Closed
Bug 467749
Opened 16 years ago
Closed 15 years ago
possible valid coverity security bug CID: 1311 in nsZipArchive::BuildFileList
Categories
(Core :: Networking: JAR, defect)
RESOLVED
FIXED
People
(Reporter: guninski, Unassigned)
References
(Blocks 1 open bug)
Details
(Keywords: coverity, Whiteboard: [sg:investigate])
Coverity suspects CID: 1311 from run 279 is an uninitialized read + possible buffer overflow.
The testcase will not be trivial and will depend on stack content, but inspection shows Coverity may be right.
To cut a long story short:
http://hg.mozilla.org/mozilla-central/annotate/32c453ca17ed/modules/libjar/nsZipArchive.cpp#l945
[1] if (leftover < (namelen + extralen + commentlen + ZIPCENTRAL_SIZE)) {
[1] takes the false path and |pos| seems to be nonzero.
later:
982 pos += namelen + extralen + commentlen;
983 sig = xtolong(buf+pos);
983 seems outside of |buf| and we are back in the reading loop. For a lucky value of |sig| further reading of |pos| is possible, and in addition
948 memcpy(buf, buf+pos, leftover);
may overflow.
I may have missed something and this may be wrong.
Updated by reporter 16 years ago
Whiteboard: [sg:investigate]
Updated by reporter 16 years ago
Product: Firefox → Core
Updated by reporter 16 years ago
Summary: possible valid coverity security bug CID: 1311 in nsZipArchive.cpp → possible valid coverity security bug CID: 1311 in nsZipArchive::BuildFileList
Updated 16 years ago
Component: General → Networking: JAR
QA Contact: general → networking.jar
Comment 1, 15 years ago
First of all, the issue points to old code.
We now scan BuildFileList from a memmapped file.
But in theory, one could have out-of-bounds reads here in the same way.
There is at least some checking at:
590 if (endp - buf < ZIPCENTRAL_SIZE)
591 return ZIP_ERR_CORRUPT;
There is work underway and a ready patch for more JAR optimizations, such as bug 510844.
We could have some extra checks in the meanwhile to close this potential OOB read.
Comment 2, 15 years ago
Fixed by bug 510844.
Reads outside the memmapped space of the jar are no longer possible.
Status: NEW → RESOLVED
Closed: 15 years ago
Resolution: --- → FIXED
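The defect class in the report (a length taken from the central directory carries |pos| past the buffer before the next read, and the leftover check is not taken from the current cursor) and the property Comment 2 states for the fix (no read outside the mapped region) are illustrated here by an added example. It is not Mozilla's code and is not taken from nsZipArchive.cpp: it is a minimal central-directory walker over an in-memory buffer. The 46-byte fixed header (ZIPCENTRAL_SIZE) and the name/extra/comment length fields at offsets 28, 30 and 32 follow the ZIP central directory file header layout; the function names (build_file_list, put_central, sample_good, sample_lying_namelen) and the sample data are constructed for this example. The point that matters for the bug is that every length from the file is compared with the bytes remaining from the current cursor (endp - pos) before pos advances, so a lying name length is rejected rather than read.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Simplified walker, not nsZipArchive code. Central directory file header:
 * 46 fixed bytes (ZIPCENTRAL_SIZE), then name, extra field and comment whose
 * lengths are stored at offsets 28, 30 and 32. */
#define CENTRAL_SIG     0x02014b50u
#define END_SIG         0x06054b50u
#define ZIPCENTRAL_SIZE 46u
#define ZIP_OK          0
#define ZIP_ERR_CORRUPT (-1)

static uint16_t rd16(const uint8_t *p) { return (uint16_t)(p[0] | (p[1] << 8)); }
static uint32_t rd32(const uint8_t *p) {
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) | ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}
static void wr16(uint8_t *p, uint16_t v) { p[0] = (uint8_t)v; p[1] = (uint8_t)(v >> 8); }
static void wr32(uint8_t *p, uint32_t v) { for (int i = 0; i < 4; i++) p[i] = (uint8_t)(v >> (8 * i)); }

/* Scan entries in [buf+start, buf+len). Each length read from the file is
 * compared with the bytes left from the CURRENT cursor (endp - pos), not with
 * the whole buffer, so a name/extra/comment length that would push pos past
 * the mapping is rejected before anything beyond it is read. *count receives
 * the entries seen; the last name is copied into lastname (truncated to cap). */
int build_file_list(const uint8_t *buf, size_t len, size_t start,
                    int *count, char *lastname, size_t lastname_cap) {
    const uint8_t *endp = buf + len;
    const uint8_t *pos;
    *count = 0;
    if (lastname_cap) lastname[0] = '\0';
    if (start > len) return ZIP_ERR_CORRUPT;
    pos = buf + start;
    for (;;) {
        if ((size_t)(endp - pos) < 4) return ZIP_ERR_CORRUPT;              /* signature */
        uint32_t sig = rd32(pos);
        if (sig == END_SIG) return ZIP_OK;                                  /* end of directory */
        if (sig != CENTRAL_SIG) return ZIP_ERR_CORRUPT;
        if ((size_t)(endp - pos) < ZIPCENTRAL_SIZE) return ZIP_ERR_CORRUPT; /* fixed part */
        size_t namelen = rd16(pos + 28), extralen = rd16(pos + 30), commentlen = rd16(pos + 32);
        size_t reclen = ZIPCENTRAL_SIZE + namelen + extralen + commentlen; /* <= 46+3*65535, no overflow */
        if ((size_t)(endp - pos) < reclen) return ZIP_ERR_CORRUPT;         /* variable part */
        if (lastname_cap) {
            size_t n = namelen < lastname_cap - 1 ? namelen : lastname_cap - 1;
            memcpy(lastname, pos + ZIPCENTRAL_SIZE, n);                     /* inside the mapping by the check above */
            lastname[n] = '\0';
        }
        pos += reclen;                                                      /* pos <= endp still holds */
        (*count)++;
    }
}

/* Constructed test data, not taken from a real archive. */
size_t put_central(uint8_t *out, size_t cap, const char *name, uint16_t extralen, uint16_t commentlen) {
    size_t namelen = strlen(name);
    size_t reclen = ZIPCENTRAL_SIZE + namelen + extralen + commentlen;
    if (namelen > 0xFFFF || reclen > cap) return 0;
    memset(out, 0, reclen);
    wr32(out, CENTRAL_SIG);
    wr16(out + 28, (uint16_t)namelen);
    wr16(out + 30, extralen);
    wr16(out + 32, commentlen);
    memcpy(out + ZIPCENTRAL_SIZE, name, namelen);
    return reclen;
}
size_t put_end(uint8_t *out, size_t cap) {
    if (cap < 4) return 0;
    wr32(out, END_SIG);
    return 4;
}
/* Two well-formed entries (51 + 61 bytes) plus the 4-byte end marker: 116 bytes. */
size_t sample_good(uint8_t *out, size_t cap) {
    size_t n = 0;
    n += put_central(out + n, cap - n, "a.txt", 0, 0);
    n += put_central(out + n, cap - n, "dir/b.txt", 4, 2);
    n += put_end(out + n, cap - n);
    return n;
}
/* Same bytes, but the second entry (at offset 51) claims a 512-byte name that
 * is not in the buffer; the cursor-relative check must reject it. */
size_t sample_lying_namelen(uint8_t *out, size_t cap) {
    size_t n = sample_good(out, cap);
    wr16(out + 51 + 28, 0x200);
    return n;
}

int main(void) {
    uint8_t buf[256]; int count; char name[64]; int rc;
    size_t n = sample_good(buf, sizeof buf);
    rc = build_file_list(buf, n, 0, &count, name, sizeof name);
    printf("good: rc=%d count=%d last=%s\n", rc, count, name);
    n = sample_lying_namelen(buf, sizeof buf);
    rc = build_file_list(buf, n, 0, &count, name, sizeof name);
    printf("lying namelen: rc=%d count=%d\n", rc, count);
    return 0;
}
```

The two signature checks (4 bytes before reading |sig|, then ZIPCENTRAL_SIZE before reading the length fields) are what a memmapped scan needs in place of the buffered loop's leftover bookkeeping: once pos is only ever advanced by a reclen that has been checked against endp - pos, no read can land outside the mapping, which is the property Comment 2 describes.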
Updated 12 years ago
Group: core-security
Updated 6 years ago
Blocks: coverity-analysis