Bug 1801102 - Handle corrupted JAR files r=jesup

Differential Revision: https://phabricator.services.mozilla.com/D162392

modules/libjar/nsZipArchive.cpp

@@ -775,10 +775,14 @@ uint32_t nsZipArchive::GetDataOffset(nsZipItem* aItem) {
   MOZ_DIAGNOSTIC_ASSERT(len <= UINT32_MAX, "mLen > 2GB");
   const uint8_t* data = mFd->mFileData;
   offset = aItem->LocalOffset();
-  if (len < ZIPLOCAL_SIZE || offset > len - ZIPLOCAL_SIZE) return 0;
-  // Asserts there's enough space for the signature
-  MOZ_DIAGNOSTIC_ASSERT(offset <= mFd->mLen - 4,
-                        "Corrupt local offset in JAR file");
+  if (len < ZIPLOCAL_SIZE || offset > len - ZIPLOCAL_SIZE) {
+    return 0;
+  }
+  // Check there's enough space for the signature
+  if (offset > mFd->mLen) {
+    NS_WARNING("Corrupt local offset in JAR file");
+    return 0;
+  }
 
   // -- check signature before using the structure, in case the zip file is
   // corrupt
@@ -790,8 +794,11 @@ uint32_t nsZipArchive::GetDataOffset(nsZipItem* aItem) {
   //--       the offset accurately we need the _local_ extralen.
   offset += ZIPLOCAL_SIZE + xtoint(Local->filename_len) +
             xtoint(Local->extrafield_len);
-  // Asserts there's enough space for the signature
-  MOZ_DIAGNOSTIC_ASSERT(offset <= mFd->mLen, "Corrupt data offset in JAR file");
+  // Check data points inside the file.
+  if (offset > mFd->mLen) {
+    NS_WARNING("Corrupt data offset in JAR file");
+    return 0;
+  }
 
   MMAP_FAULT_HANDLER_CATCH(0)
   // can't be 0

modules/libjar/test/unit/test_corrupt_1801102.js

@@ -0,0 +1,20 @@
+/* Any copyright is dedicated to the Public Domain.
+ * http://creativecommons.org/publicdomain/zero/1.0/
+ */
+
+// Regression test ensuring that that a STORED entry with differing compressed
+// and uncompressed sizes is considered to be corrupt.
+
+add_task(async function test1801102() {
+  let file = do_get_file("data/test_1801102.jar");
+
+  let zipreader = Cc["@mozilla.org/libjar/zip-reader;1"].createInstance(
+    Ci.nsIZipReader
+  );
+  zipreader.open(file);
+  Assert.throws(
+    () => zipreader.test(""),
+    /NS_ERROR_FILE_CORRUPTED/,
+    "must throw"
+  );
+});

modules/libjar/test/unit/xpcshell.ini

@@ -11,6 +11,7 @@ support-files =
   data/test_bug597702.zip
   data/test_bug637286.zip
   data/test_bug658093.zip
+  data/test_1801102.jar
   data/test_corrupt.zip
   data/test_corrupt2.zip
   data/test_corrupt3.zip
@@ -35,6 +36,7 @@ skip-if = os == "mac"
 [test_corrupt_536911.js]
 [test_corrupt_541828.js]
 [test_corrupt_1211262.js]
+[test_corrupt_1801102.js]
 [test_crx.js]
 [test_dirjar_bug525755.js]
 [test_jarinput_stream_zipreader_reference.js]