1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
|
From 8c8a52d7c05d75c3c608e4deed4bb33ab90883b0 Mon Sep 17 00:00:00 2001
From: Andrea Marchesini <amarchesini@mozilla.com>
Date: Thu, 4 Jun 2015 15:04:10 +0100
Subject: [PATCH] Bug 1166900 - Better string length check in
nsZipArchive::GetDataOffset. r+a=dveditz
---
dom/file/ArchiveZipFile.cpp | 6 ++++--
modules/libjar/nsZipArchive.cpp | 15 +++++++++------
2 files changed, 13 insertions(+), 8 deletions(-)
diff --git a/dom/file/ArchiveZipFile.cpp b/dom/file/ArchiveZipFile.cpp
index c206b64..d28b5ba 100644
--- a/dom/file/ArchiveZipFile.cpp
+++ b/dom/file/ArchiveZipFile.cpp
@@ -102,7 +102,8 @@ ArchiveInputStream::Init()
uint32_t offset = ArchiveZipItem::StrToInt32(mCentral.localhdr_offset);
// The file is corrupt
- if (offset + ZIPLOCAL_SIZE > mData.parentSize) {
+ if (mData.parentSize < ZIPLOCAL_SIZE ||
+ offset > mData.parentSize - ZIPLOCAL_SIZE) {
return NS_ERROR_UNEXPECTED;
}
@@ -137,7 +138,8 @@ ArchiveInputStream::Init()
ArchiveZipItem::StrToInt16(local.extrafield_len);
// The file is corrupt if there is not enough data
- if (offset + mData.sizeToBeRead > mData.parentSize) {
+ if (mData.parentSize < mData.sizeToBeRead ||
+ offset > mData.parentSize - mData.sizeToBeRead) {
return NS_ERROR_UNEXPECTED;
}
diff --git a/modules/libjar/nsZipArchive.cpp b/modules/libjar/nsZipArchive.cpp
index f8af715..5ec8225 100644
--- a/modules/libjar/nsZipArchive.cpp
+++ b/modules/libjar/nsZipArchive.cpp
@@ -637,18 +637,20 @@ MOZ_WIN_MEM_TRY_BEGIN
uint16_t namelen = xtoint(central->filename_len);
uint16_t extralen = xtoint(central->extrafield_len);
uint16_t commentlen = xtoint(central->commentfield_len);
-
- // Point to the next item at the top of loop
- buf += ZIPCENTRAL_SIZE + namelen + extralen + commentlen;
+ uint32_t diff = ZIPCENTRAL_SIZE + namelen + extralen + commentlen;
// Sanity check variable sizes and refuse to deal with
// anything too big: it's likely a corrupt archive.
if (namelen < 1 ||
namelen > kMaxNameLength ||
- buf >= endp) {
+ buf >= buf + diff || // No overflow
+ buf >= endp - diff) {
return NS_ERROR_FILE_CORRUPTED;
}
+ // Point to the next item at the top of loop
+ buf += diff;
+
nsZipItem* item = CreateZipItem();
if (!item)
return NS_ERROR_OUT_OF_MEMORY;
@@ -779,7 +781,7 @@ MOZ_WIN_MEM_TRY_BEGIN
uint32_t len = mFd->mLen;
const uint8_t* data = mFd->mFileData;
uint32_t offset = aItem->LocalOffset();
- if (offset + ZIPLOCAL_SIZE > len)
+ if (len < ZIPLOCAL_SIZE || offset > len - ZIPLOCAL_SIZE)
return nullptr;
// -- check signature before using the structure, in case the zip file is corrupt
@@ -795,7 +797,8 @@ MOZ_WIN_MEM_TRY_BEGIN
xtoint(Local->extrafield_len);
// -- check if there is enough source data in the file
- if (offset + aItem->Size() > len)
+ if (len < aItem->Size() ||
+ offset > len - aItem->Size())
return nullptr;
return data + offset;
--
2.4.3
|
