bspatch_fuzzer: guard againts integer overflow with bad patch
oldpos is a signed integer and an invalid input can cause integer
overflow. This CL makes sure the interger overflow doesn't happen.
The error message was:
../../../../../../../tmp/portage/dev-util/bsdiff-9999/work/bsdiff-9999/platform2/bsdiff/bspatch.cc:366:12: runtime error: signed integer overflow: 251 + 9223372036854775807 cannot be represented in type 'long'
Bug: crbug.com/950591
Test: cros_fuzz --board=amd64-generic reproduce --fuzzer bspatch_fuzzer --testcase ~/trunk/clusterfuzz-testcase-bspatch_fuzzer-5689939906920448 --package bsdiff --build-type ubsan
Change-Id: If1253483bc073cfb08867b531121d835078544bb
diff --git a/bspatch.cc b/bspatch.cc
index d552dcf..d7f1710 100644
--- a/bspatch.cc
+++ b/bspatch.cc
@@ -34,6 +34,7 @@
#include <fcntl.h>
#include <inttypes.h>
#include <stdio.h>
+#include <stdint.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
@@ -329,6 +330,8 @@
// Adjust pointers.
newpos += control_entry.diff_size;
+ if (oldpos > INT64_MAX - static_cast<int64_t>(control_entry.diff_size))
+ return 2;
oldpos += control_entry.diff_size;
if (oldpos > static_cast<int64_t>(old_file_size)) {
@@ -358,6 +361,9 @@
// Adjust pointers.
newpos += control_entry.extra_size;
+ if (control_entry.offset_increment > 0 &&
+ oldpos > INT64_MAX - control_entry.offset_increment)
+ return 2;
oldpos += control_entry.offset_increment;
}