| author | Tianjie Xu <xunchang@google.com> | 2018-09-07 15:24:58 -0700 |
|---|---|---|
| committer | Rohit Yengisetty <rngy@google.com> | 2018-10-16 16:08:54 -0700 |
| commit | eda48f8f099aaf53c57ca7fbea3a0b8a1db025f1 (patch) | |
| tree | 7d962468955fc1d6d67f1e13a9020b9ed81c7f2b | |
| parent | f1278966750d17e2be69ced79396cdd3ffab3e94 (diff) | |
| download | recovery-nougat-mr2-security-release.tar.gz | |
DO NOT MERGE: Initialize the ZipArchive to zero before parsing

Tags: android-7.1.2_r39, android-7.1.2_r38, android-7.1.2_r37, nougat-mr2-security-release
The fields of the ZipArchive on the stack are not initialized before we
call libminzip to parse the zip file. As a result, some random memory
location is freed unintentionally when we close the ZipArchive upon
parsing failures.
Bug: 35385357
Test: recompile and run the poc with asan.
Change-Id: I7e7f8ab4816c84a158af7389e1a889f8fc65f079
(cherry picked from commit 2050579b79f495832ec8aa11655a809d87bfc8e3)
| mode | file | changes |
|---|---|---|
| -rw-r--r-- | install.cpp | 2 |
| -rw-r--r-- | updater/updater.cpp | 2 |

2 files changed, 2 insertions, 2 deletions
diff --git a/install.cpp b/install.cpp index e144d9b2..c3174a24 100644 --- a/install.cpp +++ b/install.cpp @@ -489,7 +489,7 @@ really_install_package(const char *path, bool* wipe_cache, bool needs_mount, } // Try to open the package. - ZipArchive zip; + ZipArchive zip = {}; int err = mzOpenZipArchive(map.addr, map.length, &zip); if (err != 0) { LOGE("Can't open %s\n(%s)\n", path, err != -1 ? strerror(err) : "bad"); diff --git a/updater/updater.cpp b/updater/updater.cpp index e956dd55..96755735 100644 --- a/updater/updater.cpp +++ b/updater/updater.cpp @@ -77,7 +77,7 @@ int main(int argc, char** argv) { printf("failed to map package %s\n", argv[3]); return 3; } - ZipArchive za; + ZipArchive za = {}; int err; err = mzOpenZipArchive(map.addr, map.length, &za); if (err != 0) { |
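Review bot: In the install.cpp hunk, `ZipArchive zip = {};` fixes the symptom at this call site, but the root cause is that `mzOpenZipArchive` can fail and leave the caller-owned struct with whatever was on the stack, which the close path then frees; a comment on the `= {}` line saying why value-initialization is required would stop a future cleanup from reverting it to `ZipArchive zip;`, and the safer long-term fix is for `mzOpenZipArchive` (or its failure path) to leave the struct in a state that is always safe to close, so that every caller is covered rather than only the ones patched here.

Review bot: In the updater.cpp hunk, the same `ZipArchive za = {};` change is applied, but the surrounding `int err;` followed by a separate `err = mzOpenZipArchive(...)` is inconsistent with the install.cpp site, which initializes `err` at declaration; folding the two lines into `int err = mzOpenZipArchive(map.addr, map.length, &za);` keeps both call sites identical and makes it easier to spot any remaining caller that still declares an uninitialized `ZipArchive` before calling into libminzip.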