Closed
Bug 510247
Opened 15 years ago
Closed 15 years ago
Buffer under run on JAR files
Categories
(Core :: Networking: JAR, defect)
Tracking
()
RESOLVED
FIXED
mozilla1.9.3a1
Tracking | Status | |
---|---|---|
status1.9.2 | --- | beta5-fixed |
People
(Reporter: peter, Assigned: alfredkayser)
References
(Blocks 1 open bug)
Details
Attachments
(1 file)
6.30 KB,
patch
|
taras.mozilla
:
review+
dietrich
:
approval1.9.2+
|
Details | Diff | Splinter Review |
User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.1) Gecko/20090707 Iceweasel/3.5.1 (Debian-3.5.1-1) Build Identifier: Firefox 3.6 Mercurial In nsZipArchive::BuildFileList, the loop steps backwards through the buffer looking for the central directory. If bufsize < ZIPEND_SIZE (e.g, the very start of the file, when it would otherwise file to find the central directory), endp will be decremented below buf, and xtolong will deference from before the buffer. Of course, this assumes that the zip file is malformed, or there's some other reason the central directory is not being found, which is how I found this at all. Reproducible: Always
Assignee | ||
Comment 1•15 years ago
|
||
Now that jar's are mmapped, this is easy to fix.
Assignee: nobody → alfredkayser
Status: UNCONFIRMED → ASSIGNED
Ever confirmed: true
Assignee | ||
Comment 2•15 years ago
|
||
This patch simplifies the code of the BuildFileList removing the underrun issue, and making the code overall much more readable, and even a little bit faster.
Attachment #394781 -
Flags: review?(benjamin)
Comment 3•15 years ago
|
||
Comment on attachment 394781 [details] [diff] [review] V1: Simplify the BuildFileList scanner logic to prevent underruns >+ PRUint8* buf; >+ PRUint8* endp = mFd->mFileData + mFd->mLen; > >- //-- get archive size using end pos >- PRInt32 pos = (PRInt32) mFd->mLen; >+ for (buf = endp - ZIPEND_SIZE; xtolong(buf) != ENDSIG; buf--) >+ { Note that a file with no ENDSIG will cause you to read past begining of mmap'ed area. Should check for buf > mFd->mFileData. Either that or use an index and check > 0.
Assignee | ||
Comment 4•15 years ago
|
||
This check is within the loop itself: if (buf == mFd->mFileData) { // We're at the beginning of the file, and still no sign // of the end signature. File must be corrupted! return ZIP_ERR_CORRUPT; }
Assignee | ||
Comment 5•15 years ago
|
||
Comment on attachment 394781 [details] [diff] [review] V1: Simplify the BuildFileList scanner logic to prevent underruns Taras, can you do the r of this one? As said in the previous comment, the check for underrun is within the loop itself.
Attachment #394781 -
Flags: review?(benjamin) → review?(tglek)
Comment 6•15 years ago
|
||
Comment on attachment 394781 [details] [diff] [review] V1: Simplify the BuildFileList scanner logic to prevent underruns looks good to me
Attachment #394781 -
Flags: superreview?(benjamin)
Comment 7•15 years ago
|
||
Comment on attachment 394781 [details] [diff] [review] V1: Simplify the BuildFileList scanner logic to prevent underruns this is good to go in
Attachment #394781 -
Flags: superreview?(benjamin)
Attachment #394781 -
Flags: review?(tglek)
Attachment #394781 -
Flags: review+
Updated•15 years ago
|
Keywords: checkin-needed
Comment 8•15 years ago
|
||
http://hg.mozilla.org/mozilla-central/rev/4fa9f187e09c
Status: ASSIGNED → RESOLVED
Closed: 15 years ago
Component: File Handling → Networking: JAR
Keywords: checkin-needed
Product: Firefox → Core
QA Contact: file.handling → networking.jar
Resolution: --- → FIXED
Target Milestone: --- → mozilla1.9.3a1
Updated•15 years ago
|
Flags: blocking1.9.2?
Updated•15 years ago
|
Attachment #394781 -
Flags: approval1.9.2?
Comment 9•15 years ago
|
||
This is a low risk patch that avoids a potential crash.
Comment 10•15 years ago
|
||
Comment on attachment 394781 [details] [diff] [review] V1: Simplify the BuildFileList scanner logic to prevent underruns a=me per discussion w/ beltzner et al.
Attachment #394781 -
Flags: approval1.9.2? → approval1.9.2+
Updated•15 years ago
|
Flags: blocking1.9.2? → blocking1.9.2+
Updated•15 years ago
|
status1.9.2:
--- → final-fixed
You need to log in
before you can comment on or make changes to this bug.
Description
•