Closed
Bug 1380204
Opened 7 years ago
Closed 7 years ago
XZStream does not cleanly handle xz files with multiple xz blocks
Categories
(Firefox for Android Graveyard :: General, defect)
Tracking
(firefox57 fixed)
RESOLVED
FIXED
Firefox 57
Tracking | Status | |
---|---|---|
firefox57 | --- | fixed |
People
(Reporter: bmurray7jhu, Assigned: bmurray7jhu)
Details
Attachments
(1 file)
User Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/59.0.3071.115 Safari/537.36 Steps to reproduce: Build Fennec on system with xz version 5.2 or higher. Configure xz to use multithreaded compression with small lazma blocks. For example, set XZ_OPT='--threads=4 --block-size=1MiB'. Build and package Fennec Actual results: Gecklinker crashes when loading libmozglue.so Expected results: Fennec should load correctly
Comment hidden (mozreview-request) |
Assignee | ||
Comment 2•7 years ago
|
||
Possible duplicate of Bug 1062916.
Comment 3•7 years ago
|
||
mozreview-review |
Comment on attachment 8885528 [details] Bug 1380204: Improve error handling in XZStream.cpp https://reviewboard.mozilla.org/r/156396/#review163188 ::: mozglue/linker/XZStream.cpp:1 (Diff revision 1) > + > + You're adding empty lines. ::: mozglue/linker/XZStream.cpp:76 (Diff revision 1) > if (!mDec) { > return false; > } > > mUncompSize = ParseUncompressedSize(); > + if(!mUncompSize) { space after if ::: mozglue/linker/XZStream.cpp:176 (Diff revision 1) > const uint32_t backwardSize = *(footer + 4); > + // Check for overflow. > + if(backwardSize > (SIZE_MAX / 4) - 1) { > + return 0; > + } I'd rather just use a CheckedInt (see mfbt/CheckedInt.h) ::: mozglue/linker/XZStream.cpp:197 (Diff revision 1) > } > // The footer follows directly the index, so we can use it as a reference. > const uint8_t* end = mInBuf + mBuffers.in_size; > const uint8_t* index = end - kFooterSize - indexSize; > > - // The index consists of a one byte indicator followed by a VLI field for the > + // The xz stream index consists of three concatnated elements: typo: concatenated ::: mozglue/linker/XZStream.cpp:226 (Diff revision 1) > return 0; > } > uint64_t uncompressedSize = 0; > index += ParseVarLenInt(index, end - index, &uncompressedSize); > + // Check for integer overflow > + if(uncompressedSize>SIZE_MAX) { spaces around >
Attachment #8885528 -
Flags: review?(mh+mozilla)
Comment hidden (mozreview-request) |
Assignee | ||
Comment 5•7 years ago
|
||
mozreview-review-reply |
Comment on attachment 8885528 [details] Bug 1380204: Improve error handling in XZStream.cpp https://reviewboard.mozilla.org/r/156396/#review163188 > spaces around > Entire line deleted.
Comment 6•7 years ago
|
||
mozreview-review |
Comment on attachment 8885528 [details] Bug 1380204: Improve error handling in XZStream.cpp https://reviewboard.mozilla.org/r/156396/#review165374 ::: mozglue/linker/XZStream.cpp:176 (Diff revision 2) > return 0; > } > // Backward size is a 32 bit LE integer field positioned after the 32 bit CRC32 > // code. It encodes the index size as a multiple of 4 bytes with a minimum > // size of 4 bytes. > - const uint32_t backwardSize = *(footer + 4); > + const uint32_t bBackwardSizeRaw = *(footer + 4); why the bB? ::: mozglue/linker/XZStream.cpp:179 (Diff revision 2) > // code. It encodes the index size as a multiple of 4 bytes with a minimum > // size of 4 bytes. > - const uint32_t backwardSize = *(footer + 4); > - return (backwardSize + 1) * 4; > + const uint32_t bBackwardSizeRaw = *(footer + 4); > + // Check for overflow. > + mozilla::CheckedInt<size_t> backwardSizeBytes; > + backwardSizeBytes = (bBackwardSizeRaw + 1) * 4; I don't think this works. You should initialize backwardSizeBytes with the raw size, and then add one and multiply. ::: mozglue/linker/XZStream.cpp:232 (Diff revision 2) > } > uint64_t uncompressedSize = 0; > index += ParseVarLenInt(index, end - index, &uncompressedSize); > + mozilla::CheckedInt<size_t> checkedSize(uncompressedSize); > + if (!checkedSize.isValid()) { > + ERROR("XZ parsing: Uncompressed stream size is to large"); typo: too.
Attachment #8885528 -
Flags: review?(mh+mozilla)
Comment hidden (mozreview-request) |
Comment 8•7 years ago
|
||
mozreview-review |
Comment on attachment 8885528 [details] Bug 1380204: Improve error handling in XZStream.cpp https://reviewboard.mozilla.org/r/156396/#review168656
Attachment #8885528 -
Flags: review?(mh+mozilla) → review+
Assignee | ||
Updated•7 years ago
|
Keywords: checkin-needed
Comment 9•7 years ago
|
||
Autoland can't push this until all pending issues in MozReview are marked as resolved.
Keywords: checkin-needed
Assignee | ||
Updated•7 years ago
|
Keywords: checkin-needed
Updated•7 years ago
|
Assignee: nobody → bmurray7jhu
Comment 10•7 years ago
|
||
Pushed by ryanvm@gmail.com: https://hg.mozilla.org/integration/autoland/rev/0d4f763f4080 Improve error handling in XZStream.cpp r=glandium
Keywords: checkin-needed
Comment 11•7 years ago
|
||
bugherder |
https://hg.mozilla.org/mozilla-central/rev/0d4f763f4080
Status: UNCONFIRMED → RESOLVED
Closed: 7 years ago
status-firefox57:
--- → fixed
Resolution: --- → FIXED
Target Milestone: --- → Firefox 57
Updated•3 years ago
|
Product: Firefox for Android → Firefox for Android Graveyard
You need to log in
before you can comment on or make changes to this bug.
Description
•