Merge "bspatch_fuzzer: guard againts integer overflow with bad patch"

commit: 10118144d0b8a90496db9f97d55bf607db2c8c8b [log] [tgz]
author: Treehugger Robot <treehugger-gerrit@google.com> Tue Jun 18 18:25:26 2019 +0000
committer: Gerrit Code Review <noreply-gerritcodereview@google.com> Tue Jun 18 18:25:26 2019 +0000
tree: ebe23d95183dfad42797b3d4ffea28ee8af07f92
parent: 1a313bad729068bfd60f9f86c5769671bc652b53 [diff]
parent: 6e40d9347586f0bc628295a0c581c95eeae0a234 [diff]
diff --git a/bspatch.cc b/bspatch.cc
index d552dcf..d7f1710 100644
--- a/bspatch.cc
+++ b/bspatch.cc

@@ -34,6 +34,7 @@
 #include <fcntl.h>
 #include <inttypes.h>
 #include <stdio.h>
+#include <stdint.h>
 #include <stdlib.h>
 #include <string.h>
 #include <sys/stat.h>
@@ -329,6 +330,8 @@
 
     // Adjust pointers.
     newpos += control_entry.diff_size;
+    if (oldpos > INT64_MAX - static_cast<int64_t>(control_entry.diff_size))
+      return 2;
     oldpos += control_entry.diff_size;
 
     if (oldpos > static_cast<int64_t>(old_file_size)) {
@@ -358,6 +361,9 @@
 
     // Adjust pointers.
     newpos += control_entry.extra_size;
+    if (control_entry.offset_increment > 0 &&
+        oldpos > INT64_MAX - control_entry.offset_increment)
+      return 2;
     oldpos += control_entry.offset_increment;
   }
commit	10118144d0b8a90496db9f97d55bf607db2c8c8b	[log] [tgz]
author	Treehugger Robot <treehugger-gerrit@google.com>	Tue Jun 18 18:25:26 2019 +0000
committer	Gerrit Code Review <noreply-gerritcodereview@google.com>	Tue Jun 18 18:25:26 2019 +0000
tree	ebe23d95183dfad42797b3d4ffea28ee8af07f92
parent	1a313bad729068bfd60f9f86c5769671bc652b53 [diff]
parent	6e40d9347586f0bc628295a0c581c95eeae0a234 [diff]