Bug 1321814 - Check for path truncation. r=rstrong, a=gchang
--- a/toolkit/mozapps/update/updater/updater.cpp
+++ b/toolkit/mozapps/update/updater/updater.cpp
@@ -3330,20 +3330,35 @@ int NS_main(int argc, NS_tchar **argv)
else
*d = *s;
++s;
++d;
} while (*s);
*d = NS_T('\0');
++d;
+ const size_t callbackBackupPathBufSize =
+ sizeof(gCallbackBackupPath)/sizeof(gCallbackBackupPath[0]);
+ const int callbackBackupPathLen =
+ NS_tsnprintf(gCallbackBackupPath, callbackBackupPathBufSize,
+ NS_T("%s" CALLBACK_BACKUP_EXT), argv[callbackIndex]);
+
+ if (callbackBackupPathLen < 0 ||
+ callbackBackupPathLen >= static_cast<int>(callbackBackupPathBufSize)) {
+ LOG(("NS_main: callback backup path truncated"));
+ LogFinish();
+ WriteStatusFile(USAGE_ERROR);
+
+ // Don't attempt to launch the callback when the callback path is
+ // longer than expected.
+ EXIT_WHEN_ELEVATED(elevatedLockFilePath, updateLockFileHandle, 1);
+ return 1;
+ }
+
// Make a copy of the callback executable so it can be read when patching.
- NS_tsnprintf(gCallbackBackupPath,
- sizeof(gCallbackBackupPath)/sizeof(gCallbackBackupPath[0]),
- NS_T("%s" CALLBACK_BACKUP_EXT), argv[callbackIndex]);
NS_tremove(gCallbackBackupPath);
CopyFileW(argv[callbackIndex], gCallbackBackupPath, false);
// Since the process may be signaled as exited by WaitForSingleObject before
// the release of the executable image try to lock the main executable file
// multiple times before giving up. If we end up giving up, we won't
// fail the update.
const int max_retries = 10;
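Review bot: The new guard `callbackBackupPathLen < 0 || callbackBackupPathLen >= static_cast<int>(callbackBackupPathBufSize)` is only sound if NS_tsnprintf returns an int that follows either the _snwprintf convention (negative when the output does not fit) or the C99 one (the length that would have been written). Its definition is outside this hunk, so that should be confirmed and recorded beside the check, for example `// NS_tsnprintf reports a path that does not fit as < 0 (_snwprintf) or >= the buffer size (C99 snprintf).` The existing comment says only that the callback is not launched; it could also state that the following NS_tremove and CopyFileW calls would otherwise act on a shortened path, which is the reason for bailing out. Doing the size comparison unsigned after the sign test, `static_cast<size_t>(callbackBackupPathLen) >= callbackBackupPathBufSize`, avoids narrowing the buffer size to int. NS_main begins and ends outside the hunk, so whether this early return skips cleanup performed on other exit paths cannot be judged from here.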