Fix integrity check when parsing zip64 eocd
The old check has some missing cases and may lead to read OOB.
Bug: 152433916
Test: unit tests pass
Change-Id: I3e8705b9c2db081228c5f9bd191c133668376ff2
diff --git a/libziparchive/zip_archive.cc b/libziparchive/zip_archive.cc
index 9812026..849b68c 100644
--- a/libziparchive/zip_archive.cc
+++ b/libziparchive/zip_archive.cc
@@ -162,8 +162,10 @@
}
const int64_t zip64EocdOffset = zip64EocdLocator.zip64_eocd_offset;
- if (zip64EocdOffset > locatorOffset - sizeof(Zip64EocdRecord)) {
- ALOGW("Zip: %s: Bad zip64 eocd offset %" PRIu64, debugFileName, zip64EocdOffset);
+ if (locatorOffset <= sizeof(Zip64EocdRecord) ||
+ zip64EocdOffset > locatorOffset - sizeof(Zip64EocdRecord)) {
+ ALOGW("Zip: %s: Bad zip64 eocd offset %" PRId64 ", eocd locator offset %" PRId64, debugFileName,
+ zip64EocdOffset, locatorOffset);
return kInvalidOffset;
}
@@ -171,7 +173,7 @@
if (!archive->mapped_zip.ReadAtOffset(reinterpret_cast<uint8_t*>(&zip64EocdRecord),
sizeof(Zip64EocdRecord), zip64EocdOffset)) {
ALOGW("Zip: %s: read %zu from offset %" PRId64 " failed %s", debugFileName,
- sizeof(Zip64EocdLocator), static_cast<int64_t>(zip64EocdOffset), debugFileName);
+ sizeof(Zip64EocdLocator), zip64EocdOffset, debugFileName);
return kIoError;
}
@@ -181,7 +183,8 @@
return kInvalidFile;
}
- if (zip64EocdRecord.cd_start_offset > zip64EocdOffset - zip64EocdRecord.cd_size) {
+ if (zip64EocdOffset <= zip64EocdRecord.cd_size ||
+ zip64EocdRecord.cd_start_offset > zip64EocdOffset - zip64EocdRecord.cd_size) {
ALOGW("Zip: %s: Bad offset for zip64 central directory. cd offset %" PRIu64 ", cd size %" PRIu64
", zip64 eocd offset %" PRIu64,
debugFileName, zip64EocdRecord.cd_start_offset, zip64EocdRecord.cd_size, zip64EocdOffset);