diff --git a/services/diffpatch/bzip2/lz4_adapter.cpp b/services/diffpatch/bzip2/lz4_adapter.cpp
index 5ec2c8a10b50f896671dff95879b43e8ee693f4b..a3f26ab801f9d043efe81a4fdaef61abc2ae602f 100644
--- a/services/diffpatch/bzip2/lz4_adapter.cpp
+++ b/services/diffpatch/bzip2/lz4_adapter.cpp
@@ -112,16 +112,19 @@ int32_t Lz4FrameAdapter::WriteData(const BlockBuffer &srcData)
 {
 size_t blockSize = LZ4_BLOCK_SIZE(blockSizeID_);
 int32_t ret = 0;
- if ((currDataSize_ + srcData.length) < inData_.size()) {
- ret = memcpy_s(inData_.data() + currDataSize_, inData_.size(), srcData.buffer, srcData.length);
+ if (currDataSize_ < inData_.size() && srcData.length < (inData_.size() - currDataSize_)) {
+ ret = memcpy_s(inData_.data() + currDataSize_, inData_.size() - currDataSize_, srcData.buffer, srcData.length);
 if (ret != 0) {
 PATCH_LOGE("Failed to copy data ");
 return -1;
 }
 currDataSize_ += srcData.length;
+ } else if (currDataSize_ > inData_.size()) {
+ PATCH_LOGE("Failed to size currDataSize_ = %zu, inData_.size() = %zu", currDataSize_, inData_.size());
+ return -1;
 } else {
 size_t hasCopyLen = inData_.size() - currDataSize_;
- ret = memcpy_s(inData_.data() + currDataSize_, inData_.size(), srcData.buffer, hasCopyLen);
+ ret = memcpy_s(inData_.data() + currDataSize_, hasCopyLen, srcData.buffer, hasCopyLen);
 if (ret != 0) {
 PATCH_LOGE("Failed to copy data ");
 return -1;
diff --git a/services/diffpatch/diff/blocks_diff.cpp b/services/diffpatch/diff/blocks_diff.cpp
index 29d4fab20eb42018e07e29f4166330212d207009..b28be3b453dd820733877a0efd0bd64b1655b1ee 100644
--- a/services/diffpatch/diff/blocks_diff.cpp
+++ b/services/diffpatch/diff/blocks_diff.cpp
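Review bot: In `Lz4FrameAdapter::WriteData` (lz4_adapter.cpp), the final `else` branch now passes `hasCopyLen` as both the destination size and the count, and that value is 0 whenever `currDataSize_ == inData_.size()`, because neither earlier condition catches that case. Securec-style `memcpy_s` implementations typically reject a zero destination size, so a zero-byte copy that used to succeed may now end in `return -1`. If a full buffer can be seen on entry, wrap the call in `if (hasCopyLen > 0) { ... }`, or add a comment stating that the state is unreachable. The function continues past the end of the hunk, so how the remaining `srcData.length - hasCopyLen` bytes are handled is not visible here.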
@@ -223,12 +223,13 @@ int32_t BlocksBufferDiff::WritePatchHeader(int64_t controlSize, int64_t diffDataSize, int64_t newSize, size_t &headerLen) { headerLen = std::char_traits::length(BSDIFF_MAGIC) + sizeof(int64_t) + sizeof(int64_t) + sizeof(int64_t); - if (patchData_.size() <= headerLen + offset_) { - PATCH_LOGE("Invalid patch size"); + if (headerLen >= patchData_.size() || offset_ >= (patchData_.size() - headerLen)) { + PATCH_LOGE("Invalid patch size headerLen = %zu, offset_ = %zu, patchData_.size = %zu", + headerLen, offset_, patchData_.size()); return -1; } - int32_t ret = memcpy_s(patchData_.data() + offset_, patchData_.size(), BSDIFF_MAGIC, + int32_t ret = memcpy_s(patchData_.data() + offset_, patchData_.size() - offset_, BSDIFF_MAGIC, std::char_traits::length(BSDIFF_MAGIC)); if (ret != 0) { PATCH_LOGE("Failed to copy magic"); diff --git a/services/diffpatch/diff/image_diff.cpp b/services/diffpatch/diff/image_diff.cpp index f36ea15b41ad6a4a3b6b454e95533aa3c9dc813f..116ba605c89cc71e7d7c32bd424505656cfe8b59 100644 --- a/services/diffpatch/diff/image_diff.cpp +++ b/services/diffpatch/diff/image_diff.cpp @@ -584,7 +584,12 @@ int32_t CompressedImageDiff::CompressData(Hpackage::PkgManager::FileInfoPtr info if ((start + outSize) > outData.size()) { outData.resize(IGMDIFF_LIMIT_UNIT * ((start + outSize) / IGMDIFF_LIMIT_UNIT + 1)); } - return memcpy_s(outData.data() + start, outData.size(), data.buffer, size); + if (memcpy_s(outData.data() + start, outData.size() - start, data.buffer, size) != EOK) { + PATCH_LOGE("Failed to memcpy_s data outData.size() = %zu size = %zu start = %zu", + outData.size(), size, start); + return -1; + } + return 0; }, nullptr); int32_t ret = pkgManager->CompressBuffer(info, {buffer.buffer, buffer.length}, stream1); if (ret != 0) { diff --git a/services/diffpatch/diff/update_diff.cpp b/services/diffpatch/diff/update_diff.cpp index bb35a11734046b0c5d519cd769d87dd52b32ecb7..4e841b3859f360a238c7ac72e0a3a1e25f1f88ce 100644 
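Review bot: In the stream callback of `CompressedImageDiff::CompressData` (image_diff.cpp), `outData.size() - start` is an unsigned subtraction, and the only thing keeping `start` inside the vector is the resize guard above it, whose `start + outSize` sum is itself unchecked and can wrap for a large `start`. Adding `if (start > outData.size()) { return -1; }` just before the copy would make the destination bound hold regardless of that arithmetic. The same pattern is added to the callback in `ImageParser::Extract` in update_diff.cpp (`buffer.size() - start`), and the same guard applies there. The lambda begins outside the hunk, so how `outSize` relates to the `size` that is actually copied cannot be confirmed from these lines.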
--- a/services/diffpatch/diff/update_diff.cpp
+++ b/services/diffpatch/diff/update_diff.cpp
@@ -111,7 +111,12 @@ int32_t ImageParser::Extract(const std::string &fileName, std::vector &
 if ((start + bufferSize) > buffer.size()) {
 buffer.resize(IGMDIFF_LIMIT_UNIT * ((start + bufferSize) / IGMDIFF_LIMIT_UNIT + 1));
 }
- return memcpy_s(buffer.data() + start, buffer.size(), data.buffer, size);
+ if (memcpy_s(buffer.data() + start, buffer.size() - start, data.buffer, size) != EOK) {
+ PATCH_LOGE("Failed to memcpy_s data buffer.size() = %zu size = %zu start = %zu",
+ buffer.size(), size, start);
+ return -1;
+ }
+ return 0;
 }, nullptr);
 if (ret != 0) {
 PATCH_LOGE("Failed to extract data");
diff --git a/services/flow_update/update_bin/bin_flow_update.cpp b/services/flow_update/update_bin/bin_flow_update.cpp
index fbd469c732f0578e8320ab5e006b45aa9e12c1ab..1d288c1dfb14d24cf6d75ee445e9be655d7b92a9 100644
--- a/services/flow_update/update_bin/bin_flow_update.cpp
+++ b/services/flow_update/update_bin/bin_flow_update.cpp
@@ -91,8 +91,12 @@ int32_t BinFlowUpdate::StartBinFlowUpdate(uint8_t *data, uint32_t len)
 bool BinFlowUpdate::AddRemainData(uint8_t *data, uint32_t &len)
 {
+ if (curlen_ >= maxBufSize_) {
+ LOG(ERROR) << "curlen_ failed : curlen_ = " << curlen_ << "maxBufSize_ = " << maxBufSize_;
+ return false;
+ }
 uint32_t copySize = std::min(static_cast(len), static_cast(maxBufSize_ - curlen_));
- if (memcpy_s(buffer_ + curlen_, maxBufSize_, data, copySize) != EOK) {
+ if (memcpy_s(buffer_ + curlen_, maxBufSize_ - curlen_, data, copySize) != EOK) {
 LOG(ERROR) << "AddRemainData memcpy failed" << " : " << strerror(errno);
 return false;
 }
diff --git a/services/log/log.cpp b/services/log/log.cpp
index 00b3f8b444789e600372da9817728fedc1296c79..596032582fa079881ee3e4cf9917c52c1e7480e3 100644
--- a/services/log/log.cpp
+++ b/services/log/log.cpp
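Review bot: The new error line in `BinFlowUpdate::AddRemainData` streams `curlen_` straight into the next label, so the two numbers run together in the log (for example `curlen_ = 4096maxBufSize_ = 4096`, values constructed). Write it as `<< curlen_ << ", maxBufSize_ = " << maxBufSize_;`. The `>=` guard also turns an exactly full buffer into a failure rather than a zero-byte copy, so a short comment above it saying that callers must drain `buffer_` before calling again would record that contract. The function body continues outside the hunk.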
@@ -131,7 +131,7 @@ void Logger(int level, const char* fileName, int32_t line, const char* format, . std::vector buff(1024); // 1024 : max length of buff va_list list; va_start(list, format); - int size = vsnprintf_s(reinterpret_cast(buff.data()), buff.capacity(), buff.capacity(), format, list); + int size = vsnprintf_s(reinterpret_cast(buff.data()), buff.capacity(), buff.capacity() - 1, format, list); va_end(list); if (size < EOK) { UpdaterLogger(level).OutputUpdaterLog(fileName, line) << "vsnprintf_s failed"; diff --git a/services/package/pkg_package/pkg_upgradefile.cpp b/services/package/pkg_package/pkg_upgradefile.cpp index 7505889665661a13d895f91215f358d690d5ebea..73af79e6dfb684d862681d0fe2c4f795cb8aa74a 100644 --- a/services/package/pkg_package/pkg_upgradefile.cpp +++ b/services/package/pkg_package/pkg_upgradefile.cpp @@ -425,7 +425,8 @@ int32_t UpgradePkgFile::ReadPackageInfo(std::vector &signData, size_t & } } - ret = memset_s(buffer.buffer + UPGRADE_RESERVE_LEN, buffer.length, 0, GetUpgradeSignatureLen()); + ret = memset_s(buffer.buffer + UPGRADE_RESERVE_LEN, buffer.length - UPGRADE_RESERVE_LEN, + 0, GetUpgradeSignatureLen()); if (ret != EOK) { PKG_LOGE("memset buff fail"); UPDATER_LAST_WORD(PKG_NONE_MEMORY, "memset buff fail"); diff --git a/services/ptable_parse/ufs_ptable.cpp b/services/ptable_parse/ufs_ptable.cpp index a8078d1fd33b6eef19c9c1a46fb4a6497ec80d6d..48466868fc4434bfc7f13bd1170072ef1791b4ab 100644 --- a/services/ptable_parse/ufs_ptable.cpp +++ b/services/ptable_parse/ufs_ptable.cpp @@ -28,6 +28,8 @@ namespace Updater { constexpr const uint32_t LUN_FOR_SLOT_A = 3; constexpr const uint32_t LUN_FOR_SLOT_B = 4; +constexpr const uint32_t IMG_BLOCK_SIZE = 512; +constexpr const uint32_t DEVICE_BLOCK_SIZE = 4096; uint32_t UfsPtable::GetDeviceLunNum() { 
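Review bot: In `Logger` (log.cpp), both the destination size and the count passed to `vsnprintf_s` are taken from `buff.capacity()`, which is allowed to exceed `buff.size()`; only the first `size()` elements are storage that may be written through `data()`. Passing `buff.size(), buff.size() - 1` for those two arguments keeps the write inside the 1024 elements the vector was constructed with. The function continues past the end of the hunk.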
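Review bot: In `UpgradePkgFile::ReadPackageInfo` (pkg_upgradefile.cpp), `buffer.length - UPGRADE_RESERVE_LEN` wraps when `buffer.length` is smaller than `UPGRADE_RESERVE_LEN`, and in that case `buffer.buffer + UPGRADE_RESERVE_LEN` already points past the allocation. No check of `buffer.length` is visible in the hunk; unless one exists earlier in the function, test `buffer.length < UPGRADE_RESERVE_LEN + GetUpgradeSignatureLen()` before the call and fail with the function's usual error return. Package headers are parsed from update files, so the length should not be assumed. The function starts and ends outside the hunk.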
@@ -284,15 +286,16 @@ void UfsPtable::UfsPatchGptHeader(UfsPartitionDataInfo &ptnDataInfo, const uint3
 // blocksize is 4096, lbaLen is 512. Because in ptable.img block is 512 while in device block is 4096
 bool UfsPtable::ParsePartitionFromBuffer(uint8_t *ptbImgBuffer, const uint32_t imgBufSize)
 {
- if (ptbImgBuffer == nullptr) {
+ if (ptbImgBuffer == nullptr || (imgBufSize < ptableData_.emmcGptDataLen + ptableData_.imgLuSize +
+ GetPtableExtraOffset())) {
 LOG(ERROR) << "input param invalid";
 return false;
 }
 uint32_t imgBlockSize = ptableData_.lbaLen; // 512
 uint32_t deviceBlockSize = GetDeviceBlockSize();
- if (imgBufSize < ptableData_.emmcGptDataLen + ptableData_.imgLuSize + GetPtableExtraOffset()) {
- LOG(ERROR) << "input param invalid imgBufSize";
+ if (deviceBlockSize != IMG_BLOCK_SIZE && deviceBlockSize != DEVICE_BLOCK_SIZE) {
+ LOG(ERROR) << "deviceBlockSize fail:" << deviceBlockSize;
 return false;
 }
@@ -565,7 +568,13 @@ bool UfsPtable::CorrectBufByPtnList(uint8_t *imageBuf, uint64_t imgBufSize, cons
 }
 std::copy(newEntryBuf.begin(), newEntryBuf.end(), newBuf.begin() + srcInfo[i].gptEntryBufOffset);
 }
- if (memcpy_s(ufsLunEntryStart, imgBufSize - (ufsLunEntryStart - imageBuf), newBuf.data(), editLen) != 0) {
+ uint64_t offset = static_cast(ufsLunEntryStart - imageBuf);
+ if (imageBuf > ufsLunEntryStart || offset >= imgBufSize) {
+ LOG(ERROR) << "memcpy size fail imageBuf" << imageBuf << "ufsLunEntryStart" << ufsLunEntryStart
+ << "imgBufSize" << imgBufSize;
+ return false;
+ }
+ if (memcpy_s(ufsLunEntryStart, imgBufSize - offset, newBuf.data(), editLen) != 0) {
 LOG(ERROR) << "memcpy fail. destSize :" << imgBufSize - (ufsLunEntryStart - imageBuf);
 return false;
 }
diff --git a/utils/utils.cpp b/utils/utils.cpp
index 981ad9bf81be94b41b9f78a6f8befa24f39d5a10..128e866fc9ffb28dad369907ee95afa67a21cd4d 100644
--- a/utils/utils.cpp
+++ b/utils/utils.cpp
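Review bot: In `UfsPtable::CorrectBufByPtnList`, the new error line streams `imageBuf`, a `uint8_t *`, into the log. If `LOG` is backed by a `std::ostream`, the `unsigned char *` overload prints the pointed-to bytes as a NUL-terminated string, so this error path would read the image buffer up to the first zero byte and write its contents to the log instead of an address; `ufsLunEntryStart` presumably has the same type. Cast both for logging, e.g. `<< static_cast<const void *>(imageBuf)`, and put separators between the labels and the values. The `memcpy fail` message that follows still prints `imgBufSize - (ufsLunEntryStart - imageBuf)` and could use `offset`. The function starts outside the hunk.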
@@ -200,20 +200,19 @@ std::string ConvertSha256Hex(const uint8_t* shaDigest, size_t length)
 bool SetRebootMisc(const std::string& rebootTarget, const std::string &extData, struct UpdateMessage &msg)
 {
- static const int32_t maxCommandSize = 16;
 int result = 0;
 if (rebootTarget == "updater" && strcmp(msg.command, "boot_updater") != 0) {
- result = strcpy_s(msg.command, maxCommandSize, "boot_updater");
+ result = strcpy_s(msg.command, MAX_COMMAND_SIZE, "boot_updater");
 } else if (rebootTarget == "flashd" && strcmp(msg.command, "flashd") != 0) {
- result = strcpy_s(msg.command, maxCommandSize, "boot_flash");
+ result = strcpy_s(msg.command, MAX_COMMAND_SIZE, "boot_flash");
 } else if (rebootTarget == "bootloader" && strcmp(msg.command, "boot_loader") != 0) {
- result = strcpy_s(msg.command, maxCommandSize, "boot_loader");
+ result = strcpy_s(msg.command, MAX_COMMAND_SIZE, "boot_loader");
 }
 if (result != EOK) {
 LOG(ERROR) << "reboot set misc strcpy failed";
 return false;
 }
- msg.command[maxCommandSize] = 0;
+ msg.command[MAX_COMMAND_SIZE - 1] = 0;
 if (extData.empty()) {
 (void)memset_s(msg.update, sizeof(msg.update), 0, sizeof(msg.update));
 return true;
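Review bot: The `strcpy_s` bound and the terminator index in `SetRebootMisc` both come from `MAX_COMMAND_SIZE`, whose definition is not part of this diff, so nothing on these lines ties the constant to the real size of `msg.command`. If `command` is a fixed-size array member, as `update` appears to be from `sizeof(msg.update)` a few lines below, prefer `sizeof(msg.command)` as the `strcpy_s` bound and `msg.command[sizeof(msg.command) - 1] = 0;` for the terminator. Otherwise a `static_assert` next to the constant's definition would catch a later mismatch. The function continues past the end of the hunk.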