diff options
Diffstat (limited to 'gnu/packages/patches/icecat-CVE-2015-2735.patch')
-rw-r--r-- | gnu/packages/patches/icecat-CVE-2015-2735.patch | 86 |
1 files changed, 0 insertions, 86 deletions
diff --git a/gnu/packages/patches/icecat-CVE-2015-2735.patch b/gnu/packages/patches/icecat-CVE-2015-2735.patch deleted file mode 100644 index fd39bde113..0000000000 --- a/gnu/packages/patches/icecat-CVE-2015-2735.patch +++ /dev/null @@ -1,86 +0,0 @@ -From 8c8a52d7c05d75c3c608e4deed4bb33ab90883b0 Mon Sep 17 00:00:00 2001 -From: Andrea Marchesini <amarchesini@mozilla.com> -Date: Thu, 4 Jun 2015 15:04:10 +0100 -Subject: [PATCH] Bug 1166900 - Better string length check in - nsZipArchive::GetDataOffset. r+a=dveditz - ---- - dom/file/ArchiveZipFile.cpp | 6 ++++-- - modules/libjar/nsZipArchive.cpp | 15 +++++++++------ - 2 files changed, 13 insertions(+), 8 deletions(-) - -diff --git a/dom/file/ArchiveZipFile.cpp b/dom/file/ArchiveZipFile.cpp -index c206b64..d28b5ba 100644 ---- a/dom/file/ArchiveZipFile.cpp -+++ b/dom/file/ArchiveZipFile.cpp -@@ -102,7 +102,8 @@ ArchiveInputStream::Init() - uint32_t offset = ArchiveZipItem::StrToInt32(mCentral.localhdr_offset); - - // The file is corrupt -- if (offset + ZIPLOCAL_SIZE > mData.parentSize) { -+ if (mData.parentSize < ZIPLOCAL_SIZE || -+ offset > mData.parentSize - ZIPLOCAL_SIZE) { - return NS_ERROR_UNEXPECTED; - } - -@@ -137,7 +138,8 @@ ArchiveInputStream::Init() - ArchiveZipItem::StrToInt16(local.extrafield_len); - - // The file is corrupt if there is not enough data -- if (offset + mData.sizeToBeRead > mData.parentSize) { -+ if (mData.parentSize < mData.sizeToBeRead || -+ offset > mData.parentSize - mData.sizeToBeRead) { - return NS_ERROR_UNEXPECTED; - } - -diff --git a/modules/libjar/nsZipArchive.cpp b/modules/libjar/nsZipArchive.cpp -index f8af715..5ec8225 100644 ---- a/modules/libjar/nsZipArchive.cpp -+++ b/modules/libjar/nsZipArchive.cpp -@@ -637,18 +637,20 @@ MOZ_WIN_MEM_TRY_BEGIN - uint16_t namelen = xtoint(central->filename_len); - uint16_t extralen = xtoint(central->extrafield_len); - uint16_t commentlen = xtoint(central->commentfield_len); -- -- // Point to the next item at the top of loop -- buf += ZIPCENTRAL_SIZE + namelen + extralen + commentlen; -+ uint32_t diff = ZIPCENTRAL_SIZE + namelen + extralen + commentlen; - - // Sanity check variable sizes and refuse to deal with - // anything too big: it's likely a corrupt archive. - if (namelen < 1 || - namelen > kMaxNameLength || -- buf >= endp) { -+ buf >= buf + diff || // No overflow -+ buf >= endp - diff) { - return NS_ERROR_FILE_CORRUPTED; - } - -+ // Point to the next item at the top of loop -+ buf += diff; -+ - nsZipItem* item = CreateZipItem(); - if (!item) - return NS_ERROR_OUT_OF_MEMORY; -@@ -779,7 +781,7 @@ MOZ_WIN_MEM_TRY_BEGIN - uint32_t len = mFd->mLen; - const uint8_t* data = mFd->mFileData; - uint32_t offset = aItem->LocalOffset(); -- if (offset + ZIPLOCAL_SIZE > len) -+ if (len < ZIPLOCAL_SIZE || offset > len - ZIPLOCAL_SIZE) - return nullptr; - - // -- check signature before using the structure, in case the zip file is corrupt -@@ -795,7 +797,8 @@ MOZ_WIN_MEM_TRY_BEGIN - xtoint(Local->extrafield_len); - - // -- check if there is enough source data in the file -- if (offset + aItem->Size() > len) -+ if (len < aItem->Size() || -+ offset > len - aItem->Size()) - return nullptr; - - return data + offset; --- -2.4.3 - |