Merge cherrypicks of [5317808, 5317809, 5318498, 5317873, 5318338, 5318195, 5318499, 5317874, 5317875, 5317876, 5318243, 5318244, 5318537, 5318538, 5318539, 5318540, 5318541, 5318542, 5318543, 5318544, 5318545, 5318546, 5315210, 5317756, 5318557, 5318558, 5318559, 5318560, 5318561, 5318339, 5318547, 5318548, 5318549, 5318562, 5318563, 5318564, 5318565, 5318566, 5318172, 5318173, 5318174, 5318550, 5318401, 5318196, 5317889, 5318175, 5318176, 5318577, 5318578, 5318579, 5318580, 5318581, 5318503, 5318390, 5318505, 5318341, 5318551] into pi-qpr1-release
Change-Id: I69141e0a919e8af2e0bad14493d499d7cd115280
diff --git a/payload_consumer/payload_metadata.cc b/payload_consumer/payload_metadata.cc
index fe2df0a..6b8d448 100644
--- a/payload_consumer/payload_metadata.cc
+++ b/payload_consumer/payload_metadata.cc
@@ -109,6 +109,13 @@
kDeltaManifestSizeSize);
manifest_size_ = be64toh(manifest_size_); // switch big endian to host
+ metadata_size_ = manifest_offset + manifest_size_;
+ if (metadata_size_ < manifest_size_) {
+ // Overflow detected.
+ *error = ErrorCode::kDownloadInvalidMetadataSize;
+ return MetadataParseResult::kError;
+ }
+
if (GetMajorVersion() == kBrilloMajorPayloadVersion) {
// Parse the metadata signature size.
static_assert(
@@ -123,8 +130,13 @@
&payload[metadata_signature_size_offset],
kDeltaMetadataSignatureSizeSize);
metadata_signature_size_ = be32toh(metadata_signature_size_);
+
+ if (metadata_size_ + metadata_signature_size_ < metadata_size_) {
+ // Overflow detected.
+ *error = ErrorCode::kDownloadInvalidMetadataSize;
+ return MetadataParseResult::kError;
+ }
}
- metadata_size_ = manifest_offset + manifest_size_;
return MetadataParseResult::kSuccess;
}
diff --git a/update_attempter_android.cc b/update_attempter_android.cc
index 04ccb18..406e40a 100644
--- a/update_attempter_android.cc
+++ b/update_attempter_android.cc
@@ -357,14 +357,17 @@
"Failed to parse payload header: " +
utils::ErrorCodeToString(errorcode));
}
- metadata.resize(payload_metadata.GetMetadataSize() +
- payload_metadata.GetMetadataSignatureSize());
- if (metadata.size() < kMaxPayloadHeaderSize) {
+ uint64_t metadata_size = payload_metadata.GetMetadataSize() +
+ payload_metadata.GetMetadataSignatureSize();
+ if (metadata_size < kMaxPayloadHeaderSize ||
+ metadata_size >
+ static_cast<uint64_t>(utils::FileSize(metadata_filename))) {
return LogAndSetError(
error,
FROM_HERE,
- "Metadata size too small: " + std::to_string(metadata.size()));
+ "Invalid metadata size: " + std::to_string(metadata_size));
}
+ metadata.resize(metadata_size);
if (!fd->Read(metadata.data() + kMaxPayloadHeaderSize,
metadata.size() - kMaxPayloadHeaderSize)) {
return LogAndSetError(