Add bounds check for negative ctrlsrc->z.

third_party/bspatch/mbspatch.cc

Index: third_party/bspatch/mbspatch.cc
diff --git a/third_party/bspatch/mbspatch.cc b/third_party/bspatch/mbspatch.cc
index d00bc99d1297b4cc9bd032f2831f4267b44c7064..d33ceeaafe82a5aab489fc9d28374fba29e6f178 100644
--- a/third_party/bspatch/mbspatch.cc
+++ b/third_party/bspatch/mbspatch.cc
@@ -29,11 +29,14 @@
  *                --Benjamin Smedberg <benjamin@smedbergs.us>
  * 2007-11-14 - Added CalculateCrc() and ApplyBinaryPatch() methods.
  *                --Rahul Kuchhal
+ * 2016-07-27 - Improve validation of diffs.
+ *                --Ricky Zhou
  */
 
 #include "mbspatch.h"
 
 #include <sys/stat.h>
+#include <sys/types.h>
 #include <stdlib.h>
 #include <stdio.h>
 #include <fcntl.h>
@@ -72,16 +75,33 @@ MBS_ReadHeader(int fd, MBSPatchHeader *header)
 
   struct stat hs;
   s = fstat(fd, &hs);
-  if (s)
+  if (s != 0)
     return READ_ERROR;
 
   if (memcmp(header->tag, "MBDIFF10", 8) != 0)
     return UNEXPECTED_ERROR;
 
-  if (sizeof(MBSPatchHeader) +
-      header->cblen +
-      header->difflen +
-      header->extralen != int(hs.st_size))
+  if (hs.st_size > INT_MAX)
+    return UNEXPECTED_ERROR;
+
+  size_t size = static_cast<size_t>(hs.st_size);
+  if (size < sizeof(MBSPatchHeader))
+    return UNEXPECTED_ERROR;
+  size -= sizeof(MBSPatchHeader);
+
+  if (size < header->cblen)
+    return UNEXPECTED_ERROR;
+  size -= header->cblen;
+
+  if (size < header->difflen)
+    return UNEXPECTED_ERROR;
+  size -= header->difflen;
+
+  if (size < header->extralen)
+    return UNEXPECTED_ERROR;
+  size -= header->extralen;
+
+  if (size != 0)
     return UNEXPECTED_ERROR;
 
   return OK;
@@ -91,6 +111,7 @@ int
 MBS_ApplyPatch(const MBSPatchHeader *header, int patchfd,
                unsigned char *fbuffer, int filefd)
 {
+  unsigned char *fbufstart = fbuffer;
   unsigned char *fbufend = fbuffer + header->slen;
 
   unsigned char *buf = (unsigned char*) malloc(header->cblen +
@@ -111,6 +132,7 @@ MBS_ApplyPatch(const MBSPatchHeader *header, int patchfd,
     }
 
     r -= c;
+    wb += c;
 
     if (c == 0 && r) {
       rv = UNEXPECTED_ERROR;
@@ -120,6 +142,11 @@ MBS_ApplyPatch(const MBSPatchHeader *header, int patchfd,
 
   {
     MBSPatchTriple *ctrlsrc = (MBSPatchTriple*) buf;
+    if (header->cblen % sizeof(MBSPatchTriple) != 0) {
+      rv = UNEXPECTED_ERROR;
+      goto end;
+    }
+
     unsigned char *diffsrc = buf + header->cblen;
     unsigned char *extrasrc = diffsrc + header->difflen;
 
@@ -127,7 +154,7 @@ MBS_ApplyPatch(const MBSPatchHeader *header, int patchfd,
     unsigned char *diffend = extrasrc;
     unsigned char *extraend = extrasrc + header->extralen;
 
-    do {
+    while (ctrlsrc < ctrlend) {
       ctrlsrc->x = ntohl(ctrlsrc->x);
       ctrlsrc->y = ntohl(ctrlsrc->y);
       ctrlsrc->z = ntohl(ctrlsrc->z);
@@ -144,8 +171,8 @@ MBS_ApplyPatch(const MBSPatchHeader *header, int patchfd,
 
       /* Add x bytes from oldfile to x bytes from the diff block */
 
-      if (fbuffer + ctrlsrc->x > fbufend ||
-          diffsrc + ctrlsrc->x > diffend) {
+      if (ctrlsrc->x > static_cast<size_t>(fbufend - fbuffer) ||
+          ctrlsrc->x > static_cast<size_t>(diffend - diffsrc)) {
         rv = UNEXPECTED_ERROR;
         goto end;
       }
@@ -161,7 +188,7 @@ MBS_ApplyPatch(const MBSPatchHeader *header, int patchfd,
 
       /* Copy y bytes from the extra block */
 
-      if (extrasrc + ctrlsrc->y > extraend) {
+      if (ctrlsrc->y > static_cast<size_t>(extraend - extrasrc)) {
         rv = UNEXPECTED_ERROR;
         goto end;
       }
@@ -173,7 +200,8 @@ MBS_ApplyPatch(const MBSPatchHeader *header, int patchfd,
 
       /* "seek" forwards in oldfile by z bytes */
 
-      if (fbuffer + ctrlsrc->z > fbufend) {
+      if (ctrlsrc->z < fbufstart - fbuffer ||
+          ctrlsrc->z > fbufend - fbuffer) {
         rv = UNEXPECTED_ERROR;
         goto end;
       }
@@ -182,7 +210,7 @@ MBS_ApplyPatch(const MBSPatchHeader *header, int patchfd,
       /* and on to the next control block */
 
       ++ctrlsrc;
-    } while (ctrlsrc < ctrlend);
+    }
   }
 
 end: