bug 422118 crash reading malformed zip archives. r=biesi, sr=bzbarsky, a=schrep

2008-03-19 19:28:38 +00:00 · 2008-03-19 19:28:38 +00:00 · 5b58662515
--- a/modules/libjar/nsJARInputStream.cpp
+++ b/modules/libjar/nsJARInputStream.cpp
@ -219,15 +219,21 @@ nsJARInputStream::Read(char* aBuffer, PRUint32 aCount, PRUint32 *aBytesRead)
        } else {
            PRInt32 bytesRead = 0;
            aCount = PR_MIN(aCount, mInSize - mCurPos);
-            if (aCount) {        
+            if (aCount) {
                bytesRead = PR_Read(mFd, aBuffer, aCount);
                if (bytesRead < 0)
                    return NS_ERROR_FILE_CORRUPTED;
                mCurPos += bytesRead;
+                if (bytesRead != aCount) {
+                    // file is truncated or was lying about size, we're done
+                    PR_Close(mFd);
+                    mFd = nsnull;
+                    return NS_ERROR_FILE_CORRUPTED;
+                }
            }
            *aBytesRead = bytesRead;
        }
-        
+
        // be aggressive about closing!
        // note that sometimes, we will close mFd before we've finished
        // deflating - this is because zlib buffers the input
--- a/modules/libjar/nsZipArchive.cpp
+++ b/modules/libjar/nsZipArchive.cpp
@ -906,6 +906,11 @@ nsresult nsZipArchive::BuildFileList()
    PRUint16 extralen = xtoint(central->extrafield_len);
    PRUint16 commentlen = xtoint(central->commentfield_len);

+    //-- sanity check variable sizes and refuse to deal with
+    //-- anything too big: it's likely a corrupt archive
+    if (namelen > BR_BUF_SIZE || extralen > BR_BUF_SIZE || commentlen > 2*BR_BUF_SIZE)
+      return ZIP_ERR_CORRUPT;
+
    nsZipItem* item = CreateZipItem(namelen);
    if (!item)
      return ZIP_ERR_MEMORY;
@ -919,11 +924,10 @@ nsresult nsZipArchive::BuildFileList()
    item->date          = xtoint(central->date);
    item->isSynthetic   = PR_FALSE;
    item->hasDataOffset = PR_FALSE;
-    item->compression   = (PRUint8)xtoint(central->method);
-#if defined(DEBUG)
-    /* Make sure our space optimization is non lossy. */
-    PR_ASSERT(xtoint(central->method) == (PRUint16)item->compression);
-#endif
+
+    PRUint16 compression = xtoint(central->method);
+    item->compression   = (compression < UNSUPPORTED) ? (PRUint8)compression
+                                                      : UNSUPPORTED;

    item->mode = ExtractMode(central->external_attributes);
 #if defined(XP_UNIX) || defined(XP_BEOS)
@ -944,6 +948,11 @@ nsresult nsZipArchive::BuildFileList()
      memcpy(buf, buf+pos, leftover);
      byteCount = leftover + PR_Read(mFd, buf+leftover, sizeof(buf)-leftover);
      pos = 0;
+
+      if (byteCount < (namelen + extralen + commentlen + sizeof(sig))) {
+        // truncated file
+        return ZIP_ERR_CORRUPT;
+      }
    }

    //-------------------------------------------------------
--- a/modules/libjar/zipstruct.h
+++ b/modules/libjar/zipstruct.h
@ -132,6 +132,7 @@ typedef struct ZipEnd_
 #define IMPLODED          6
 #define TOKENIZED         7
 #define DEFLATED          8
+#define UNSUPPORTED       0xFF


 #endif /* _zipstruct_h */