From 41cf35f8b2795276280572cf4d06c58954d45ca4 Mon Sep 17 00:00:00 2001
From: Tao Bao
Date: Tue, 24 Apr 2018 10:54:21 -0700
Subject: [PATCH] fastboot: sparse_file_len() returns int64_t.

Check that the value fits in uint32_t that's supported by the current protocol. Also fix and sanity check the max_size before passing it to sparse_file_resparse(), which accepts `unsigned int`. This shouldn't happen in practice because of RESPARSE_LIMIT (1 GiB).

Test: `fastboot flash` with small and large images.
Change-Id: I0a8279fc14c54c40a70ddce65c3b25173c0d0a40
---
 fastboot/fastboot.cpp | 6 +++++-
 fastboot/protocol.cpp | 6 +++---
 2 files changed, 8 insertions(+), 4 deletions(-)

diff --git a/fastboot/fastboot.cpp b/fastboot/fastboot.cpp
index 780ff50db..51b3f0c06 100644
--- a/fastboot/fastboot.cpp
+++ b/fastboot/fastboot.cpp
@@ -693,10 +693,14 @@ static void queue_info_dump() {
 fb_queue_notice("--------------------------------------------");
 }
 
-static struct sparse_file** load_sparse_files(int fd, int max_size) {
+static struct sparse_file** load_sparse_files(int fd, int64_t max_size) {
 struct sparse_file* s = sparse_file_import_auto(fd, false, true);
 if (!s) die("cannot sparse read file");
 
+ if (max_size <= 0 || max_size > std::numeric_limits::max()) {
+ die("invalid max size %" PRId64, max_size);
+ }
+
 int files = sparse_file_resparse(s, max_size, nullptr, 0);
 if (files < 0) die("Failed to resparse");
 
diff --git a/fastboot/protocol.cpp b/fastboot/protocol.cpp
index a08956749..7a333ee06 100644
--- a/fastboot/protocol.cpp
+++ b/fastboot/protocol.cpp
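Review bot: In load_sparse_files the upper bound reads `std::numeric_limits::max()` with no type argument, which does not compile as shown; the argument was most likely lost when the page was rendered, and the same applies to the check in fb_download_data_sparse in fastboot/protocol.cpp. Since the commit message says sparse_file_resparse() accepts `unsigned int`, the bound here should name that type, and the narrowing at the call is better made explicit: `sparse_file_resparse(s, static_cast<unsigned int>(max_size), nullptr, 0)`. Neither hunk adds `#include <limits>` or `#include <inttypes.h>` for `std::numeric_limits` and `PRId64`/`PRIx64`, so both files appear to rely on those headers already being pulled in, directly or transitively; that is worth confirming. The body of load_sparse_files continues past the end of the hunk.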
@@ -344,12 +344,12 @@ static int fb_download_data_sparse_flush(Transport* transport) {
 }
 
 int fb_download_data_sparse(Transport* transport, struct sparse_file* s) {
- int size = sparse_file_len(s, true, false);
- if (size <= 0) {
+ int64_t size = sparse_file_len(s, true, false);
+ if (size <= 0 || size > std::numeric_limits::max()) {
 return -1;
 }
 
- std::string cmd(android::base::StringPrintf("download:%08x", size));
+ std::string cmd(android::base::StringPrintf("download:%08" PRIx64, size));
 int r = _command_start(transport, cmd, size, 0);
 if (r < 0) {
 return -1;
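Review bot: The new oversize branch in fb_download_data_sparse returns -1 through the same path as `size <= 0`, so a caller cannot tell an image that exceeds the protocol's 32-bit length from an empty or unreadable one, whereas load_sparse_files in fastboot.cpp dies with a message. Recording the reason before `return -1;`, through whatever error reporting this file already uses, would make that failure diagnosable. After the range check the value could be narrowed once, `const uint32_t len = static_cast<uint32_t>(size);`, and then used as `StringPrintf("download:%08x", len)` and `_command_start(transport, cmd, len, 0)`; that keeps the 8-hex-digit field and the value handed to `_command_start` explicit instead of relying on implicit conversion of an `int64_t`, and avoids pairing the unsigned `PRIx64` conversion with a signed argument. The parameter type of `_command_start` is not visible in this hunk, and the function body continues past the last line shown.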