commit 02b9914d9d6713699c85a56a0de9b6a67d0e1b96
author android-build-team Robot <android-build-team-robot@google.com> Sat Oct 20 00:20:19 2018 +0000
committer android-build-team Robot <android-build-team-robot@google.com> Sat Oct 20 00:20:19 2018 +0000
tree 2e832fa33f6249e11659f1eeae0255fe37fc8b56
parent da851450dfc625719754af022c38f91a97838c93
parent 840a7eae5a6d8250490e8ea430193531f0c4ccd6

Merge cherrypicks of [5317808, 5317809, 5318498, 5317873, 5318338, 5318195, 5318499, 5317874, 5317875, 5317876, 5318243, 5318244, 5318537, 5318538, 5318539, 5318540, 5318541, 5318542, 5318543, 5318544, 5318545, 5318546, 5315210, 5317756, 5318557, 5318558, 5318559, 5318560, 5318561, 5318339, 5318547, 5318548, 5318549, 5318562, 5318563, 5318564, 5318565, 5318566, 5318172, 5318173, 5318174, 5318550, 5318401, 5318196, 5317889, 5318175, 5318176, 5318577, 5318578, 5318579, 5318580, 5318581, 5318503, 5318390, 5318505, 5318341, 5318551] into pi-qpr1-release

Change-Id: I69141e0a919e8af2e0bad14493d499d7cd115280

payload_consumer/payload_metadata.cc

diff --git a/payload_consumer/payload_metadata.cc b/payload_consumer/payload_metadata.cc
index fe2df0a..6b8d448 100644
--- a/payload_consumer/payload_metadata.cc
+++ b/payload_consumer/payload_metadata.cc
@@ -109,6 +109,13 @@
          kDeltaManifestSizeSize);
   manifest_size_ = be64toh(manifest_size_);  // switch big endian to host
 
+  metadata_size_ = manifest_offset + manifest_size_;
+  if (metadata_size_ < manifest_size_) {
+    // Overflow detected.
+    *error = ErrorCode::kDownloadInvalidMetadataSize;
+    return MetadataParseResult::kError;
+  }
+
   if (GetMajorVersion() == kBrilloMajorPayloadVersion) {
     // Parse the metadata signature size.
     static_assert(
@@ -123,8 +130,13 @@
            &payload[metadata_signature_size_offset],
            kDeltaMetadataSignatureSizeSize);
     metadata_signature_size_ = be32toh(metadata_signature_size_);
+
+    if (metadata_size_ + metadata_signature_size_ < metadata_size_) {
+      // Overflow detected.
+      *error = ErrorCode::kDownloadInvalidMetadataSize;
+      return MetadataParseResult::kError;
+    }
   }
-  metadata_size_ = manifest_offset + manifest_size_;
   return MetadataParseResult::kSuccess;
 }
 

update_attempter_android.cc

diff --git a/update_attempter_android.cc b/update_attempter_android.cc
index 04ccb18..406e40a 100644
--- a/update_attempter_android.cc
+++ b/update_attempter_android.cc
@@ -357,14 +357,17 @@
                           "Failed to parse payload header: " +
                               utils::ErrorCodeToString(errorcode));
   }
-  metadata.resize(payload_metadata.GetMetadataSize() +
-                  payload_metadata.GetMetadataSignatureSize());
-  if (metadata.size() < kMaxPayloadHeaderSize) {
+  uint64_t metadata_size = payload_metadata.GetMetadataSize() +
+                           payload_metadata.GetMetadataSignatureSize();
+  if (metadata_size < kMaxPayloadHeaderSize ||
+      metadata_size >
+          static_cast<uint64_t>(utils::FileSize(metadata_filename))) {
     return LogAndSetError(
         error,
         FROM_HERE,
-        "Metadata size too small: " + std::to_string(metadata.size()));
+        "Invalid metadata size: " + std::to_string(metadata_size));
   }
+  metadata.resize(metadata_size);
   if (!fd->Read(metadata.data() + kMaxPayloadHeaderSize,
                 metadata.size() - kMaxPayloadHeaderSize)) {
     return LogAndSetError(