Bug 1215319 - zip archive fix part 2 r=dragana
authorPatrick McManus <mcmanus@ducksong.com>
Mon, 23 May 2016 17:06:44 -0400
changeset 298785 a73b559073f5
parent 298784 f37493706dd7
child 298786 195c5c599588
push id30285
push usercbook@mozilla.com
push dateWed, 25 May 2016 13:06:07 +0000
treeherdermozilla-central@d6d4e8417d2f [default view] [failures only]
reviewersdragana
bugs1215319
milestone49.0a1
Bug 1215319 - zip archive fix part 2 r=dragana
modules/libjar/nsZipArchive.cpp
--- a/modules/libjar/nsZipArchive.cpp
+++ b/modules/libjar/nsZipArchive.cpp
@@ -715,18 +715,19 @@ MOZ_WIN_MEM_TRY_BEGIN
   // avoid overflow of startp + centralOffset.
   if (buf < startp) {
     nsZipArchive::sFileCorruptedReason = "nsZipArchive: overflow looking for central directory";
     return NS_ERROR_FILE_CORRUPTED;
   }
 
   //-- Read the central directory headers
   uint32_t sig = 0;
-  while (buf + int32_t(sizeof(uint32_t)) <= endp &&
-         (sig = xtolong(buf)) == CENTRALSIG) {
+  while ((buf + int32_t(sizeof(uint32_t)) > buf) &&
+         (buf + int32_t(sizeof(uint32_t)) <= endp) &&
+         ((sig = xtolong(buf)) == CENTRALSIG)) {
     // Make sure there is enough data available.
     if ((buf > endp) || (endp - buf < ZIPCENTRAL_SIZE)) {
       nsZipArchive::sFileCorruptedReason = "nsZipArchive: central directory too small";
       return NS_ERROR_FILE_CORRUPTED;
     }
 
     // Read the fixed-size data.
     ZipCentral* central = (ZipCentral*)buf;
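Review bot: The added guard `buf + int32_t(sizeof(uint32_t)) > buf` in the `while` condition detects wraparound by performing the very pointer arithmetic that wraps. Arithmetic that leaves the buffer is undefined behaviour in C++, so an optimizing compiler may treat the comparison as always true and drop it. A test on the remaining length does not depend on overflow, for example `while (buf <= endp && size_t(endp - buf) >= sizeof(uint32_t) &&` followed by the unchanged `(sig = xtolong(buf)) == CENTRALSIG) {`; this also matches the `endp - buf < ZIPCENTRAL_SIZE` form used just below. The statements that advance `buf` are outside this hunk; if they can move it past `endp`, the length should presumably be validated there, before the addition rather than after. The enclosing function starts and ends outside the hunk.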