Closed Bug 510247 Opened 15 years ago Closed 15 years ago

Buffer under run on JAR files

Categories

(Core :: Networking: JAR, defect)

Product:
Core
Component:
Networking: JAR
Platform:
All
Linux
Type:
defect
Priority:
Not set
Severity:
normal

Tracking

()

Status:
RESOLVED FIXED
Milestone:
mozilla1.9.3a1
Tracking Flags:
Tracking Status
status1.9.2 --- beta5-fixed

People

(Reporter: peter, Assigned: alfredkayser)

References

(Blocks 1 open bug)

Details

Attachments

(1 file)

V1: Simplify the BuildFileList scanner logic to prevent underruns
6.30 KB, patch
taras.mozilla
: review+
dietrich
: approval1.9.2+
Details | Diff | Splinter Review 
User-Agent:       Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.1) Gecko/20090707 Iceweasel/3.5.1 (Debian-3.5.1-1)
Build Identifier: Firefox 3.6 Mercurial

In nsZipArchive::BuildFileList, the loop steps backwards through the buffer looking for the central directory.  

If bufsize < ZIPEND_SIZE (e.g, the very start of the file, when it would otherwise file to find the central directory), endp will be decremented below buf, and xtolong will deference from before the buffer.

Of course, this assumes that the zip file is malformed, or there's some other reason the central directory is not being found, which is how I found this at all.



Reproducible: Always
Now that jar's are mmapped, this is easy to fix.
Assignee: nobody → alfredkayser
Status: UNCONFIRMED → ASSIGNED
Ever confirmed: true
This patch simplifies the code of the BuildFileList removing the underrun issue, and making the code overall much more readable, and even a little bit faster.
Attachment #394781 - Flags: review?(benjamin)
Blocks: 510611
Comment on attachment 394781 [details] [diff] [review]
V1: Simplify the BuildFileList scanner logic to prevent underruns

>+  PRUint8* buf;
>+  PRUint8* endp = mFd->mFileData + mFd->mLen;
> 
>-  //-- get archive size using end pos
>-  PRInt32  pos = (PRInt32) mFd->mLen;
>+  for (buf = endp - ZIPEND_SIZE; xtolong(buf) != ENDSIG; buf--)
>+  {

Note that a file with no ENDSIG will cause you to read past begining of mmap'ed area. Should check for buf > mFd->mFileData. Either that or use an index and check > 0.
This check is within the loop itself:
    if (buf == mFd->mFileData) {
      // We're at the beginning of the file, and still no sign
      // of the end signature.  File must be corrupted!
      return ZIP_ERR_CORRUPT;
    }
Comment on attachment 394781 [details] [diff] [review]
V1: Simplify the BuildFileList scanner logic to prevent underruns

Taras, can you do the r of this one?
As said in the previous comment, the check for underrun is within the loop itself.
Attachment #394781 - Flags: review?(benjamin) → review?(tglek)
Comment on attachment 394781 [details] [diff] [review]
V1: Simplify the BuildFileList scanner logic to prevent underruns

looks good to me
Attachment #394781 - Flags: superreview?(benjamin)
Comment on attachment 394781 [details] [diff] [review]
V1: Simplify the BuildFileList scanner logic to prevent underruns

this is good to go in
Attachment #394781 - Flags: superreview?(benjamin)
Attachment #394781 - Flags: review?(tglek)
Attachment #394781 - Flags: review+
Keywords: checkin-needed
Blocks: 510844
http://hg.mozilla.org/mozilla-central/rev/4fa9f187e09c
Status: ASSIGNED → RESOLVED
Closed: 15 years ago
Component: File Handling → Networking: JAR
Keywords: checkin-needed
Product: Firefox → Core
QA Contact: file.handling → networking.jar
Resolution: --- → FIXED
Target Milestone: --- → mozilla1.9.3a1
Flags: blocking1.9.2?
Attachment #394781 - Flags: approval1.9.2?
Blocks: 510874
This is a low risk patch that avoids a potential crash.
Comment on attachment 394781 [details] [diff] [review]
V1: Simplify the BuildFileList scanner logic to prevent underruns

a=me per discussion w/ beltzner et al.
Attachment #394781 - Flags: approval1.9.2? → approval1.9.2+
Flags: blocking1.9.2? → blocking1.9.2+
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: