Problem Description:
The implementation of bspatch does not check for a
negative value on numbers of bytes read from the diff and
extra streams, allowing an attacker who can control the
patch file to write at arbitrary locations in the heap.
This issue was first discovered by The Chromium Project
and reported independently by Lu Tung-Pin to the FreeBSD
project.
Impact:
An attacker who can control the patch file can cause a
crash or run arbitrary code under the credentials of the
user who runs bspatch, in many cases, root.