diff options
-rw-r--r-- | minzip/SysUtil.c | 68 | ||||
-rw-r--r-- | updater/updater.cpp | 13 |
2 files changed, 59 insertions, 22 deletions
diff --git a/minzip/SysUtil.c b/minzip/SysUtil.c index 09ec8768f..de47edfd9 100644 --- a/minzip/SysUtil.c +++ b/minzip/SysUtil.c @@ -8,6 +8,7 @@ #include <fcntl.h> #include <limits.h> #include <stdbool.h> +#include <stdint.h> #include <stdio.h> #include <stdlib.h> #include <string.h> @@ -39,6 +40,11 @@ static bool sysMapFD(int fd, MemMapping* pMap) { pMap->length = sb.st_size; pMap->range_count = 1; pMap->ranges = malloc(sizeof(MappedRange)); + if (pMap->ranges == NULL) { + LOGE("malloc failed: %s\n", strerror(errno)); + munmap(memPtr, sb.st_size); + return false; + } pMap->ranges[0].addr = memPtr; pMap->ranges[0].length = sb.st_size; @@ -50,7 +56,7 @@ static int sysMapBlockFile(FILE* mapf, MemMapping* pMap) char block_dev[PATH_MAX+1]; size_t size; unsigned int blksize; - unsigned int blocks; + size_t blocks; unsigned int range_count; unsigned int i; @@ -69,49 +75,80 @@ static int sysMapBlockFile(FILE* mapf, MemMapping* pMap) LOGE("failed to parse block map header\n"); return -1; } - - blocks = ((size-1) / blksize) + 1; + if (blksize != 0) { + blocks = ((size-1) / blksize) + 1; + } + if (size == 0 || blksize == 0 || blocks > SIZE_MAX / blksize || range_count == 0) { + LOGE("invalid data in block map file: size %zu, blksize %u, range_count %u\n", + size, blksize, range_count); + return -1; + } pMap->range_count = range_count; - pMap->ranges = malloc(range_count * sizeof(MappedRange)); - memset(pMap->ranges, 0, range_count * sizeof(MappedRange)); + pMap->ranges = calloc(range_count, sizeof(MappedRange)); + if (pMap->ranges == NULL) { + LOGE("calloc(%u, %zu) failed: %s\n", range_count, sizeof(MappedRange), strerror(errno)); + return -1; + } // Reserve enough contiguous address space for the whole file. unsigned char* reserve; reserve = mmap64(NULL, blocks * blksize, PROT_NONE, MAP_PRIVATE | MAP_ANON, -1, 0); if (reserve == MAP_FAILED) { LOGE("failed to reserve address space: %s\n", strerror(errno)); + free(pMap->ranges); return -1; } - pMap->ranges[range_count-1].addr = reserve; - pMap->ranges[range_count-1].length = blocks * blksize; - int fd = open(block_dev, O_RDONLY); if (fd < 0) { LOGE("failed to open block device %s: %s\n", block_dev, strerror(errno)); + munmap(reserve, blocks * blksize); + free(pMap->ranges); return -1; } unsigned char* next = reserve; + size_t remaining_size = blocks * blksize; + bool success = true; for (i = 0; i < range_count; ++i) { - int start, end; - if (fscanf(mapf, "%d %d\n", &start, &end) != 2) { + size_t start, end; + if (fscanf(mapf, "%zu %zu\n", &start, &end) != 2) { LOGE("failed to parse range %d in block map\n", i); - return -1; + success = false; + break; + } + size_t length = (end - start) * blksize; + if (end <= start || ((end - start) > SIZE_MAX / blksize) || length > remaining_size) { + LOGE("unexpected range in block map: %zu %zu\n", start, end); + success = false; + break; } - void* addr = mmap64(next, (end-start)*blksize, PROT_READ, MAP_PRIVATE | MAP_FIXED, fd, ((off64_t)start)*blksize); + void* addr = mmap64(next, length, PROT_READ, MAP_PRIVATE | MAP_FIXED, fd, ((off64_t)(start*blksize))); if (addr == MAP_FAILED) { LOGE("failed to map block %d: %s\n", i, strerror(errno)); - return -1; + success = false; + break; } pMap->ranges[i].addr = addr; - pMap->ranges[i].length = (end-start)*blksize; + pMap->ranges[i].length = length; - next += pMap->ranges[i].length; + next += length; + remaining_size -= length; + } + if (success && remaining_size != 0) { + LOGE("ranges in block map are invalid: remaining_size = %zu\n", remaining_size); + success = false; + } + if (!success) { + close(fd); + munmap(reserve, blocks * blksize); + free(pMap->ranges); + return -1; } + close(fd); pMap->addr = reserve; pMap->length = size; @@ -134,6 +171,7 @@ int sysMapFile(const char* fn, MemMapping* pMap) if (sysMapBlockFile(mapf, pMap) != 0) { LOGE("Map of '%s' failed\n", fn); + fclose(mapf); return -1; } diff --git a/updater/updater.cpp b/updater/updater.cpp index 0f22e6d04..80e75037c 100644 --- a/updater/updater.cpp +++ b/updater/updater.cpp @@ -19,6 +19,8 @@ #include <stdlib.h> #include <string.h> +#include <string> + #include "edify/expr.h" #include "updater.h" #include "install.h" @@ -89,12 +91,11 @@ int main(int argc, char** argv) { return 4; } - char* script = reinterpret_cast<char*>(malloc(script_entry->uncompLen+1)); - if (!mzReadZipEntry(&za, script_entry, script, script_entry->uncompLen)) { + std::string script(script_entry->uncompLen, '\0'); + if (!mzReadZipEntry(&za, script_entry, &script[0], script_entry->uncompLen)) { printf("failed to read script from package\n"); return 5; } - script[script_entry->uncompLen] = '\0'; // Configure edify's functions. @@ -108,7 +109,7 @@ int main(int argc, char** argv) { Expr* root; int error_count = 0; - int error = parse_string(script, &root, &error_count); + int error = parse_string(script.c_str(), &root, &error_count); if (error != 0 || error_count > 0) { printf("%d parse errors\n", error_count); return 6; @@ -135,7 +136,7 @@ int main(int argc, char** argv) { State state; state.cookie = &updater_info; - state.script = script; + state.script = &script[0]; state.errmsg = NULL; char* result = Evaluate(&state, root); @@ -163,7 +164,5 @@ int main(int argc, char** argv) { mzCloseZipArchive(updater_info.package_zip); } sysReleaseMap(&map); - free(script); - return 0; } |