Bug 422118 - (cpni-zip) Crash reading malformed zip [@nsZipArchive::BuildFileList]
Status: RESOLVED FIXED
Whiteboard: [sg:nse dos] test URIs in comment 5 a...
Keywords: crash, testcase, verified1.8.1.15
Product: Core
Classification: Components
Component: Networking: JAR
Version: unspecified
Platform: x86 Windows XP
Priority/Severity: P2 normal
Target Milestone: ---
Assigned To: Daniel Veditz [:dveditz]
URL: https://www.cert.fi/haavoittuvuudet/j...
Blocks: 413380
Reported: 2008-03-11 08:48 PDT by Daniel Veditz [:dveditz]
Modified: 2011-06-13 10:01 PDT
CC: 6 users
Flags:
dveditz: blocking1.9?
dveditz: blocking1.8.1.15+
dveditz: wanted1.8.1.x+
jwalden+bmo: in-testsuite?


Attachments
zip file that seems to crash (1.18 KB, application/java-archive), 2008-03-11 09:13 PDT, Martijn Wargers [:mwargers] (not working for Mozilla)
script used to open the zip file (1.08 KB, text/html), 2008-03-11 09:16 PDT, Martijn Wargers [:mwargers] (not working for Mozilla)
invalid (overlong) extralen and commentlen (1.04 KB, application/java-archive), 2008-03-11 11:08 PDT, Daniel Veditz [:dveditz]
patch WIP (1.8 branch version) (3.71 KB, patch), 2008-03-11 11:42 PDT, Daniel Veditz [:dveditz]
testcase2 (676 bytes, application/java-archive), 2008-03-14 14:23 PDT, Daniel Veditz [:dveditz]
Fix both problems (1.8 branch) (6.31 KB, patch), 2008-03-14 19:19 PDT, Daniel Veditz [:dveditz]; flags: cbiesinger: review+, bzbarsky: superreview+, dveditz: approval1.8.1.15+
same for trunk (5.47 KB, patch), 2008-03-14 19:22 PDT, Daniel Veditz [:dveditz]; flags: cbiesinger: review+, bzbarsky: superreview+, mtschrep: approval1.9+

Description Daniel Veditz [:dveditz] 2008-03-11 08:48:07 PDT
Malformed zip directories can crash us. Appears safe, we read outside our buffer and die with an access violation, but in order to snoop on data in other owned buffers it would have to match up exactly with a ZIP "central directory" structure which is extremely unlikely.
Comment 1 Martijn Wargers [:mwargers] (not working for Mozilla) 2008-03-11 09:13:58 PDT
Created attachment 308642
zip file that seems to crash

This seems to be a zip file that seems to crash Mozilla when trying to open it.
Comment 2 Martijn Wargers [:mwargers] (not working for Mozilla) 2008-03-11 09:16:19 PDT
Created attachment 308643
script used to open the zip file

I used this script to open the zip file with.
Comment 3 Daniel Veditz [:dveditz] 2008-03-11 11:01:44 PDT
Martijn's crash: bp-45371582-ef91-11dc-91a2-001a4bd46e84

I think that's probably the same as mine because my patched version doesn't crash on it, but a stock FF does.

You don't need to go through the rigmarole of your script, though, it's enough to simply open the jar:
  jar:https://bugzilla.mozilla.org/attachment.cgi?id=308642!/
(requires setting network.jar.open-unsafe-types to true, or changing type of attachment to application/java-archive which I'll do for the bug)
Comment 4 Daniel Veditz [:dveditz] 2008-03-11 11:08:33 PDT
Created attachment 308664
invalid (overlong) extralen and commentlen
Comment 5 Daniel Veditz [:dveditz] 2008-03-11 11:14:34 PDT
testcase: in address bar enter
  jar:https://bugzilla.mozilla.org/attachment.cgi?id=308664!/
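The attachment in comment 4 and the testcase in comment 5 exercise overlong extralen and commentlen fields in the ZIP central directory, which the description says makes the parser read outside its buffer. The program below is an added example, not Mozilla's nsZipArchive code: a minimal central directory walker that checks each entry's claimed name, extra and comment lengths against the bytes actually remaining before it advances, so an overlong or truncated entry is rejected instead of read past the end of the buffer. The header layout (46-byte fixed part, 16-bit length fields at offsets 28, 30 and 32, signature 0x02014b50) follows the PKZIP application note; the sample buffers and the helper and function names are constructed for this example.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Central directory file header: signature 0x02014b50, 46 fixed bytes,
   then filename, extra field and comment whose lengths are the 16-bit
   fields at offsets 28, 30 and 32. */
#define CDIR_SIG       0x02014b50u
#define CDIR_FIXED_LEN 46u

static uint16_t rd16(const uint8_t *p) { return (uint16_t)(p[0] | (p[1] << 8)); }
static uint32_t rd32(const uint8_t *p)
{
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
           ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

/* Walk the central directory in buf[0..len) and return the entry count,
   or -1 if a header is truncated or claims name/extra/comment bytes that
   lie beyond the buffer. The check happens before the cursor moves, so no
   field is ever read past buf + len. */
int count_cdir_entries(const uint8_t *buf, size_t len)
{
    size_t pos = 0;
    int count = 0;

    while (pos < len) {
        size_t remaining = len - pos;
        const uint8_t *h = buf + pos;

        if (remaining < CDIR_FIXED_LEN)   /* fixed header itself is cut off */
            return -1;
        if (rd32(h) != CDIR_SIG)          /* not a central directory entry */
            return -1;

        size_t namelen    = rd16(h + 28);
        size_t extralen   = rd16(h + 30);
        size_t commentlen = rd16(h + 32);
        size_t varlen = namelen + extralen + commentlen; /* <= 3*65535, no overflow */

        /* Overlong extralen/commentlen (the comment 4 attachment) fail here
           instead of pushing the cursor outside the buffer. */
        if (varlen > remaining - CDIR_FIXED_LEN)
            return -1;

        pos += CDIR_FIXED_LEN + varlen;
        count++;
    }
    return count;
}

/* Constructed test data: emit one entry with the given name and the
   *claimed* extra/comment lengths, but write no extra or comment bytes,
   so a non-zero claim is an overlong field just like the testcase. */
static size_t write_entry(uint8_t *out, const char *name,
                          uint16_t extralen, uint16_t commentlen)
{
    size_t namelen = strlen(name);
    memset(out, 0, CDIR_FIXED_LEN);
    out[0] = 0x50; out[1] = 0x4b; out[2] = 0x01; out[3] = 0x02; /* "PK\1\2" */
    out[28] = (uint8_t)namelen;    out[29] = (uint8_t)(namelen >> 8);
    out[30] = (uint8_t)extralen;   out[31] = (uint8_t)(extralen >> 8);
    out[32] = (uint8_t)commentlen; out[33] = (uint8_t)(commentlen >> 8);
    memcpy(out + CDIR_FIXED_LEN, name, namelen);
    return CDIR_FIXED_LEN + namelen;
}

/* Two well-formed entries: returns 2. */
int demo_wellformed(void)
{
    uint8_t buf[256];
    size_t n = 0;
    n += write_entry(buf + n, "a.txt", 0, 0);
    n += write_entry(buf + n, "dir/b.txt", 0, 0);
    return count_cdir_entries(buf, n);
}

/* Second entry claims 64 KiB of extra data and 64 KiB of comment that are
   not present: returns -1 rather than reading out of bounds. */
int demo_overlong(void)
{
    uint8_t buf[256];
    size_t n = 0;
    n += write_entry(buf + n, "a.txt", 0, 0);
    n += write_entry(buf + n, "bogus.txt", 0xFFFF, 0xFFFF);
    return count_cdir_entries(buf, n);
}

/* Directory cut off inside the second fixed header: returns -1. */
int demo_truncated(void)
{
    uint8_t buf[256];
    size_t n = 0;
    n += write_entry(buf + n, "a.txt", 0, 0);
    n += write_entry(buf + n, "dir/b.txt", 0, 0);
    return count_cdir_entries(buf, n - 20);
}

int main(void)
{
    printf("well-formed: %d\n", demo_wellformed());
    printf("overlong:    %d\n", demo_overlong());
    printf("truncated:   %d\n", demo_truncated());
    return 0;
}
```

The important detail is the order of operations: the length fields are compared with `remaining - CDIR_FIXED_LEN` before `pos` is advanced, and the comparison is done in `size_t` after the fixed-header check has already guaranteed that subtraction cannot wrap.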
Comment 6 Daniel Veditz [:dveditz] 2008-03-11 11:42:14 PDT
Created attachment 308672
patch WIP (1.8 branch version)

This fixes the above testcases but "work in progress" because there are other crashes in this testsuite covered by this bug.
Comment 7 Daniel Veditz [:dveditz] 2008-03-14 14:23:52 PDT
Created attachment 309512
testcase2

Second testcase, trying to view "!/fakerealsize.txt" will crash 1.8. Doesn't seem to crash trunk though.
Comment 8 Daniel Veditz [:dveditz] 2008-03-14 14:24:38 PDT
That is, the testcase URL is
  jar:https://bugzilla.mozilla.org/attachment.cgi?id=309512!/fakerealsize.txt
Comment 9 Daniel Veditz [:dveditz] 2008-03-14 19:19:02 PDT
Created attachment 309575
Fix both problems (1.8 branch)
Comment 10 Daniel Veditz [:dveditz] 2008-03-14 19:22:35 PDT
Created attachment 309577
same for trunk
Comment 11 Daniel Veditz [:dveditz] 2008-03-17 01:58:26 PDT
Requesting blocking FF3 -- CPNI is going to release their testsuite and it would be nicer to say "we don't crash" than to have to explain "trust us, they're safe crashes".
Comment 12 Daniel Veditz [:dveditz] 2008-03-18 11:49:48 PDT
The advisory has been released
https://www.cert.fi/haavoittuvuudet/joint-advisory-archive-formats.html
Comment 13 Daniel Veditz [:dveditz] 2008-03-19 12:29:08 PDT
Fix checked in on trunk
Comment 14 Daniel Veditz [:dveditz] 2008-03-26 11:40:48 PDT
Comment on attachment 309575
Fix both problems (1.8 branch)

approved for 1.8.1.14, a=dveditz for release-drivers
Comment 15 Al Billings [:abillings] 2008-06-11 13:21:29 PDT
Verified fixed for 1.8 with Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1.15pre) Gecko/2008061005 BonEcho/2.0.0.15pre. 
