Bug 1383000 - Fix UAF in nsJAR::GetInputStreamWithSpec. r=aklotz
authorTristan Bourvon <tbourvon@mozilla.com>
Fri, 21 Jul 2017 15:12:55 +0200
changeset 419481 22649352b9f4137bb410fcfffbd1c2fa5ca0659c
parent 419480 5fd23c6134b93c256a2bdca91eacc60b6c43c662
child 419482 0a60cc1983211905a5bc0aaf9e3414469add6b91
push id7566
push usermtabara@mozilla.com
push dateWed, 02 Aug 2017 08:25:16 +0000
reviewersaklotz
bugs1383000
milestone56.0a1
Bug 1383000 - Fix UAF in nsJAR::GetInputStreamWithSpec. r=aklotz MozReview-Commit-ID: 6g7wusTbLfN
modules/libjar/nsJAR.cpp
--- a/modules/libjar/nsJAR.cpp
+++ b/modules/libjar/nsJAR.cpp
@@ -320,29 +320,29 @@ nsJAR::GetInputStream(const nsACString &
 NS_IMETHODIMP
 nsJAR::GetInputStreamWithSpec(const nsACString& aJarDirSpec,
                           const nsACString &aEntryName, nsIInputStream** result)
 {
   NS_ENSURE_ARG_POINTER(result);
 
   // Watch out for the jar:foo.zip!/ (aDir is empty) top-level special case!
   nsZipItem *item = nullptr;
-  const char *entry = PromiseFlatCString(aEntryName).get();
-  if (*entry) {
+  const nsCString& entry = PromiseFlatCString(aEntryName);
+  if (*entry.get()) {
     // First check if item exists in jar
-    item = mZip->GetItem(entry);
+    item = mZip->GetItem(entry.get());
     if (!item) return NS_ERROR_FILE_TARGET_DOES_NOT_EXIST;
   }
   nsJARInputStream* jis = new nsJARInputStream();
   // addref now so we can call InitFile/InitDirectory()
   NS_ADDREF(*result = jis);
 
   nsresult rv = NS_OK;
   if (!item || item->IsDirectory()) {
-    rv = jis->InitDirectory(this, aJarDirSpec, entry);
+    rv = jis->InitDirectory(this, aJarDirSpec, entry.get());
   } else {
     rv = jis->InitFile(this, item);
   }
   if (NS_FAILED(rv)) {
     NS_RELEASE(*result);
   }
   return rv;
 }
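Review bot: The new `const nsCString& entry = PromiseFlatCString(aEntryName);` is safe only because binding the returned temporary to a const reference extends its lifetime to the end of the function, and nothing on the line says so. A later cleanup could fold it back into `PromiseFlatCString(aEntryName).get()` and reintroduce the dangling pointer this commit removes. I would add a comment above the declaration such as `// Keep the flattened string alive for the whole function; entry.get() is passed to GetItem() and InitDirectory() below.` The fix also only covers the duration of this call. If `InitDirectory` stores the `entry.get()` pointer rather than copying it (its body is not visible in this hunk), the same lifetime problem would reappear after return, so that is worth confirming.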