commit 840a7eae5a6d8250490e8ea430193531f0c4ccd6
author Sen Jiang <senj@google.com> Wed Sep 19 14:29:44 2018 -0700
committer android-build-team Robot <android-build-team-robot@google.com> Sat Oct 20 00:18:31 2018 +0000
tree 2e832fa33f6249e11659f1eeae0255fe37fc8b56
parent da851450dfc625719754af022c38f91a97838c93

Check metadata size in payload.

Detect overflow for unsigned integer addition.

Bug: 113118184
Test: manual test with a hand crafted payload
Change-Id: I0155de49c241c392fb74f3d830ceebdb4174f872
(cherry picked from commit 08769f9c05199f96b257eded926975fd83c6edbf)
(cherry picked from commit 3e9410898d2687d7df3bdb03c6830d3ec428c2c6)

update_attempter_android.cc

diff --git a/update_attempter_android.cc b/update_attempter_android.cc
index 04ccb18..406e40a 100644
--- a/update_attempter_android.cc
+++ b/update_attempter_android.cc
@@ -357,14 +357,17 @@
                           "Failed to parse payload header: " +
                               utils::ErrorCodeToString(errorcode));
   }
-  metadata.resize(payload_metadata.GetMetadataSize() +
-                  payload_metadata.GetMetadataSignatureSize());
-  if (metadata.size() < kMaxPayloadHeaderSize) {
+  uint64_t metadata_size = payload_metadata.GetMetadataSize() +
+                           payload_metadata.GetMetadataSignatureSize();
+  if (metadata_size < kMaxPayloadHeaderSize ||
+      metadata_size >
+          static_cast<uint64_t>(utils::FileSize(metadata_filename))) {
     return LogAndSetError(
         error,
         FROM_HERE,
-        "Metadata size too small: " + std::to_string(metadata.size()));
+        "Invalid metadata size: " + std::to_string(metadata_size));
   }
+  metadata.resize(metadata_size);
   if (!fd->Read(metadata.data() + kMaxPayloadHeaderSize,
                 metadata.size() - kMaxPayloadHeaderSize)) {
     return LogAndSetError(