87 lines
3.0 KiB
Diff
87 lines
3.0 KiB
Diff
From 8c8a52d7c05d75c3c608e4deed4bb33ab90883b0 Mon Sep 17 00:00:00 2001
|
|
From: Andrea Marchesini <amarchesini@mozilla.com>
|
|
Date: Thu, 4 Jun 2015 15:04:10 +0100
|
|
Subject: [PATCH] Bug 1166900 - Better string length check in
|
|
nsZipArchive::GetDataOffset. r+a=dveditz
|
|
|
|
---
|
|
dom/file/ArchiveZipFile.cpp | 6 ++++--
|
|
modules/libjar/nsZipArchive.cpp | 15 +++++++++------
|
|
2 files changed, 13 insertions(+), 8 deletions(-)
|
|
|
|
diff --git a/dom/file/ArchiveZipFile.cpp b/dom/file/ArchiveZipFile.cpp
|
|
index c206b64..d28b5ba 100644
|
|
--- a/dom/file/ArchiveZipFile.cpp
|
|
+++ b/dom/file/ArchiveZipFile.cpp
|
|
@@ -102,7 +102,8 @@ ArchiveInputStream::Init()
|
|
uint32_t offset = ArchiveZipItem::StrToInt32(mCentral.localhdr_offset);
|
|
|
|
// The file is corrupt
|
|
- if (offset + ZIPLOCAL_SIZE > mData.parentSize) {
|
|
+ if (mData.parentSize < ZIPLOCAL_SIZE ||
|
|
+ offset > mData.parentSize - ZIPLOCAL_SIZE) {
|
|
return NS_ERROR_UNEXPECTED;
|
|
}
|
|
|
|
@@ -137,7 +138,8 @@ ArchiveInputStream::Init()
|
|
ArchiveZipItem::StrToInt16(local.extrafield_len);
|
|
|
|
// The file is corrupt if there is not enough data
|
|
- if (offset + mData.sizeToBeRead > mData.parentSize) {
|
|
+ if (mData.parentSize < mData.sizeToBeRead ||
|
|
+ offset > mData.parentSize - mData.sizeToBeRead) {
|
|
return NS_ERROR_UNEXPECTED;
|
|
}
|
|
|
|
diff --git a/modules/libjar/nsZipArchive.cpp b/modules/libjar/nsZipArchive.cpp
|
|
index f8af715..5ec8225 100644
|
|
--- a/modules/libjar/nsZipArchive.cpp
|
|
+++ b/modules/libjar/nsZipArchive.cpp
|
|
@@ -637,18 +637,20 @@ MOZ_WIN_MEM_TRY_BEGIN
|
|
uint16_t namelen = xtoint(central->filename_len);
|
|
uint16_t extralen = xtoint(central->extrafield_len);
|
|
uint16_t commentlen = xtoint(central->commentfield_len);
|
|
-
|
|
- // Point to the next item at the top of loop
|
|
- buf += ZIPCENTRAL_SIZE + namelen + extralen + commentlen;
|
|
+ uint32_t diff = ZIPCENTRAL_SIZE + namelen + extralen + commentlen;
|
|
|
|
// Sanity check variable sizes and refuse to deal with
|
|
// anything too big: it's likely a corrupt archive.
|
|
if (namelen < 1 ||
|
|
namelen > kMaxNameLength ||
|
|
- buf >= endp) {
|
|
+ buf >= buf + diff || // No overflow
|
|
+ buf >= endp - diff) {
|
|
return NS_ERROR_FILE_CORRUPTED;
|
|
}
|
|
|
|
+ // Point to the next item at the top of loop
|
|
+ buf += diff;
|
|
+
|
|
nsZipItem* item = CreateZipItem();
|
|
if (!item)
|
|
return NS_ERROR_OUT_OF_MEMORY;
|
|
@@ -779,7 +781,7 @@ MOZ_WIN_MEM_TRY_BEGIN
|
|
uint32_t len = mFd->mLen;
|
|
const uint8_t* data = mFd->mFileData;
|
|
uint32_t offset = aItem->LocalOffset();
|
|
- if (offset + ZIPLOCAL_SIZE > len)
|
|
+ if (len < ZIPLOCAL_SIZE || offset > len - ZIPLOCAL_SIZE)
|
|
return nullptr;
|
|
|
|
// -- check signature before using the structure, in case the zip file is corrupt
|
|
@@ -795,7 +797,8 @@ MOZ_WIN_MEM_TRY_BEGIN
|
|
xtoint(Local->extrafield_len);
|
|
|
|
// -- check if there is enough source data in the file
|
|
- if (offset + aItem->Size() > len)
|
|
+ if (len < aItem->Size() ||
|
|
+ offset > len - aItem->Size())
|
|
return nullptr;
|
|
|
|
return data + offset;
|
|
--
|
|
2.4.3
|
|
|