diff options
Diffstat (limited to 'gnu/packages/patches/icecat-CVE-2015-2736.patch')
| -rw-r--r-- | gnu/packages/patches/icecat-CVE-2015-2736.patch | 34 |
1 files changed, 34 insertions, 0 deletions
diff --git a/gnu/packages/patches/icecat-CVE-2015-2736.patch b/gnu/packages/patches/icecat-CVE-2015-2736.patch new file mode 100644 index 0000000000..a59cc64d10 --- /dev/null +++ b/gnu/packages/patches/icecat-CVE-2015-2736.patch @@ -0,0 +1,34 @@ +From 6daa986c7fdf27835a0f5d897c88f6b8dc42b8db Mon Sep 17 00:00:00 2001 +From: Andrea Marchesini <amarchesini@mozilla.com> +Date: Thu, 4 Jun 2015 15:04:10 +0100 +Subject: [PATCH] Bug 1167888 - Better string length check in + nsZipArchive::BuildFileList. r=smaug, a=dveditz + +--HG-- +extra : transplant_source : %5E6%3E%84%B6a%7F%1F%D21zGc%BD%E1%80%EF%0C%B5%F0 +--- + modules/libjar/nsZipArchive.cpp | 7 ++++++- + 1 file changed, 6 insertions(+), 1 deletion(-) + +diff --git a/modules/libjar/nsZipArchive.cpp b/modules/libjar/nsZipArchive.cpp +index cb3e5d0..f8af715 100644 +--- a/modules/libjar/nsZipArchive.cpp ++++ b/modules/libjar/nsZipArchive.cpp +@@ -617,8 +617,13 @@ MOZ_WIN_MEM_TRY_BEGIN + if (!centralOffset) + return NS_ERROR_FILE_CORRUPTED; + +- //-- Read the central directory headers + buf = startp + centralOffset; ++ ++ // avoid overflow of startp + centralOffset. ++ if (buf < startp) ++ return NS_ERROR_FILE_CORRUPTED; ++ ++ //-- Read the central directory headers + uint32_t sig = 0; + while (buf + int32_t(sizeof(uint32_t)) <= endp && + (sig = xtolong(buf)) == CENTRALSIG) { +-- +2.4.3 + |