fix patching issues with corrupt patchfiles

2025-10-02 09:52:27 -04:00 · 2007-03-21 23:08:57 +00:00 · 2007-03-21 23:08:57 +00:00 · 863fdd7449
commit 863fdd7449
parent 5179b6de77
2 changed files with 41 additions and 0 deletions
--- a/panda/src/downloader/httpChannel.cxx
+++ b/panda/src/downloader/httpChannel.cxx
@ -2099,6 +2099,7 @@ run_download_to_file() {

  if (_body_stream->is_closed()) {
    // Done.
+    _download_to_file.close();
    _started_download = false;
    return false;
  } else {
--- a/panda/src/express/patchfile.cxx
+++ b/panda/src/express/patchfile.cxx
@ -295,9 +295,19 @@ run() {
    // read # of ADD bytes
    nassertr(_buffer->get_length() >= (int)sizeof(ADD_length), false);
    ADD_length = patch_reader.get_uint16();
+    if (_patch_stream.fail()) {
+      express_cat.error()
+        << "Truncated patch file.\n";
+      return EU_error_file_invalid;
+    }

    bytes_read += (int)ADD_length;
    _total_bytes_processed += (int)ADD_length;
+    if (_total_bytes_processed > _total_bytes_to_process) {
+      express_cat.error()
+        << "Runaway patch file.\n";
+      return EU_error_file_invalid;
+    }

    // if there are bytes to add, read them from patch file and write them to output
    if (express_cat.is_spam() && ADD_length != 0) {
@ -310,6 +320,11 @@ run() {
    while (bytes_left > 0) {
      PN_uint32 bytes_this_time = (PN_uint32) min(bytes_left, (PN_uint32) buflen);
      _patch_stream.read(_buffer->_buffer, bytes_this_time);
+      if (_patch_stream.fail()) {
+        express_cat.error()
+          << "Truncated patch file.\n";
+        return EU_error_file_invalid;
+      }
      _write_stream.write(_buffer->_buffer, bytes_this_time);
      bytes_left -= bytes_this_time;
    }
@ -318,15 +333,30 @@ run() {
    // read # of COPY bytes
    nassertr(_buffer->get_length() >= (int)sizeof(COPY_length), false);
    COPY_length = patch_reader.get_uint16();
+    if (_patch_stream.fail()) {
+      express_cat.error()
+        << "Truncated patch file.\n";
+      return EU_error_file_invalid;
+    }

    bytes_read += (int)COPY_length;
    _total_bytes_processed += (int)COPY_length;
+    if (_total_bytes_processed > _total_bytes_to_process) {
+      express_cat.error()
+        << "Runaway patch file.\n";
+      return EU_error_file_invalid;
+    }

    // if there are bytes to copy, read them from original file and write them to output
    if (0 != COPY_length) {
      // read copy offset
      nassertr(_buffer->get_length() >= (int)sizeof(COPY_offset), false);
      COPY_offset = patch_reader.get_int32();
+      if (_patch_stream.fail()) {
+        express_cat.error()
+          << "Truncated patch file.\n";
+        return EU_error_file_invalid;
+      }

      // seek to the copy source pos
      if (_version_number < 2) {
@ -334,6 +364,11 @@ run() {
      } else {
        _origfile_stream.seekg(COPY_offset, ios::cur);
      }
+      if (_origfile_stream.fail()) {
+        express_cat.error()
+          << "Invalid copy offset in patch file.\n";
+        return EU_error_file_invalid;
+      }

      if (express_cat.is_spam()) {
        express_cat.spam()
@ -349,6 +384,11 @@ run() {
      while (bytes_left > 0) {
        PN_uint32 bytes_this_time = (PN_uint32) min(bytes_left, (PN_uint32) buflen);
        _origfile_stream.read(_buffer->_buffer, bytes_this_time);
+        if (_origfile_stream.fail()) {
+          express_cat.error()
+            << "Invalid copy length in patch file.\n";
+          return EU_error_file_invalid;
+        }
        _write_stream.write(_buffer->_buffer, bytes_this_time);
        bytes_left -= bytes_this_time;
      }