
2016/07/27 04:24:14
I was debating between doing validation earlier vs
| |
| 140 rv = UNEXPECTED_ERROR; | |
| 141 goto end; | |
| 142 } | |
| 143 | |
| 123 unsigned char *diffsrc = buf + header->cblen; | 144 unsigned char *diffsrc = buf + header->cblen; |
| 124 unsigned char *extrasrc = diffsrc + header->difflen; | 145 unsigned char *extrasrc = diffsrc + header->difflen; |
| 125 | 146 |
| 126 MBSPatchTriple *ctrlend = (MBSPatchTriple*) diffsrc; | 147 MBSPatchTriple *ctrlend = (MBSPatchTriple*) diffsrc; |
| 127 unsigned char *diffend = extrasrc; | 148 unsigned char *diffend = extrasrc; |
| 128 unsigned char *extraend = extrasrc + header->extralen; | 149 unsigned char *extraend = extrasrc + header->extralen; |
| 129 | 150 |
| 130 do { | 151 while (ctrlsrc < ctrlend) { |
| 131 ctrlsrc->x = ntohl(ctrlsrc->x); | 152 ctrlsrc->x = ntohl(ctrlsrc->x); |
| 132 ctrlsrc->y = ntohl(ctrlsrc->y); | 153 ctrlsrc->y = ntohl(ctrlsrc->y); |
| 133 ctrlsrc->z = ntohl(ctrlsrc->z); | 154 ctrlsrc->z = ntohl(ctrlsrc->z); |
| 134 | 155 |
| 135 #ifdef DEBUG_bsmedberg | 156 #ifdef DEBUG_bsmedberg |
| 136 printf("Applying block:\n" | 157 printf("Applying block:\n" |
| 137 " x: %u\n" | 158 " x: %u\n" |
| 138 " y: %u\n" | 159 " y: %u\n" |
| 139 " z: %i\n", | 160 " z: %i\n", |
| 140 ctrlsrc->x, | 161 ctrlsrc->x, |
| 141 ctrlsrc->y, | 162 ctrlsrc->y, |
| 142 ctrlsrc->z); | 163 ctrlsrc->z); |
| 143 #endif | 164 #endif |
| 144 | 165 |
| 145 /* Add x bytes from oldfile to x bytes from the diff block */ | 166 /* Add x bytes from oldfile to x bytes from the diff block */ |
| 146 | 167 |
| 147 if (fbuffer + ctrlsrc->x > fbufend || | 168 if (ctrlsrc->x > fbufend - fbuffer || |
| 148 diffsrc + ctrlsrc->x > diffend) { | 169 ctrlsrc->x > diffend - diffsrc) { |
| 149 rv = UNEXPECTED_ERROR; | 170 rv = UNEXPECTED_ERROR; |
| 150 goto end; | 171 goto end; |
| 151 } | 172 } |
| 152 for (unsigned int i = 0; i < ctrlsrc->x; ++i) { | 173 for (unsigned int i = 0; i < ctrlsrc->x; ++i) { |
| 153 diffsrc[i] += fbuffer[i]; | 174 diffsrc[i] += fbuffer[i]; |
| 154 } | 175 } |
| 155 if ((int) write(filefd, diffsrc, ctrlsrc->x) != ctrlsrc->x) { | 176 if ((int) write(filefd, diffsrc, ctrlsrc->x) != ctrlsrc->x) { |
| 156 rv = WRITE_ERROR; | 177 rv = WRITE_ERROR; |
| 157 goto end; | 178 goto end; |
| 158 } | 179 } |
| 159 fbuffer += ctrlsrc->x; | 180 fbuffer += ctrlsrc->x; |
| 160 diffsrc += ctrlsrc->x; | 181 diffsrc += ctrlsrc->x; |
| 161 | 182 |
| 162 /* Copy y bytes from the extra block */ | 183 /* Copy y bytes from the extra block */ |
| 163 | 184 |
| 164 if (extrasrc + ctrlsrc->y > extraend) { | 185 if (ctrlsrc->y > extraend - extrasrc) { |
| 165 rv = UNEXPECTED_ERROR; | 186 rv = UNEXPECTED_ERROR; |
| 166 goto end; | 187 goto end; |
| 167 } | 188 } |
| 168 if ((int) write(filefd, extrasrc, ctrlsrc->y) != ctrlsrc->y) { | 189 if ((int) write(filefd, extrasrc, ctrlsrc->y) != ctrlsrc->y) { |
| 169 rv = WRITE_ERROR; | 190 rv = WRITE_ERROR; |
| 170 goto end; | 191 goto end; |
| 171 } | 192 } |
| 172 extrasrc += ctrlsrc->y; | 193 extrasrc += ctrlsrc->y; |
| 173 | 194 |
| 174 /* "seek" forwards in oldfile by z bytes */ | 195 /* "seek" forwards in oldfile by z bytes */ |
| 175 | 196 |
| 176 if (fbuffer + ctrlsrc->z > fbufend) { | 197 if (ctrlsrc->z < fbufstart - fbuffer || |
| 198 ctrlsrc->z > fbufend - fbuffer) { | |
| 177 rv = UNEXPECTED_ERROR; | 199 rv = UNEXPECTED_ERROR; |
| 178 goto end; | 200 goto end; |
| 179 } | 201 } |
| 180 fbuffer += ctrlsrc->z; | 202 fbuffer += ctrlsrc->z; |
| 181 | 203 |
| 182 /* and on to the next control block */ | 204 /* and on to the next control block */ |
| 183 | 205 |
| 184 ++ctrlsrc; | 206 ++ctrlsrc; |
| 185 } while (ctrlsrc < ctrlend); | 207 } |
| 186 } | 208 } |
| 187 | 209 |
| 188 end: | 210 end: |
| 189 free(buf); | 211 free(buf); |
| 190 return rv; | 212 return rv; |
| 191 } | 213 } |
| 192 | 214 |
| 193 int CalculateCrc(const unsigned char *buf, int size) { | 215 int CalculateCrc(const unsigned char *buf, int size) { |
| 194 CrcGenerateTable(); | 216 CrcGenerateTable(); |
| 195 unsigned int crc = 0xffffffffL; | 217 unsigned int crc = 0xffffffffL; |
| (...skipping 69 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... | |
| 265 | 287 |
| 266 ret = MBS_ApplyPatch(&header, pfd, buf, nfd); | 288 ret = MBS_ApplyPatch(&header, pfd, buf, nfd); |
| 267 } while (0); | 289 } while (0); |
| 268 | 290 |
| 269 free(buf); | 291 free(buf); |
| 270 close(pfd); | 292 close(pfd); |
| 271 if (ofd >= 0) close(ofd); | 293 if (ofd >= 0) close(ofd); |
| 272 if (nfd >= 0) close(nfd); | 294 if (nfd >= 0) close(nfd); |
| 273 return ret; | 295 return ret; |
| 274 } | 296 } |
| OLD | NEW |
