зеркало из https://github.com/mozilla/gecko-dev.git
22e7297afd
The index section of a MAR archive file contains several fixed-length fields and also variable-length names for each file in the archive, terminated by a null byte. Since that makes the length of the index variable, the length of the entire index is also provided in the file. When libmar opens a file, it allocates a buffer with the length given in the file and reads the index from the file into that buffer. mar_consume_index() then parses the entire index from that copy, trying to make sure it doesn't read past the buffer it was given. The length of the buffer is given to mar_consume_index() by providing it a pointer to one byte past the end of the buffer. However, mar_consume_index() treats this pointer as pointing *to* the end. Therefore, it is possible for a malformed MAR file (one where the stated length is less than the real length) to trigger a read of one byte beyond the allocated memory. Fix this by failing the parse when we reach the buffer end pointer minus one, instead of when we reach that address itself. --HG-- extra : amend_source : 3001a5bc08e790251759418e014bbd7153b66d8a |
||
|---|---|---|
| .. | ||
| Makefile.in | ||
| mar.h | ||
| mar_cmdline.h | ||
| mar_create.c | ||
| mar_extract.c | ||
| mar_private.h | ||
| mar_read.c | ||
| moz.build | ||