Check metadata size in payload.

Detect overflow for unsigned integer addition.

Bug: 113118184
Test: manual test with a hand crafted payload
Change-Id: I0155de49c241c392fb74f3d830ceebdb4174f872
(cherry picked from commit 08769f9c05199f96b257eded926975fd83c6edbf)
(cherry picked from commit 3e9410898d2687d7df3bdb03c6830d3ec428c2c6)
diff --git a/payload_consumer/payload_metadata.cc b/payload_consumer/payload_metadata.cc
index fe2df0a..6b8d448 100644
--- a/payload_consumer/payload_metadata.cc
+++ b/payload_consumer/payload_metadata.cc
@@ -109,6 +109,13 @@
          kDeltaManifestSizeSize);
   manifest_size_ = be64toh(manifest_size_);  // switch big endian to host
 
+  metadata_size_ = manifest_offset + manifest_size_;
+  if (metadata_size_ < manifest_size_) {
+    // Overflow detected.
+    *error = ErrorCode::kDownloadInvalidMetadataSize;
+    return MetadataParseResult::kError;
+  }
+
   if (GetMajorVersion() == kBrilloMajorPayloadVersion) {
     // Parse the metadata signature size.
     static_assert(
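Review bot: The wrap check `if (metadata_size_ < manifest_size_)` stores the sum in the member before validating it, so on the error path `metadata_size_` keeps a wrapped value derived from the payload. I would compute into a local first, e.g. `const uint64_t total = manifest_offset + manifest_size_;` then `if (total < manifest_size_) { ... }` and assign `metadata_size_ = total;` only after the check passes. The comparison is a valid overflow test only while both operands are unsigned, which the hunk does not show for `manifest_offset`; a comment such as `// Unsigned wrap check: relies on manifest_offset and manifest_size_ being unsigned.` would protect it against a later type change. The check rejects wraparound only, so a very large `manifest_size_` that does not wrap still passes here; presumably a bound against the real payload length or a maximum is enforced elsewhere, which is worth confirming. The enclosing function starts above this hunk.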
@@ -123,8 +130,13 @@
            &payload[metadata_signature_size_offset],
            kDeltaMetadataSignatureSizeSize);
     metadata_signature_size_ = be32toh(metadata_signature_size_);
+
+    if (metadata_size_ + metadata_signature_size_ < metadata_size_) {
+      // Overflow detected.
+      *error = ErrorCode::kDownloadInvalidMetadataSize;
+      return MetadataParseResult::kError;
+    }
   }
-  metadata_size_ = manifest_offset + manifest_size_;
   return MetadataParseResult::kSuccess;
 }
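Review bot: The two rejection paths added by this commit have no automated regression test; the commit record lists only a manual test with a hand-crafted payload. A unit test should build a header whose manifest size field is the maximum 64-bit value, and another whose signature size makes the total wrap, asserting `MetadataParseResult::kError` with `ErrorCode::kDownloadInvalidMetadataSize`. Separately, `if (metadata_size_ + metadata_signature_size_ < metadata_size_)` validates a sum that is then discarded, so any later code that adds the two sizes again depends on this check staying in place. A comment there such as `// Callers add these two sizes; reject here so that sum cannot wrap.` would record the reason. The function begins outside this hunk, so whether callers read the size members after `kError` cannot be confirmed from here.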