Bug 1215319 - zip archive fix part 2 r=dragana
authorPatrick McManus <mcmanus@ducksong.com>
Mon, 23 May 2016 17:06:44 -0400
changeset 337775 a73b559073f5dce3cccc56cb5ff48f27f2b4d41b
parent 337774 f37493706dd7f176aef13f699e82901fdc1b635d
child 337776 195c5c59958883a19851ddf5a3016fecf6fb034e
push id6249
push userjlund@mozilla.com
push dateMon, 01 Aug 2016 13:59:36 +0000
reviewersdragana
bugs1215319
milestone49.0a1
Bug 1215319 - zip archive fix part 2 r=dragana
modules/libjar/nsZipArchive.cpp
--- a/modules/libjar/nsZipArchive.cpp
+++ b/modules/libjar/nsZipArchive.cpp
@@ -715,18 +715,19 @@ MOZ_WIN_MEM_TRY_BEGIN
   // avoid overflow of startp + centralOffset.
   if (buf < startp) {
     nsZipArchive::sFileCorruptedReason = "nsZipArchive: overflow looking for central directory";
     return NS_ERROR_FILE_CORRUPTED;
   }
 
   //-- Read the central directory headers
   uint32_t sig = 0;
-  while (buf + int32_t(sizeof(uint32_t)) <= endp &&
-         (sig = xtolong(buf)) == CENTRALSIG) {
+  while ((buf + int32_t(sizeof(uint32_t)) > buf) &&
+         (buf + int32_t(sizeof(uint32_t)) <= endp) &&
+         ((sig = xtolong(buf)) == CENTRALSIG)) {
     // Make sure there is enough data available.
     if ((buf > endp) || (endp - buf < ZIPCENTRAL_SIZE)) {
       nsZipArchive::sFileCorruptedReason = "nsZipArchive: central directory too small";
       return NS_ERROR_FILE_CORRUPTED;
     }
 
     // Read the fixed-size data.
     ZipCentral* central = (ZipCentral*)buf;
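Review bot: The new first condition of the `while`, `buf + int32_t(sizeof(uint32_t)) > buf`, tries to detect wraparound by performing the very pointer addition it is meant to guard; forming a pointer beyond the end of the mapped buffer is undefined behaviour, so an optimizing compiler may be entitled to treat the comparison as always true and drop it. Comparing the remaining length avoids the out-of-range arithmetic: `while ((buf <= endp) && (endp - buf >= ptrdiff_t(sizeof(uint32_t))) &&` followed by the unchanged `((sig = xtolong(buf)) == CENTRALSIG)) {`. That is the same shape as the `endp - buf < ZIPCENTRAL_SIZE` test already used inside the loop. The loop body continues past the end of the hunk, so whether `buf` is only advanced there after a length check cannot be confirmed from these lines; a short comment at the loop head stating the invariant that `buf` never exceeds `endp` would help the next reader.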