authorTianjie Xu <xunchang@google.com>2018-09-07 15:24:58 -0700
committerRohit Yengisetty <rngy@google.com>2018-10-16 16:08:54 -0700
commiteda48f8f099aaf53c57ca7fbea3a0b8a1db025f1 (patch)
tree7d962468955fc1d6d67f1e13a9020b9ed81c7f2b
parentf1278966750d17e2be69ced79396cdd3ffab3e94 (diff)
DO NOT MERGE: Initialize the ZipArchive to zero before parsingandroid-7.1.2_r39android-7.1.2_r38android-7.1.2_r37nougat-mr2-security-release
The fields of the ZipArchive on the stack are not initialized before we call libminzip to parse the zip file. As a result, some random memory location is freed unintentionally when we close the ZipArchive upon parsing failures. Bug: 35385357 Test: recompile and run the poc with asan. Change-Id: I7e7f8ab4816c84a158af7389e1a889f8fc65f079 (cherry picked from commit 2050579b79f495832ec8aa11655a809d87bfc8e3)
-rw-r--r--install.cpp2
-rw-r--r--updater/updater.cpp2
2 files changed, 2 insertions, 2 deletions
diff --git a/install.cpp b/install.cpp
index e144d9b2..c3174a24 100644
--- a/install.cpp
+++ b/install.cpp
@@ -489,7 +489,7 @@ really_install_package(const char *path, bool* wipe_cache, bool needs_mount,
}
// Try to open the package.
- ZipArchive zip;
+ ZipArchive zip = {};
int err = mzOpenZipArchive(map.addr, map.length, &zip);
if (err != 0) {
LOGE("Can't open %s\n(%s)\n", path, err != -1 ? strerror(err) : "bad");
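Review bot: Zeroing `zip` at this call site fixes this caller only; the requirement that a ZipArchive be zeroed before `mzOpenZipArchive` stays implicit. Any other caller that passes a stack-allocated struct would still reach the free of uninitialized pointer fields that the commit message describes, and the same holds for `za` in updater/updater.cpp. If it is the library's own failure path that closes the archive, as the description suggests, clearing the struct at the top of `mzOpenZipArchive` would remove the bug class at its source: `memset(archive, 0, sizeof(*archive));`, where `archive` stands for that function's ZipArchive pointer parameter, which this diff does not show. The commit also records only a manual ASan run, so a small regression test that feeds a truncated or malformed archive to the open call would keep this from regressing. really_install_package begins and ends outside the hunk.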
diff --git a/updater/updater.cpp b/updater/updater.cpp
index e956dd55..96755735 100644
--- a/updater/updater.cpp
+++ b/updater/updater.cpp
@@ -77,7 +77,7 @@ int main(int argc, char** argv) {
printf("failed to map package %s\n", argv[3]);
return 3;
}
- ZipArchive za;
+ ZipArchive za = {};
int err;
err = mzOpenZipArchive(map.addr, map.length, &za);
if (err != 0) {
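Review bot: The `= {}` on `za` looks redundant to a reader who does not know the history, so a later cleanup could remove it and bring back the invalid free. A one-line comment above the declaration would protect it, for example `// Must be zeroed: the archive is closed on a parse failure, which frees its pointer fields.`, and the same comment fits above `ZipArchive zip = {};` in install.cpp. As a smaller style point, `int err;` and the assignment that follows could be folded into `int err = mzOpenZipArchive(map.addr, map.length, &za);`, matching install.cpp. main's body continues outside the hunk.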