Closed Bug 832160 Opened 11 years ago Closed 11 years ago

JAR/ZIP crash [@nsZipArchive::BuildSynthetics]

Categories

Core :: Networking: JAR, defect
Hardware: x86_64, OS: macOS
Severity: critical

Tracking

RESOLVED DUPLICATE of bug 832162
blocking-b2g tef+

People

(Reporter: posidron, Assigned: jduell.mcbugs)

Details

(Keywords: crash, sec-critical, testcase)

Attachments

(3 files)

Attached file callstack
This crash happened while fuzzing the JAR/ZIP parser.

./modules/libjar/nsZipArchive.cpp:628

      for (uint16_t dirlen = namelen - 1; dirlen > 0; dirlen--)
      {
        if (name[dirlen-1] != '/')
          continue;

To reproduce load the testcase like:

jar:file:///Users/cdiehl/Desktop/testcase.jar!/

Tested with m-c changeset: 119051:ff2e30afa205
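An added example, not Mozilla's code and not the attached patch: it models the quoted BuildSynthetics loop (walk the entry name backwards, synthesize an entry for every parent directory) and puts an empty-name guard in front of it, because `namelen` is a 16-bit length taken from the archive and for an empty name `namelen - 1` wraps in the unsigned loop counter, so `name[dirlen - 1]` reads outside the buffer. The function name `collect_parent_dirs`, the 256-byte prefix cap, the two helpers and the sample entry names are assumptions of this example.

```c
#include <stdint.h>
#include <string.h>

#define MAX_NAME 256   /* assumed cap on entry-name length for this example */

/* Walks a ZIP entry name backwards looking for '/', the way the quoted
 * BuildSynthetics loop does, and copies each parent-directory prefix
 * (longest first, e.g. "a/b/" then "a/" for "a/b/c.js") into out[].
 * Returns the number of prefixes, or -1 if a limit is exceeded.
 *
 * Hazard being guarded: namelen is a 16-bit length read from the archive.
 * With an empty name, `namelen - 1` wraps to 65535 in the uint16_t loop
 * counter and `name[dirlen - 1]` reads far outside the buffer. */
int collect_parent_dirs(const char *name, uint16_t namelen,
                        char out[][MAX_NAME], int max_out)
{
    if (namelen == 0)                /* fix: an empty name has no parents and
                                        must never feed namelen - 1 below */
        return 0;
    if (namelen >= MAX_NAME)         /* every prefix must fit in out[][] */
        return -1;

    int count = 0;
    /* Start one byte before the end so a directory entry's own trailing
     * '/' is not reported as a parent; same shape as the original loop. */
    for (uint16_t dirlen = namelen - 1; dirlen > 0; dirlen--) {
        if (name[dirlen - 1] != '/')
            continue;
        if (count == max_out)
            return -1;
        memcpy(out[count], name, dirlen);   /* dirlen < namelen < MAX_NAME */
        out[count][dirlen] = '\0';
        count++;
    }
    return count;
}

/* Helpers so results can be checked by value (assumed, example-only). */
int parent_count(const char *name)
{
    char dirs[8][MAX_NAME];
    return collect_parent_dirs(name, (uint16_t)strlen(name), dirs, 8);
}

int nth_parent_is(const char *name, int n, const char *expect)
{
    char dirs[8][MAX_NAME];
    int count = collect_parent_dirs(name, (uint16_t)strlen(name), dirs, 8);
    return n < count && strcmp(dirs[n], expect) == 0;
}
```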
Attached file testcase
Crashing on non-null, need to determine if this is exploitable.
blocking-b2g: --- → tef+
Assignee: nobody → jduell.mcbugs
Taras: I can't say I even know what the buildsynthetics code is for, but this patch keeps it from trying to reference name[-1], which is causing the crash.

With the patch I no longer crash, and instead see a listing of the JAR file's contents (attack.js and attack2.js).
Attachment #704294 - Flags: review?(taras.mozilla)
Exactly the same fix as bug 832162, and also I think this check needs to be done in a different place, as described in my feedback to the patch for bug 832162.
Status: NEW → RESOLVED
Closed: 11 years ago
Resolution: --- → DUPLICATE
Attachment #704294 - Flags: review?(taras.mozilla) → review+
Group: core-security