diff --git a/test/unittest/code_sign_utils_test.cpp b/test/unittest/code_sign_utils_test.cpp
index aec1406ec618d20ae9bcac7c8b184aac95e9e1ce..f33966fa710eab720cfae4617e023968ffedb4cd 100644
--- a/test/unittest/code_sign_utils_test.cpp
+++ b/test/unittest/code_sign_utils_test.cpp
@@ -850,6 +850,24 @@ HWTEST_F(CodeSignUtilsTest, CodeSignUtilsTest_0036, TestSize.Level0)
EXPECT_EQ(CodeSignUtils::IsSupportOHCodeSign(), false);
#endif
}
+
+/**
+ * @tc.name: CodeSignUtilsTest_0037
+ * @tc.desc: succ with signature in enforcing mode
+ * @tc.type: Func
+ * @tc.require: I8R8V7
+ */
+HWTEST_F(CodeSignUtilsTest, CodeSignUtilsTest_0037, TestSize.Level0)
+{
+ if (CodeSignUtils::InPermissiveMode()) {
+ return;
+ }
+ std::string hapRealPath = APP_BASE_PATH + "/demo_without_lib_signed/demo_without_lib_signed.hap";
+ EntryMap entryMap;
+ CodeSignUtils utils;
+ int32_t ret = utils.EnforceCodeSignForApp(hapRealPath, entryMap, FILE_SELF);
+ EXPECT_EQ(ret, CS_SUCCESS);
+}
} // namespace CodeSign
} // namespace Security
} // namespace OHOS
diff --git a/test/unittest/resources/demo_without_lib/demo_without_lib_signed.hap b/test/unittest/resources/demo_without_lib/demo_without_lib_signed.hap
new file mode 100644
index 0000000000000000000000000000000000000000..31617ef38fbcebb92172f0e5c685a3b6fd174626
Binary files /dev/null and b/test/unittest/resources/demo_without_lib/demo_without_lib_signed.hap differ
diff --git a/test/unittest/resources/ohos_test.xml b/test/unittest/resources/ohos_test.xml
index da298c5efd5343106f3924226bf40e8ec710be52..142566ea3fa226f2a3e306bbc954b144745384b9 100644
--- a/test/unittest/resources/ohos_test.xml
+++ b/test/unittest/resources/ohos_test.xml
@@ -26,6 +26,7 @@
+
diff --git a/utils/src/code_sign_block.cpp b/utils/src/code_sign_block.cpp
index 34b22a8111ed2caf3f4eab75fd221a17fab91cbd..32cefb9325c3480707c1461ca18ad51969ddd1e4 100644
--- a/utils/src/code_sign_block.cpp
+++ b/utils/src/code_sign_block.cpp
@@ -210,7 +210,7 @@ int32_t CodeSignBlock::ParseCodeSignBlockBaseInfo(ReadBuffer codeSignBlock, uint
if (segHeader->type != CSB_FSVERITY_INFO_SEG) {
return CS_ERR_SEGMENT_FSVERITY_TYPE;
}
- if (segHeader->offset >= blockSize) {
+ if ((segHeader->offset >= blockSize) || (sizeof(FsVerityInfo) >= (blockSize - segHeader->offset))) {
return CS_ERR_SEGMENT_FSVERITY_OFFSET;
}
ret = SetFsVerityInfo(CONST_STATIC_CAST(FsVerityInfo, codeSignBlock + segHeader->offset));
@@ -222,7 +222,7 @@ int32_t CodeSignBlock::ParseCodeSignBlockBaseInfo(ReadBuffer codeSignBlock, uint
if (segHeader->type != CSB_HAP_META_SEG) {
return CS_ERR_SEGMENT_HAP_TYPE;
}
- if (segHeader->offset >= blockSize) {
+ if ((segHeader->offset >= blockSize) || (sizeof(HapSignInfo) >= (blockSize - segHeader->offset))) {
return CS_ERR_SEGMENT_HAP_OFFSET;
}
ret = SetHapSignInfo(CONST_STATIC_CAST(HapSignInfo, codeSignBlock + segHeader->offset));
@@ -234,7 +234,7 @@ int32_t CodeSignBlock::ParseCodeSignBlockBaseInfo(ReadBuffer codeSignBlock, uint
if (segHeader->type != CSB_NATIVE_LIB_INFO_SEG) {
return CS_ERR_SEGMENT_SO_TYPE;
}
- if (segHeader->offset >= blockSize) {
+ if ((segHeader->offset >= blockSize) || (sizeof(NativeLibSignInfo) > (blockSize - segHeader->offset))) {
return CS_ERR_SEGMENT_SO_OFFSET;
}
return SetNativeLibSignInfo(CONST_STATIC_CAST(NativeLibSignInfo, codeSignBlock + segHeader->offset));
@@ -273,6 +273,9 @@ int32_t CodeSignBlock::GetCodeSignBlockBuffer(const std::string &path, ReadBuffe
if (blobHeader->type == HAP_CODE_SIGN_BLOCK_ID) {
signBlockBuffer = CONST_STATIC_CAST(char, blobHeader) + sizeof(PropertyBlobHeader);
signBlockSize = blobHeader->size;
+ if ((signBlockSize > blobSize) || ((signBlockBuffer - blobBuffer) > (blobSize - signBlockSize))) {
+ return CS_ERR_BLOCK_SIZE;
+ }
break;
}
length += blobHeader->size + sizeof(PropertyBlobHeader);