commit 7328c9ffbcd628c339763d7b0dfd8f093920f518
author Xin Li <delphij@google.com> Tue Dec 11 13:59:37 2018 -0800
committer Xin Li <delphij@google.com> Tue Dec 11 13:59:37 2018 -0800
tree 1d7d7554cdead317495182dfc8e1973ac110c3bc
parent 4b821d7d700085d3b81260c559392c5e5b59822a
parent 48850623a06f731c0bcc7d41eb99fd7ba49dbb60

DO NOT MERGE - Merge pie-platform-release (PPRL.181205.001) into master

Bug: 120502534
Change-Id: I823ab5b0896ee5ccacfc9a0699a0243f0d283de3

payload_consumer/payload_metadata.cc

diff --git a/payload_consumer/payload_metadata.cc b/payload_consumer/payload_metadata.cc
index 02ec8b1..3079feb 100644
--- a/payload_consumer/payload_metadata.cc
+++ b/payload_consumer/payload_metadata.cc
@@ -107,6 +107,13 @@
          kDeltaManifestSizeSize);
   manifest_size_ = be64toh(manifest_size_);  // switch big endian to host
 
+  metadata_size_ = manifest_offset + manifest_size_;
+  if (metadata_size_ < manifest_size_) {
+    // Overflow detected.
+    *error = ErrorCode::kDownloadInvalidMetadataSize;
+    return MetadataParseResult::kError;
+  }
+
   if (GetMajorVersion() == kBrilloMajorPayloadVersion) {
     // Parse the metadata signature size.
     static_assert(
@@ -121,8 +128,13 @@
            &payload[metadata_signature_size_offset],
            kDeltaMetadataSignatureSizeSize);
     metadata_signature_size_ = be32toh(metadata_signature_size_);
+
+    if (metadata_size_ + metadata_signature_size_ < metadata_size_) {
+      // Overflow detected.
+      *error = ErrorCode::kDownloadInvalidMetadataSize;
+      return MetadataParseResult::kError;
+    }
   }
-  metadata_size_ = manifest_offset + manifest_size_;
   return MetadataParseResult::kSuccess;
 }
 

update_attempter_android.cc

diff --git a/update_attempter_android.cc b/update_attempter_android.cc
index f0de4cb..68aa775 100644
--- a/update_attempter_android.cc
+++ b/update_attempter_android.cc
@@ -378,14 +378,17 @@
                           "Failed to parse payload header: " +
                               utils::ErrorCodeToString(errorcode));
   }
-  metadata.resize(payload_metadata.GetMetadataSize() +
-                  payload_metadata.GetMetadataSignatureSize());
-  if (metadata.size() < kMaxPayloadHeaderSize) {
+  uint64_t metadata_size = payload_metadata.GetMetadataSize() +
+                           payload_metadata.GetMetadataSignatureSize();
+  if (metadata_size < kMaxPayloadHeaderSize ||
+      metadata_size >
+          static_cast<uint64_t>(utils::FileSize(metadata_filename))) {
     return LogAndSetError(
         error,
         FROM_HERE,
-        "Metadata size too small: " + std::to_string(metadata.size()));
+        "Invalid metadata size: " + std::to_string(metadata_size));
   }
+  metadata.resize(metadata_size);
   if (!fd->Read(metadata.data() + kMaxPayloadHeaderSize,
                 metadata.size() - kMaxPayloadHeaderSize)) {
     return LogAndSetError(