Closed Bug 832160 Opened 13 years ago Closed 13 years ago

JAR/ZIP crash [@nsZipArchive::BuildSynthetics]

Categories

(Core :: Networking: JAR, defect)

x86_64
macOS
defect
Not set
critical

Tracking


RESOLVED DUPLICATE of bug 832162
blocking-b2g tef+

People

(Reporter: posidron, Assigned: jduell.mcbugs)

Details

(Keywords: crash, sec-critical, testcase)

Attachments

(3 files)

Attached file callstack
This crash happened while fuzzing the JAR/ZIP parser.

./modules/libjar/nsZipArchive.cpp:628
    for (uint16_t dirlen = namelen - 1; dirlen > 0; dirlen--) {
      if (name[dirlen-1] != '/')
        continue;

To reproduce, load the testcase like:

jar:file:///Users/cdiehl/Desktop/testcase.jar!/

Tested with m-c changeset: 119051:ff2e30afa205
Attached file testcase
Crashing on non-null, need to determine if this is exploitable.
blocking-b2g: --- → tef+
Assignee: nobody → jduell.mcbugs
Taras: I can't say I even know what the BuildSynthetics code is for, but this patch keeps it from trying to reference name[-1], which is causing the crash. With the patch I no longer crash, and instead see a listing of the JAR file's contents (attack.js and attack2.js).
Attachment #704294 - Flags: review?(taras.mozilla)
Exactly the same fix as bug 832162, and also I think this check needs to be done in a different place, as described in my feedback to the patch for bug 832162.
Status: NEW → RESOLVED
Closed: 13 years ago
Resolution: --- → DUPLICATE
Attachment #704294 - Flags: review?(taras.mozilla) → review+
Group: core-security
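How the loop quoted in comment 0 misbehaves on a zip entry whose name is empty, next to a guarded form, as an added C example written for this page (it is not code from this bug's attachments or from mozilla-central). The loop counter is uint16_t, so namelen - 1 wraps to 65535 when namelen is 0 and the first read lands far outside the name buffer; the namelen == 0 guard is an assumption about the kind of check the comments refer to, not the attached patch.

```c
#include <stdint.h>
#include <stdio.h>

/* Mirrors the loop from nsZipArchive.cpp:628 in comment 0. Counts the
 * '/'-terminated directory prefixes of an entry name. Instead of really
 * reading out of bounds, it returns -1 when the index it is about to
 * use falls outside [0, namelen). With namelen == 0, dirlen starts at
 * 65535 (unsigned wrap) and the very first read is name[65534]. */
static int count_dir_prefixes_unchecked(const char *name, uint16_t namelen)
{
    int found = 0;
    for (uint16_t dirlen = namelen - 1; dirlen > 0; dirlen--) {
        if (dirlen - 1 >= namelen)   /* stand-in for the out-of-bounds read */
            return -1;
        if (name[dirlen - 1] != '/')
            continue;
        found++;                     /* name[0..dirlen) is a directory prefix */
    }
    return found;
}

/* Guarded form (assumed shape of the fix, not the bug's patch): an entry
 * with an empty name has nothing to synthesize, so skip it before the
 * counter can wrap. For namelen > 0, dirlen <= namelen - 1 < namelen
 * on every iteration, so name[dirlen - 1] stays inside the buffer. */
static int count_dir_prefixes_checked(const char *name, uint16_t namelen)
{
    if (namelen == 0)
        return 0;
    int found = 0;
    for (uint16_t dirlen = namelen - 1; dirlen > 0; dirlen--) {
        if (name[dirlen - 1] == '/')
            found++;
    }
    return found;
}

int main(void)
{
    /* Constructed entry names; the empty one models the fuzzed entry. */
    printf("unchecked, empty name: %d\n", count_dir_prefixes_unchecked("", 0));
    printf("checked,   empty name: %d\n", count_dir_prefixes_checked("", 0));
    printf("checked,   nested path: %d\n",
           count_dir_prefixes_checked("dir/sub/file.js", 15));
    return 0;
}
```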