commit 6e40d9347586f0bc628295a0c581c95eeae0a234
author Amin Hassani <ahassani@google.com> Mon May 13 11:47:57 2019 -0700
committer Amin Hassani <ahassani@google.com> Fri Jun 14 11:42:22 2019 -0700
tree ebe23d95183dfad42797b3d4ffea28ee8af07f92
parent 1a313bad729068bfd60f9f86c5769671bc652b53

bspatch_fuzzer: guard againts integer overflow with bad patch

oldpos is a signed integer and an invalid input can cause integer
overflow. This CL makes sure the interger overflow doesn't happen.

The error message was:
../../../../../../../tmp/portage/dev-util/bsdiff-9999/work/bsdiff-9999/platform2/bsdiff/bspatch.cc:366:12: runtime error: signed integer overflow: 251 + 9223372036854775807 cannot be represented in type 'long'

Bug: crbug.com/950591
Test: cros_fuzz --board=amd64-generic reproduce --fuzzer bspatch_fuzzer --testcase ~/trunk/clusterfuzz-testcase-bspatch_fuzzer-5689939906920448 --package bsdiff --build-type ubsan

Change-Id: If1253483bc073cfb08867b531121d835078544bb

bspatch.cc

diff --git a/bspatch.cc b/bspatch.cc
index d552dcf..d7f1710 100644
--- a/bspatch.cc
+++ b/bspatch.cc
@@ -34,6 +34,7 @@
 #include <fcntl.h>
 #include <inttypes.h>
 #include <stdio.h>
+#include <stdint.h>
 #include <stdlib.h>
 #include <string.h>
 #include <sys/stat.h>
@@ -329,6 +330,8 @@
 
     // Adjust pointers.
     newpos += control_entry.diff_size;
+    if (oldpos > INT64_MAX - static_cast<int64_t>(control_entry.diff_size))
+      return 2;
     oldpos += control_entry.diff_size;
 
     if (oldpos > static_cast<int64_t>(old_file_size)) {
@@ -358,6 +361,9 @@
 
     // Adjust pointers.
     newpos += control_entry.extra_size;
+    if (control_entry.offset_increment > 0 &&
+        oldpos > INT64_MAX - control_entry.offset_increment)
+      return 2;
     oldpos += control_entry.offset_increment;
   }