Bug 1838117 - Reject JAR entries that don't inflate to the correct size r=jesup

- Adds pref for whether to enforce size match with central->orglen
- Checks return code of inflateEnd and returns error if it's not Z_OK
- Also enter the finished block if mZs.total_out > mOutSize

Differential Revision: https://phabricator.services.mozilla.com/D181458

modules/libjar/nsJARInputStream.cpp

@@ -300,9 +300,19 @@ nsresult nsJARInputStream::ContinueInflate(char* aBuffer, uint32_t aCount,
 
   // be aggressive about ending the inflation
   // for some reason we don't always get Z_STREAM_END
-  if (finished || mZs.total_out == mOutSize) {
+  if (finished || mZs.total_out >= mOutSize) {
     if (mMode == MODE_INFLATE) {
-      inflateEnd(&mZs);
+      int zerr = inflateEnd(&mZs);
+      if (zerr != Z_OK) {
+        return NS_ERROR_FILE_CORRUPTED;
+      }
+
+      // Stream is finished but has a different size from what
+      // we expected.
+      if (mozilla::StaticPrefs::network_jar_require_size_match() &&
+          mZs.total_out != mOutSize) {
+        return NS_ERROR_FILE_CORRUPTED;
+      }
     }
 
     // stop returning valid data as soon as we know we have a bad CRC

modules/libpref/init/StaticPrefList.yaml

@@ -12657,6 +12657,13 @@
   value: 256*1024*1024 # 256 Mb
   mirror: always
 
+# Whether JAR entries that defate to a different size than RealSize/orglen
+# are considered corrupted or not
+- name: network.jar.require_size_match
+  type: RelaxedAtomicBool
+  value: true
+  mirror: always
+
 # When this pref is true we clear the Content-Encoding header for
 # application/x-gzip Content-Type responses, see bug 1030660.
 #