|
1.18 KB,
application/java-archive
|
Details | |
|
1.08 KB,
text/html
|
Details | |
|
1.04 KB,
application/java-archive
|
Details | |
|
676 bytes,
application/java-archive
|
Details | |
|
6.31 KB,
patch
|
Biesinger
:
review+
bz
:
superreview+
dveditz
:
approval1.8.1.15+
|
Details | Diff | Splinter Review |
|
5.47 KB,
patch
|
Biesinger
:
review+
bz
:
superreview+
Mike Schroepfer
:
approval1.9+
|
Details | Diff | Splinter Review |
Malformed zip directories can crash us. Appears safe, we read outside our buffer and die with an access violation, but in order to snoop on data in other owned buffers it would have to match up exactly with a ZIP "central directory" structure which is extremely unlikely.
|
||
Comment 1•9 years ago
|
||
Created attachment 308642 [details]
zip file that seems to crash
This seems to be a zip file that seems to crash Mozilla when trying to open it.|
|
||
Comment 2•9 years ago
|
||
Created attachment 308643 [details]
script used to open the zip file
I used this script to open the zip file with.|
|
||
Updated•9 years ago
|
||
|
(Assignee) | |
Comment 3•9 years ago
|
||
Martijn's crash: bp-45371582-ef91-11dc-91a2-001a4bd46e84 I think that's probably the same as mine because my patched version doesn't crash on it, but a stock FF does. You don't need to go through the rigamaroll of your script, though, it's enough to simply open the jar: jar:https://bugzilla.mozilla.org/attachment.cgi?id=308642!/ (requires setting network.jar.open-unsafe-types to true, or changing type of attachment to application/java-archive which I'll do for the bug)
|
|
(Assignee) | |
Updated•9 years ago
|
||
|
|
(Assignee) | |
Comment 4•9 years ago
|
||
Created attachment 308664 [details]
invalid (overlong) extralen and commentlen|
|
(Assignee) | |
Comment 5•9 years ago
|
||
testcase: in address bar enter jar:https://bugzilla.mozilla.org/attachment.cgi?id=308664!/
|
|
(Assignee) | |
Comment 6•9 years ago
|
||
Created attachment 308672 [details] [diff] [review] patch WIP (1.8 branch version) This fixes the above testcases but "work in progress" because there are other crashes in this testsuite covered by this bug.
|
|
(Assignee) | |
Comment 7•9 years ago
|
||
Created attachment 309512 [details]
testcase2
Second testcase, trying to view "!/fakerealsize.txt" will crash 1.8. Doesn't seem to crash trunk though.|
|
(Assignee) | |
Comment 8•9 years ago
|
||
That is, the testcase URL is jar:https://bugzilla.mozilla.org/attachment.cgi?id=309512!/fakerealsize.txt
|
|
(Assignee) | |
Comment 9•9 years ago
|
||
Created attachment 309575 [details] [diff] [review] Fix both problems (1.8 branch)
|
|
(Assignee) | |
Comment 10•9 years ago
|
||
Created attachment 309577 [details] [diff] [review] same for trunk
|
|
(Assignee) | |
Updated•9 years ago
|
||
|
|
(Assignee) | |
Comment 11•9 years ago
|
||
Requesting blocking FF3 -- CPNI is going to release their testsuite and it would be nicer to say "we don't crash" than to have to explain "trust us, they're safe crashes".
|
|
(Assignee) | |
Comment 12•9 years ago
|
||
The advisory has been released https://www.cert.fi/haavoittuvuudet/joint-advisory-archive-formats.html
|
|
(Assignee) | |
Updated•9 years ago
|
||
|
||
Updated•9 years ago
|
||
|
||
Updated•9 years ago
|
||
|
|
||
Updated•9 years ago
|
||
|
|
(Assignee) | |
Updated•9 years ago
|
||
|
|
(Assignee) | |
Updated•9 years ago
|
||
|
||
Updated•9 years ago
|
||
|
|
(Assignee) | |
Comment 13•9 years ago
|
||
Fix checked in on trunk
|
|
(Assignee) | |
Updated•9 years ago
|
||
|
|
(Assignee) | |
Comment 14•9 years ago
|
||
Comment on attachment 309575 [details] [diff] [review] Fix both problems (1.8 branch) approved for 1.8.1.14, a=dveditz for release-drivers
|
|
(Assignee) | |
Updated•9 years ago
|
||
|
|
(Assignee) | |
Updated•9 years ago
|
||
|
||
Comment 15•9 years ago
|
||
Verified fixed for 1.8 with Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1.15pre) Gecko/2008061005 BonEcho/2.0.0.15pre.
|
||
Updated•6 years ago
|
||
Description
•