fix vulnerability in bspatch
Patches whose control data tuples contain a negative number in the first
and/or second element can cause bspatch to write to arbitrary locations
in the heap.
Change-Id: Ibfccf222dbc24328ce7593476da36212d9052e12
diff --git a/bspatch.c b/bspatch.c
index 3ef698f..61de4d5 100644
--- a/bspatch.c
+++ b/bspatch.c
@@ -152,6 +152,11 @@
ctrl[i]=offtin(buf);
};
+ // android local change (start)
+ if (ctrl[0]<0||ctrl[1]<0)
+ errx(1,"Corrupt patch\n");
+ // android local change (end)
+
/* Sanity-check */
if(newpos+ctrl[0]>newsize)
errx(1,"Corrupt patch\n");
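Review bot: The sanity check right after the new guard, `if(newpos+ctrl[0]>newsize)`, still adds before it compares, so rejecting negative values does not fully close the bound. A very large positive `ctrl[0]` could overflow the sum and slip past the comparison; this assumes `newpos` and `ctrl[]` are signed (`off_t`-like), since their declarations are not visible in the hunk. Comparing by subtraction avoids the overflow once both operands are known to be non-negative: `if(ctrl[0]>newsize-newpos)`. Any later bound on `ctrl[1]` that uses the same add-then-compare form would need the same change, and `ctrl[2]` is not constrained by this guard, so its use as a seek offset is worth checking too. The enclosing function begins and ends outside the hunk, so none of that later code could be reviewed here.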