gecko-dev/modules/libmar
June Wilde 3dba77a779 Bug 1468556 - Protect against overlapping files in libmar; r=mhowell
Disallows files from referencing the same bytes in the content blocks of a MAR
file by storing a list of structs containing a file's byte offsets and lengths.
A list was chosen since the cap of 256 files wouldn't produce considerable
overhead when extracting/reading/searching/etc through the archive.

Removing the ability for a MAR file to reference the same content block
repeatedly seems like a better solution than what was suggested in the BLRG
report. (limiting the number of files or checking for overly large
decompressed files)

Allows us to prohibit this type of file bomb while only losing an attribute
of the MAR file format that wasn't being leveraged. The fix is applied in
mar_enum_items and mar_find_item so that the manifest the updater uses is
equally safeguarded as the mar host tool.

Differential Revision: https://phabricator.services.mozilla.com/D11706

--HG--
extra : moz-landing-system : lando
2018-11-26 17:25:24 +00:00
..
sign Bug 1468542 - Restrict acceptable bounds for i in nss_secutil; r=rstrong 2018-11-19 20:57:50 +02:00
src Bug 1468556 - Protect against overlapping files in libmar; r=mhowell 2018-11-26 17:25:24 +00:00
tests Bug 1468556 - Protect against overlapping files in libmar; r=mhowell 2018-11-26 17:25:24 +00:00
tool Bug 1468544 - Replace mar_hash_name with CityHash algorithm. r=rstrong 2018-11-06 13:34:21 -05:00
verify Bug 1489454 - Remove all trailing whitespaces (again) r=Ehsan 2018-09-07 14:47:51 +00:00
README
moz.build

README

This directory contains code for a simple archive file format, which
is documented at http://wiki.mozilla.org/Software_Update:MAR

The src directory builds a small static library used to create, read, and
extract an archive file.  The tool directory builds a command line utility
around the library.
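
The overlap check described in the commit message at the top of this page (a list of per-file byte offsets and lengths, searched linearly under the 256-file cap), sketched as an added example; it is not libmar's own code. All names are hypothetical, and the archive-size bound and the treatment of zero-length entries are assumptions that go beyond what the commit message states.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define MAX_ENTRIES 256 /* file cap cited in the commit message */

/* Hypothetical types and names; not taken from libmar. */
struct seen_range { uint32_t offset; uint32_t length; };
struct range_list { struct seen_range items[MAX_ENTRIES]; size_t count; };

/* Records [offset, offset+length) and returns 0, or returns -1 when the
 * range runs past the archive, the entry cap is hit, or the range shares
 * at least one byte with an entry recorded earlier. */
int range_list_add(struct range_list *rl, uint32_t offset, uint32_t length,
                   uint64_t archive_size) {
  uint64_t start = offset;
  uint64_t end = start + length; /* 64-bit sum of two 32-bit values cannot wrap */
  if (end > archive_size || rl->count >= MAX_ENTRIES)
    return -1;
  for (size_t i = 0; i < rl->count; i++) {
    uint64_t s = rl->items[i].offset;
    uint64_t e = s + rl->items[i].length;
    /* Half-open intervals intersect iff each starts before the other ends.
     * Empty entries own no bytes, so they never count as overlapping. */
    if (length != 0 && rl->items[i].length != 0 && start < e && s < end)
      return -1;
  }
  rl->items[rl->count].offset = offset;
  rl->items[rl->count].length = length;
  rl->count++;
  return 0;
}

/* Walks an index in order; returns the position of the first rejected
 * entry, or -1 when every entry references its own distinct bytes. */
int first_bad_entry(const struct seen_range *idx, size_t n,
                    uint64_t archive_size) {
  struct range_list rl = { .count = 0 };
  for (size_t i = 0; i < n; i++)
    if (range_list_add(&rl, idx[i].offset, idx[i].length, archive_size) != 0)
      return (int)i;
  return -1;
}

int main(void) {
  /* Constructed index: the third entry re-references the first one's bytes. */
  const struct seen_range idx[] = { {8, 100}, {108, 50}, {8, 100} };
  printf("first rejected entry: %d\n", first_bad_entry(idx, 3, 1024));
  return 0;
}
```

Running the same check from both the enumeration and the lookup path matters for the reason the commit message gives: the updater's manifest handling and the host tool must reject the same archives.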