summary refs log tree commit diff
path: root/gnu/packages/patches/icecat-CVE-2015-2735.patch
diff options
context:
space:
mode:
Diffstat (limited to 'gnu/packages/patches/icecat-CVE-2015-2735.patch')
-rw-r--r--gnu/packages/patches/icecat-CVE-2015-2735.patch86
1 files changed, 0 insertions, 86 deletions
diff --git a/gnu/packages/patches/icecat-CVE-2015-2735.patch b/gnu/packages/patches/icecat-CVE-2015-2735.patch
deleted file mode 100644
index fd39bde113..0000000000
--- a/gnu/packages/patches/icecat-CVE-2015-2735.patch
+++ /dev/null
@@ -1,86 +0,0 @@
-From 8c8a52d7c05d75c3c608e4deed4bb33ab90883b0 Mon Sep 17 00:00:00 2001
-From: Andrea Marchesini <amarchesini@mozilla.com>
-Date: Thu, 4 Jun 2015 15:04:10 +0100
-Subject: [PATCH] Bug 1166900 - Better string length check in
- nsZipArchive::GetDataOffset. r+a=dveditz
-
----
- dom/file/ArchiveZipFile.cpp     |  6 ++++--
- modules/libjar/nsZipArchive.cpp | 15 +++++++++------
- 2 files changed, 13 insertions(+), 8 deletions(-)
-
-diff --git a/dom/file/ArchiveZipFile.cpp b/dom/file/ArchiveZipFile.cpp
-index c206b64..d28b5ba 100644
---- a/dom/file/ArchiveZipFile.cpp
-+++ b/dom/file/ArchiveZipFile.cpp
-@@ -102,7 +102,8 @@ ArchiveInputStream::Init()
-   uint32_t offset = ArchiveZipItem::StrToInt32(mCentral.localhdr_offset);
- 
-   // The file is corrupt
--  if (offset + ZIPLOCAL_SIZE > mData.parentSize) {
-+  if (mData.parentSize < ZIPLOCAL_SIZE ||
-+      offset > mData.parentSize - ZIPLOCAL_SIZE) {
-     return NS_ERROR_UNEXPECTED;
-   }
- 
-@@ -137,7 +138,8 @@ ArchiveInputStream::Init()
-             ArchiveZipItem::StrToInt16(local.extrafield_len);
- 
-   // The file is corrupt if there is not enough data
--  if (offset + mData.sizeToBeRead > mData.parentSize) {
-+  if (mData.parentSize < mData.sizeToBeRead ||
-+      offset > mData.parentSize - mData.sizeToBeRead) {
-     return NS_ERROR_UNEXPECTED;
-   }
- 
-diff --git a/modules/libjar/nsZipArchive.cpp b/modules/libjar/nsZipArchive.cpp
-index f8af715..5ec8225 100644
---- a/modules/libjar/nsZipArchive.cpp
-+++ b/modules/libjar/nsZipArchive.cpp
-@@ -637,18 +637,20 @@ MOZ_WIN_MEM_TRY_BEGIN
-     uint16_t namelen = xtoint(central->filename_len);
-     uint16_t extralen = xtoint(central->extrafield_len);
-     uint16_t commentlen = xtoint(central->commentfield_len);
--
--    // Point to the next item at the top of loop
--    buf += ZIPCENTRAL_SIZE + namelen + extralen + commentlen;
-+    uint32_t diff = ZIPCENTRAL_SIZE + namelen + extralen + commentlen;
- 
-     // Sanity check variable sizes and refuse to deal with
-     // anything too big: it's likely a corrupt archive.
-     if (namelen < 1 ||
-         namelen > kMaxNameLength ||
--        buf >= endp) {
-+        buf >= buf + diff || // No overflow
-+        buf >= endp - diff) {
-       return NS_ERROR_FILE_CORRUPTED;
-     }
- 
-+    // Point to the next item at the top of loop
-+    buf += diff;
-+
-     nsZipItem* item = CreateZipItem();
-     if (!item)
-       return NS_ERROR_OUT_OF_MEMORY;
-@@ -779,7 +781,7 @@ MOZ_WIN_MEM_TRY_BEGIN
-   uint32_t len = mFd->mLen;
-   const uint8_t* data = mFd->mFileData;
-   uint32_t offset = aItem->LocalOffset();
--  if (offset + ZIPLOCAL_SIZE > len)
-+  if (len < ZIPLOCAL_SIZE || offset > len - ZIPLOCAL_SIZE)
-     return nullptr;
- 
-   // -- check signature before using the structure, in case the zip file is corrupt
-@@ -795,7 +797,8 @@ MOZ_WIN_MEM_TRY_BEGIN
-             xtoint(Local->extrafield_len);
- 
-   // -- check if there is enough source data in the file
--  if (offset + aItem->Size() > len)
-+  if (len < aItem->Size() ||
-+      offset > len - aItem->Size())
-     return nullptr;
- 
-   return data + offset;
--- 
-2.4.3
-