1 files changed, 86 insertions, 0 deletions

diff --git a/gnu/packages/patches/icecat-CVE-2015-2735.patch b/gnu/packages/patches/icecat-CVE-2015-2735.patch
new file mode 100644
index 0000000000..fd39bde113
--- /dev/null
+++ b/gnu/packages/patches/icecat-CVE-2015-2735.patch
@@ -0,0 +1,86 @@
+From 8c8a52d7c05d75c3c608e4deed4bb33ab90883b0 Mon Sep 17 00:00:00 2001
+From: Andrea Marchesini <amarchesini@mozilla.com>
+Date: Thu, 4 Jun 2015 15:04:10 +0100
+Subject: [PATCH] Bug 1166900 - Better string length check in
+ nsZipArchive::GetDataOffset. r+a=dveditz
+
+---
+ dom/file/ArchiveZipFile.cpp     |  6 ++++--
+ modules/libjar/nsZipArchive.cpp | 15 +++++++++------
+ 2 files changed, 13 insertions(+), 8 deletions(-)
+
+diff --git a/dom/file/ArchiveZipFile.cpp b/dom/file/ArchiveZipFile.cpp
+index c206b64..d28b5ba 100644
+--- a/dom/file/ArchiveZipFile.cpp
++++ b/dom/file/ArchiveZipFile.cpp
+@@ -102,7 +102,8 @@ ArchiveInputStream::Init()
+   uint32_t offset = ArchiveZipItem::StrToInt32(mCentral.localhdr_offset);
+ 
+   // The file is corrupt
+-  if (offset + ZIPLOCAL_SIZE > mData.parentSize) {
++  if (mData.parentSize < ZIPLOCAL_SIZE ||
++      offset > mData.parentSize - ZIPLOCAL_SIZE) {
+     return NS_ERROR_UNEXPECTED;
+   }
+ 
+@@ -137,7 +138,8 @@ ArchiveInputStream::Init()
+             ArchiveZipItem::StrToInt16(local.extrafield_len);
+ 
+   // The file is corrupt if there is not enough data
+-  if (offset + mData.sizeToBeRead > mData.parentSize) {
++  if (mData.parentSize < mData.sizeToBeRead ||
++      offset > mData.parentSize - mData.sizeToBeRead) {
+     return NS_ERROR_UNEXPECTED;
+   }
+ 
+diff --git a/modules/libjar/nsZipArchive.cpp b/modules/libjar/nsZipArchive.cpp
+index f8af715..5ec8225 100644
+--- a/modules/libjar/nsZipArchive.cpp
++++ b/modules/libjar/nsZipArchive.cpp
+@@ -637,18 +637,20 @@ MOZ_WIN_MEM_TRY_BEGIN
+     uint16_t namelen = xtoint(central->filename_len);
+     uint16_t extralen = xtoint(central->extrafield_len);
+     uint16_t commentlen = xtoint(central->commentfield_len);
+-
+-    // Point to the next item at the top of loop
+-    buf += ZIPCENTRAL_SIZE + namelen + extralen + commentlen;
++    uint32_t diff = ZIPCENTRAL_SIZE + namelen + extralen + commentlen;
+ 
+     // Sanity check variable sizes and refuse to deal with
+     // anything too big: it's likely a corrupt archive.
+     if (namelen < 1 ||
+         namelen > kMaxNameLength ||
+-        buf >= endp) {
++        buf >= buf + diff || // No overflow
++        buf >= endp - diff) {
+       return NS_ERROR_FILE_CORRUPTED;
+     }
+ 
++    // Point to the next item at the top of loop
++    buf += diff;
++
+     nsZipItem* item = CreateZipItem();
+     if (!item)
+       return NS_ERROR_OUT_OF_MEMORY;
+@@ -779,7 +781,7 @@ MOZ_WIN_MEM_TRY_BEGIN
+   uint32_t len = mFd->mLen;
+   const uint8_t* data = mFd->mFileData;
+   uint32_t offset = aItem->LocalOffset();
+-  if (offset + ZIPLOCAL_SIZE > len)
++  if (len < ZIPLOCAL_SIZE || offset > len - ZIPLOCAL_SIZE)
+     return nullptr;
+ 
+   // -- check signature before using the structure, in case the zip file is corrupt
+@@ -795,7 +797,8 @@ MOZ_WIN_MEM_TRY_BEGIN
+             xtoint(Local->extrafield_len);
+ 
+   // -- check if there is enough source data in the file
+-  if (offset + aItem->Size() > len)
++  if (len < aItem->Size() ||
++      offset > len - aItem->Size())
+     return nullptr;
+ 
+   return data + offset;
+-- 
+2.4.3
+