Fix out of bound access in libziparchive
The boundary check of an invalid EOCD record may succeed due to the
overflow of uint32_t. Fix the check and add a unit test.
Test: Open the crash.apk and libziparchive reports the offset error as expected.
Bug: 31251826
Merged-In: I1d8092a19b73886a671bc9d291cfc27d65e3d236
Change-Id: I1d8092a19b73886a671bc9d291cfc27d65e3d236
(cherry picked from commit ae8180c06dee228cd1378c56afa6020ae98d8a24)
diff --git a/libziparchive/testdata/crash.apk b/libziparchive/testdata/crash.apk
new file mode 100644
index 0000000..d6dd52d
--- /dev/null
+++ b/libziparchive/testdata/crash.apk
Binary files differ
diff --git a/libziparchive/zip_archive_test.cc b/libziparchive/zip_archive_test.cc
index 52099c3..7653872 100644
--- a/libziparchive/zip_archive_test.cc
+++ b/libziparchive/zip_archive_test.cc
@@ -40,6 +40,7 @@
static const std::string kValidZip = "valid.zip";
static const std::string kLargeZip = "large.zip";
static const std::string kBadCrcZip = "bad_crc.zip";
+static const std::string kCrashApk = "crash.apk";
static const std::string kUpdateZip = "dummy-update.zip";
static const std::vector<uint8_t> kATxtContents {
@@ -89,6 +90,12 @@
CloseArchive(handle);
}
+TEST(ziparchive, OutOfBound) {
+ ZipArchiveHandle handle;
+ ASSERT_EQ(-8, OpenArchiveWrapper(kCrashApk, &handle));
+ CloseArchive(handle);
+}
+
TEST(ziparchive, OpenMissing) {
ZipArchiveHandle handle;
ASSERT_NE(0, OpenArchiveWrapper(kMissingZip, &handle));
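Review bot: The expected value in `ASSERT_EQ(-8, OpenArchiveWrapper(kCrashApk, &handle));` is a bare number, so a reader cannot tell which rejection path this regression test pins without looking up the library's error table. Going by the commit message it is the offset error for the invalid EOCD record, so a comment such as `// crash.apk: EOCD record whose bounds check used to pass via uint32_t overflow; expect the invalid-offset error (-8)` would tie the test to the bug. If the error enum is visible to the test file, the named constant would be better still. Because `ASSERT_EQ` returns from the test on failure, `CloseArchive(handle)` is skipped in exactly the case where the check regresses; `EXPECT_EQ` would keep the cleanup. The corrected bounds check itself is not visible in this hunk, so whether one sample file is enough coverage for the wrap-around case cannot be judged from here.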