Closed Bug 422118 (cpni-zip) Opened 13 years ago Closed 13 years ago

Crash reading malformed zip [@nsZipArchive::BuildFileList]

Categories

(Core :: Networking: JAR, defect, P2)

Product:
Core
Component:
Networking: JAR
Platform:
x86
Windows XP
Type:
defect

Tracking

()

Status:
RESOLVED FIXED

People

(Reporter: dveditz, Assigned: dveditz)

References

(
URL
)

Details

(Keywords: crash, testcase, verified1.8.1.15, Whiteboard: [sg:nse dos] test URIs in comment 5 and 8)

Crash Data

Attachments

(6 files, 1 obsolete file)

zip file that seems to crash
1.18 KB, application/java-archive
Details
script used to open the zip file
1.08 KB, text/html
Details
invalid (overlong) extralen and commentlen
1.04 KB, application/java-archive
Details
testcase2
676 bytes, application/java-archive
Details
Fix both problems (1.8 branch)
6.31 KB, patch
Biesinger
: review+
bzbarsky
: superreview+
dveditz
: approval1.8.1.15+
Details | Diff | Splinter Review
same for trunk
5.47 KB, patch
Biesinger
: review+
bzbarsky
: superreview+
mtschrep
: approval1.9+
Details | Diff | Splinter Review 
Malformed zip directories can crash us. Appears safe, we read outside our buffer and die with an access violation, but in order to snoop on data in other owned buffers it would have to match up exactly with a ZIP "central directory" structure which is extremely unlikely.
This seems to be a zip file that seems to crash Mozilla when trying to open it.
I used this script to open the zip file with.
Keywords: testcase
Martijn's crash: bp-45371582-ef91-11dc-91a2-001a4bd46e84

I think that's probably the same as mine because my patched version doesn't crash on it, but a stock FF does.

You don't need to go through the rigamaroll of your script, though, it's enough to simply open the jar:
  jar:https://bugzilla.mozilla.org/attachment.cgi?id=308642!/
(requires setting network.jar.open-unsafe-types to true, or changing type of attachment to application/java-archive which I'll do for the bug)
Attachment #308642 - Attachment mime type: application/zip → application/java-archive
testcase: in address bar enter
  jar:https://bugzilla.mozilla.org/attachment.cgi?id=308664!/
Attached patch patch WIP (1.8 branch version) (obsolete) — Splinter Review 
This fixes the above testcases but "work in progress" because there are other crashes in this testsuite covered by this bug.
Attached file testcase2 
Second testcase, trying to view "!/fakerealsize.txt" will crash 1.8. Doesn't seem to crash trunk though.
Attachment #308672 - Attachment is obsolete: true
Attachment #309575 - Flags: superreview?(bzbarsky)
Attachment #309575 - Flags: review?(cbiesinger)
Attached patch same for trunkSplinter Review
Attachment #309577 - Flags: superreview?(bzbarsky)
Attachment #309577 - Flags: review?(cbiesinger)
Whiteboard: [sg:nse dos
Attachment #309577 - Flags: superreview?(bzbarsky) → superreview+
Attachment #309575 - Flags: superreview?(bzbarsky) → superreview+
Requesting blocking FF3 -- CPNI is going to release their testsuite and it would be nicer to say "we don't crash" than to have to explain "trust us, they're safe crashes".
Flags: wanted1.8.1.x+
Flags: blocking1.9?
Flags: blocking1.8.1.14?
Whiteboard: [sg:nse dos → [sg:nse dos]
Group: security
Flags: in-testsuite?
Attachment #309575 - Flags: review?(cbiesinger) → review+
Attachment #309577 - Flags: review?(cbiesinger) → review+
Attachment #309577 - Flags: approval1.9?
Attachment #309575 - Flags: approval1.8.1.14?
Attachment #309577 - Flags: approval1.9? → approval1.9+
Fix checked in on trunk
Status: NEW → RESOLVED
Closed: 13 years ago
Resolution: --- → FIXED
Flags: blocking1.8.1.14? → blocking1.8.1.14+
Comment on attachment 309575 [details] [diff] [review]
Fix both problems (1.8 branch)

approved for 1.8.1.14, a=dveditz for release-drivers
Attachment #309575 - Flags: approval1.8.1.14? → approval1.8.1.14+
Blocks: fuzz-JSFF
Whiteboard: [sg:nse dos] → [sg:nse dos] test URIs in comment 5 and 8
Keywords: fixed1.8.1.15
Verified fixed for 1.8 with Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1.15pre) Gecko/2008061005 BonEcho/2.0.0.15pre.
Keywords: fixed1.8.1.15verified1.8.1.15
Crash Signature: [@nsZipArchive::BuildFileList]
You need to log in before you can comment on or make changes to this bug.