From 8c8a52d7c05d75c3c608e4deed4bb33ab90883b0 Mon Sep 17 00:00:00 2001
From: Andrea Marchesini
Date: Thu, 4 Jun 2015 15:04:10 +0100
Subject: [PATCH] Bug 1166900 - Better string length check in nsZipArchive::GetDataOffset. r+a=dveditz
---
 dom/file/ArchiveZipFile.cpp | 6 ++++--
 modules/libjar/nsZipArchive.cpp | 15 +++++++++------
 2 files changed, 13 insertions(+), 8 deletions(-)
diff --git a/dom/file/ArchiveZipFile.cpp b/dom/file/ArchiveZipFile.cpp
index c206b64..d28b5ba 100644
--- a/dom/file/ArchiveZipFile.cpp
+++ b/dom/file/ArchiveZipFile.cpp
@@ -102,7 +102,8 @@ ArchiveInputStream::Init()
   uint32_t offset = ArchiveZipItem::StrToInt32(mCentral.localhdr_offset);
   // The file is corrupt
-  if (offset + ZIPLOCAL_SIZE > mData.parentSize) {
+  if (mData.parentSize < ZIPLOCAL_SIZE ||
+      offset > mData.parentSize - ZIPLOCAL_SIZE) {
     return NS_ERROR_UNEXPECTED;
   }
@@ -137,7 +138,8 @@ ArchiveInputStream::Init()
     ArchiveZipItem::StrToInt16(local.extrafield_len);
   // The file is corrupt if there is not enough data
-  if (offset + mData.sizeToBeRead > mData.parentSize) {
+  if (mData.parentSize < mData.sizeToBeRead ||
+      offset > mData.parentSize - mData.sizeToBeRead) {
     return NS_ERROR_UNEXPECTED;
   }
diff --git a/modules/libjar/nsZipArchive.cpp b/modules/libjar/nsZipArchive.cpp
index f8af715..5ec8225 100644
--- a/modules/libjar/nsZipArchive.cpp
+++ b/modules/libjar/nsZipArchive.cpp
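Review bot: The rewritten condition in the first hunk is correct only because it never computes `offset + ZIPLOCAL_SIZE`, yet nothing in the code says so, and the surviving `// The file is corrupt` comment still reads like a plain bounds check that a later cleanup could fold back into the wrapping form. I would extend it to `// The file is corrupt. Compare without adding to offset: offset + size could wrap around.`; the same one-line rationale belongs on the second hunk of this file and on both GetDataOffset hunks in nsZipArchive.cpp. The `parentSize - ZIPLOCAL_SIZE` step is only sound if `mData.parentSize` is unsigned, which is not visible in the hunk and is worth confirming against the struct definition. ArchiveInputStream::Init continues outside both hunks.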
@@ -637,18 +637,20 @@ MOZ_WIN_MEM_TRY_BEGIN
     uint16_t namelen = xtoint(central->filename_len);
     uint16_t extralen = xtoint(central->extrafield_len);
     uint16_t commentlen = xtoint(central->commentfield_len);
-
-    // Point to the next item at the top of loop
-    buf += ZIPCENTRAL_SIZE + namelen + extralen + commentlen;
+    uint32_t diff = ZIPCENTRAL_SIZE + namelen + extralen + commentlen;
     // Sanity check variable sizes and refuse to deal with
     // anything too big: it's likely a corrupt archive.
     if (namelen < 1 || namelen > kMaxNameLength ||
-        buf >= endp) {
+        buf >= buf + diff || // No overflow
+        buf >= endp - diff) {
       return NS_ERROR_FILE_CORRUPTED;
     }
+    // Point to the next item at the top of loop
+    buf += diff;
+
     nsZipItem* item = CreateZipItem();
     if (!item)
       return NS_ERROR_OUT_OF_MEMORY;
@@ -779,7 +781,7 @@ MOZ_WIN_MEM_TRY_BEGIN
   uint32_t len = mFd->mLen;
   const uint8_t* data = mFd->mFileData;
   uint32_t offset = aItem->LocalOffset();
-  if (offset + ZIPLOCAL_SIZE > len)
+  if (len < ZIPLOCAL_SIZE || offset > len - ZIPLOCAL_SIZE)
     return nullptr;
   // -- check signature before using the structure, in case the zip file is corrupt
@@ -795,7 +797,8 @@ MOZ_WIN_MEM_TRY_BEGIN
       xtoint(Local->extrafield_len);
   // -- check if there is enough source data in the file
-  if (offset + aItem->Size() > len)
+  if (len < aItem->Size() ||
+      offset > len - aItem->Size())
     return nullptr;
   return data + offset;
--
2.4.3
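Review bot: `buf >= buf + diff` in the sanity check of the first hunk does not reliably detect wraparound: `buf + diff` is pointer arithmetic, and once it leaves the mapped buffer it is undefined behaviour, so an optimizer may fold the comparison to false and the `// No overflow` clause can compile to nothing. `endp - diff` has the same weakness whenever `diff` exceeds the distance from the buffer start. The robust form compares the remaining length as an integer, `buf >= endp || diff >= static_cast<size_t>(endp - buf)`, which rejects exactly the inputs `buf >= endp - diff` was meant to reject without ever forming an out-of-range pointer. The enclosing loop begins before this hunk, so whether `buf < endp` already holds on entry is not visible here.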
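Review bot: `aItem->Size()` is evaluated twice in the new condition of the last hunk; hoisting it into a local before the check, `const uint32_t size = aItem->Size();` followed by `if (len < size || offset > len - size)`, keeps both clauses visibly about the same quantity and matches how `len` and `offset` are already hoisted at the top of GetDataOffset. The return type of Size() is not shown in the hunk, so the local's type should follow its declaration. GetDataOffset's body starts before this hunk.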