Bug 541828: crash in BuildFileList (r=tglek)
authorAlfred Kayser <alfredkayser@gmail.com>
Mon, 25 Jan 2010 10:21:49 +0100
changeset 37464 4be473b81462adad6dd9b282d96a13cf41db2e41
parent 37463 8d563161748b94276df43e0565928d460bcb77e9
child 37465 5412edab749793dc3b88042979aadd998c9c48d9
push id11318
push useralfredkayser@gmail.com
push dateMon, 25 Jan 2010 09:22:16 +0000
reviewerstglek
bugs541828
milestone1.9.3a1pre
Bug 541828: crash in BuildFileList (r=tglek)
modules/libjar/nsZipArchive.cpp
--- a/modules/libjar/nsZipArchive.cpp
+++ b/modules/libjar/nsZipArchive.cpp
@@ -533,16 +533,18 @@ nsresult nsZipArchive::BuildFileList()
       // of the end signature.  File must be corrupted!
       return NS_ERROR_FILE_CORRUPTED;
     }
   }
   PRUint32 centralOffset = xtolong(((ZipEnd *)buf)->offset_central_dir);
 
   //-- Read the central directory headers
   buf = startp + centralOffset;
+  if (endp - buf < sizeof(PRUint32))
+      return NS_ERROR_FILE_CORRUPTED;
   PRUint32 sig = xtolong(buf);
   while (sig == CENTRALSIG) {
     // Make sure there is enough data available.
     if (endp - buf < ZIPCENTRAL_SIZE)
       return NS_ERROR_FILE_CORRUPTED;
 
     // Read the fixed-size data.
     ZipCentral* central = (ZipCentral*)buf;
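Review bot: The new guard `if (endp - buf < sizeof(PRUint32))` does not reject a centralOffset that places buf beyond endp: the pointer difference is a signed ptrdiff_t while sizeof() is size_t, so the usual arithmetic conversions turn a negative difference into a large unsigned value, the comparison is false, and `xtolong(buf)` on the next line still reads outside the mapped archive. Since centralOffset comes straight from the end-of-central-directory record, a corrupted file can make exactly that happen, and forming `startp + centralOffset` past the end is already undefined before the check runs. Validate the offset against the buffer length before forming the pointer, e.g. `PRUint32 len = PRUint32(endp - startp);` followed by `if (centralOffset > len || len - centralOffset < sizeof(PRUint32)) return NS_ERROR_FILE_CORRUPTED;` placed ahead of `buf = startp + centralOffset;`. Whether the existing `endp - buf < ZIPCENTRAL_SIZE` test inside the loop has the same signed/unsigned problem depends on how ZIPCENTRAL_SIZE is declared, which is not visible here, and the types of startp/endp are assumed to be byte pointers. BuildFileList's body starts and continues outside this hunk.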