author | Moonchild <moonchild@palemoon.org> | 2022-12-15 11:49:39 +0000 |
---|---|---|
committer | Moonchild <moonchild@palemoon.org> | 2022-12-15 11:49:39 +0000 |
commit | d9fb68d21b6693915dda2398f8b1356031a8c2f1 (patch) | |
tree | e9fc103b7fa7c61724be7b81a02b83529db370c1 /modules | |
parent | df2b82e2cb9c42e10820aa74702fa94029e24d2c (diff) | |
[libjar] Add some extra sanity checks to our Zip reader.
Diffstat (limited to 'modules')
-rw-r--r-- | modules/libjar/nsZipArchive.cpp | 17 |
1 files changed, 15 insertions, 2 deletions
diff --git a/modules/libjar/nsZipArchive.cpp b/modules/libjar/nsZipArchive.cpp
index b28fddc181..1ee3839baa 100644
--- a/modules/libjar/nsZipArchive.cpp
+++ b/modules/libjar/nsZipArchive.cpp
@@ -885,15 +885,22 @@ nsZipHandle* nsZipArchive::GetFD()
 uint32_t nsZipArchive::GetDataOffset(nsZipItem* aItem)
 {
 MOZ_ASSERT(aItem);
+ uint32_t offset;
 MOZ_WIN_MEM_TRY_BEGIN
 //-- read local header to get variable length values and calculate
 //-- the real data offset
 uint32_t len = mFd->mLen;
 const uint8_t* data = mFd->mFileData;
- uint32_t offset = aItem->LocalOffset();
+ offset = aItem->LocalOffset();
 if (len < ZIPLOCAL_SIZE || offset > len - ZIPLOCAL_SIZE)
 return 0;
+ // Check there's enough space for the signature
+ if (offset > mFd->mLen) {
+ NS_WARNING("Corrupt local offset in JAR file");
+ return 0;
+ }
+
 // -- check signature before using the structure, in case the zip file is corrupt
 ZipLocal* Local = (ZipLocal*)(data + offset);
 if ((xtolong(Local->signature) != LOCALSIG))
@@ -906,8 +913,14 @@ MOZ_WIN_MEM_TRY_BEGIN
 xtoint(Local->filename_len) +
 xtoint(Local->extrafield_len);
- return offset;
+ // Check data points inside the file.
+ if (offset > mFd->mLen) {
+ NS_WARNING("Corrupt data offset in JAR file");
+ return 0;
+ }
 MOZ_WIN_MEM_TRY_CATCH(return 0)
+ // Can't be 0
+ return offset;
 }
 //--------------------------------------------- |
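Review bot: The first added check, `if (offset > mFd->mLen)`, can never be true where it sits. The unchanged guard directly above it already returns when `offset > len - ZIPLOCAL_SIZE`, and `len` was read from `mFd->mLen`, so room for the local header signature is already guaranteed and the new branch with its NS_WARNING is dead code. If the diagnostic is the goal, attach it to the existing guard instead: `if (len < ZIPLOCAL_SIZE || offset > len - ZIPLOCAL_SIZE) { NS_WARNING("Corrupt local offset in JAR file"); return 0; }`. GetDataOffset's body continues outside this hunk.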
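Review bot: The second added check, `if (offset > mFd->mLen)` after the header and name lengths are added to `offset`, bounds only the start of the entry data. It accepts `offset == mFd->mLen` and says nothing about the entry's size, so any caller that reads from the returned offset still has to bound the read itself; the callers are not visible in this hunk. I would document that next to the check, e.g. `// Only the start of the data is validated here; callers must check offset + size against mFd->mLen.` The sum is also computed in `uint32_t`, so for a mapping close to 4 GiB it could in principle wrap before the comparison. Comparing the added lengths against `len - offset` before doing the addition would close that gap.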