commit 1fabc1fa9d91c9bfc7e707f6d489252fcbb38753
author Tianjie Xu <xunchang@google.com> Wed Sep 21 14:58:11 2016 -0700
committer Tianjie Xu <xunchang@google.com> Thu Sep 22 11:24:42 2016 -0700
tree 14b6ca009c4c18e320c143c3ab634bc252dc2a5b
parent ca427a05eaf5a0c8c0e96c1d47c28e820cb5f86d

Fix out of bound access in libziparchive

The boundary check of an invalid EOCD record may succeed due to the
overflow of uint32_t. Fix the check and add a unit test.

Test: Open the crash.apk and libziparchive reports the offset error as expected.

Bug: 31251826
Change-Id: I1d8092a19b73886a671bc9d291cfc27d65e3d236

libziparchive/testdata/crash.apk

diff --git a/libziparchive/testdata/crash.apk b/libziparchive/testdata/crash.apk
new file mode 100644
index 0000000..d6dd52d
--- /dev/null
+++ b/libziparchive/testdata/crash.apk
Binary files differ

libziparchive/zip_archive.cc

diff --git a/libziparchive/zip_archive.cc b/libziparchive/zip_archive.cc
index 4649a75..45f6f0f 100644
--- a/libziparchive/zip_archive.cc
+++ b/libziparchive/zip_archive.cc
@@ -270,9 +270,14 @@
    * Grab the CD offset and size, and the number of entries in the
    * archive and verify that they look reasonable.
    */
-  if (eocd->cd_start_offset + eocd->cd_size > eocd_offset) {
+  if (static_cast<off64_t>(eocd->cd_start_offset) + eocd->cd_size > eocd_offset) {
     ALOGW("Zip: bad offsets (dir %" PRIu32 ", size %" PRIu32 ", eocd %" PRId64 ")",
         eocd->cd_start_offset, eocd->cd_size, static_cast<int64_t>(eocd_offset));
+#if defined(__ANDROID__)
+    if (eocd->cd_start_offset + eocd->cd_size <= eocd_offset) {
+      android_errorWriteLog(0x534e4554, "31251826");
+    }
+#endif
     return kInvalidOffset;
   }
   if (eocd->num_records == 0) {

libziparchive/zip_archive_test.cc

diff --git a/libziparchive/zip_archive_test.cc b/libziparchive/zip_archive_test.cc
index 6aee1bb..42eb5ee 100644
--- a/libziparchive/zip_archive_test.cc
+++ b/libziparchive/zip_archive_test.cc
@@ -36,6 +36,7 @@
 static const std::string kValidZip = "valid.zip";
 static const std::string kLargeZip = "large.zip";
 static const std::string kBadCrcZip = "bad_crc.zip";
+static const std::string kCrashApk = "crash.apk";
 
 static const std::vector<uint8_t> kATxtContents {
   'a', 'b', 'c', 'd', 'e', 'f', 'g', 'h',
@@ -84,6 +85,12 @@
   CloseArchive(handle);
 }
 
+TEST(ziparchive, OutOfBound) {
+  ZipArchiveHandle handle;
+  ASSERT_EQ(-8, OpenArchiveWrapper(kCrashApk, &handle));
+  CloseArchive(handle);
+}
+
 TEST(ziparchive, OpenMissing) {
   ZipArchiveHandle handle;
   ASSERT_NE(0, OpenArchiveWrapper(kMissingZip, &handle));