DO NOT MERGE - Merge pie-platform-release (PPRL.181205.001) into master
Bug: 120502534
Change-Id: I823ab5b0896ee5ccacfc9a0699a0243f0d283de3
diff --git a/payload_consumer/payload_metadata.cc b/payload_consumer/payload_metadata.cc
index 02ec8b1..3079feb 100644
--- a/payload_consumer/payload_metadata.cc
+++ b/payload_consumer/payload_metadata.cc
@@ -107,6 +107,13 @@
kDeltaManifestSizeSize);
manifest_size_ = be64toh(manifest_size_); // switch big endian to host
+ metadata_size_ = manifest_offset + manifest_size_;
+ if (metadata_size_ < manifest_size_) {
+ // Overflow detected.
+ *error = ErrorCode::kDownloadInvalidMetadataSize;
+ return MetadataParseResult::kError;
+ }
+
if (GetMajorVersion() == kBrilloMajorPayloadVersion) {
// Parse the metadata signature size.
static_assert(
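Review bot: `metadata_size_` is assigned before the wraparound test, so on the `kError` return the member keeps the wrapped sum, and any later read of it would presumably see a small, bogus size. Computing into a local and committing only after the check avoids that: `const uint64_t total = manifest_offset + manifest_size_;`, test `total < manifest_size_`, then `metadata_size_ = total;`. The comparison only detects wraparound if the addition is unsigned and done at the member's width. The declarations of `manifest_offset` and `metadata_size_` are outside this hunk, so that is worth confirming. The enclosing function starts before the hunk and continues past it.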
@@ -121,8 +128,13 @@
&payload[metadata_signature_size_offset],
kDeltaMetadataSignatureSizeSize);
metadata_signature_size_ = be32toh(metadata_signature_size_);
+
+ if (metadata_size_ + metadata_signature_size_ < metadata_size_) {
+ // Overflow detected.
+ *error = ErrorCode::kDownloadInvalidMetadataSize;
+ return MetadataParseResult::kError;
+ }
}
- metadata_size_ = manifest_offset + manifest_size_;
return MetadataParseResult::kSuccess;
}
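Review bot: The added checks reject only arithmetic wraparound, so a header that declares sizes far larger than the payload still reaches `return MetadataParseResult::kSuccess;`, and that contract is not documented. A comment above the return would make it explicit, for example `// Sizes are checked for overflow only; callers must bound them against the data actually available before allocating or reading.` The update_attempter_android.cc hunk in this commit adds such a bound for one caller; other callers are not visible here. The signature-size check sits inside the `kBrilloMajorPayloadVersion` branch, which is fine only if `metadata_signature_size_` is zero for other versions, and that initialisation is outside the hunk.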
diff --git a/update_attempter_android.cc b/update_attempter_android.cc
index f0de4cb..68aa775 100644
--- a/update_attempter_android.cc
+++ b/update_attempter_android.cc
@@ -378,14 +378,17 @@
"Failed to parse payload header: " +
utils::ErrorCodeToString(errorcode));
}
- metadata.resize(payload_metadata.GetMetadataSize() +
- payload_metadata.GetMetadataSignatureSize());
- if (metadata.size() < kMaxPayloadHeaderSize) {
+ uint64_t metadata_size = payload_metadata.GetMetadataSize() +
+ payload_metadata.GetMetadataSignatureSize();
+ if (metadata_size < kMaxPayloadHeaderSize ||
+ metadata_size >
+ static_cast<uint64_t>(utils::FileSize(metadata_filename))) {
return LogAndSetError(
error,
FROM_HERE,
- "Metadata size too small: " + std::to_string(metadata.size()));
+ "Invalid metadata size: " + std::to_string(metadata_size));
}
+ metadata.resize(metadata_size);
if (!fd->Read(metadata.data() + kMaxPayloadHeaderSize,
metadata.size() - kMaxPayloadHeaderSize)) {
return LogAndSetError(
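Review bot: The upper bound in the new `if` stops working when `utils::FileSize(metadata_filename)` fails. If it signals failure with a negative value (its declaration is not in this hunk, but the cast suggests a signed return), `static_cast<uint64_t>` turns that into a huge number, so any header-declared `metadata_size` passes and reaches `metadata.resize(metadata_size)`. Check the result before casting: `const auto file_size = utils::FileSize(metadata_filename);`, then add `file_size < 0 ||` as the first condition of the `if`. The size is also looked up by name while the read goes through the already open `fd`, so the two can disagree if the file changes in between; a size taken from the descriptor would be more robust. The enclosing function starts and ends outside the hunk.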