According to the ZIP spec, the values are suppose to be unsigned (
http://www.pkware.com/documents/casestudies/APPNOTE.TXT sections 4.3.12 and
4.4.1.1). The bug was interpreting those fields as a signed value instead
of an unsigned value. A negative { namelen, extralen, or bytecount }
doesn't make any sense - how do you have a negative length?
It's perfectly legal, according to the ZIP standard, to have a { namelen,
extralen, or bytecount } of length 65534.
-- Nick
On Fri, Jul 12, 2013 at 10:24 PM, Jeffrey Walton <noloa...@gmail.com> wrote:
> Hi All,
>
> I was reading through Bug 9695860 write up (available at
>
> http://www.androidpolice.com/2013/07/11/second-all-access-apk-exploit-is-revealed-just-two-days-after-master-key-goes-public-already-patched-by-google/
> ).
>
> Am I the only guy scratching my head in disbelief in AOSP's
> unwillingness to validate fields properly? What's with the stupid
> programmer tricks of forcing a negative value to positive? Those silly
> tricks just turned -2 into 65534, which is still probably incorrect.
> Is there any reason an APK is not rejected as malformed?
>
> Jeff
>
> --
> You received this message because you are subscribed to the Google Groups
> "Android Security Discussions" group.
> To unsubscribe from this group and stop receiving emails from it, send an
> email to android-security-discuss+unsubscr...@googlegroups.com.
> To post to this group, send email to
> android-security-discuss@googlegroups.com.
> Visit this group at
> http://groups.google.com/group/android-security-discuss.
> For more options, visit https://groups.google.com/groups/opt_out.
>
>
>
--
Nick Kralevich | Android Security | n...@google.com | 650.214.4037
--
You received this message because you are subscribed to the Google Groups
"Android Security Discussions" group.
To unsubscribe from this group and stop receiving emails from it, send an email
to android-security-discuss+unsubscr...@googlegroups.com.
To post to this group, send email to android-security-discuss@googlegroups.com.
Visit this group at http://groups.google.com/group/android-security-discuss.
For more options, visit https://groups.google.com/groups/opt_out.
