Bug 1383000 - Fix UAF in nsJAR::GetInputStreamWithSpec. r=aklotz, a=gchang
authorTristan Bourvon <tbourvon@mozilla.com>
Fri, 21 Jul 2017 15:12:55 +0200
changeset 356180 ce65d0641c07af7f6ca4dee216d86fae7fa6fbb0
parent 356179 7e7b4f104462c4766a339afbccb908bcc5e7fac2
child 356181 8658b524ed6d7200c4ff91327a7e925d95e694c7
push id7236
push userryanvm@gmail.com
push dateMon, 31 Jul 2017 11:54:24 +0000
treeherdermozilla-esr52@8658b524ed6d [default view] [failures only]
perfherder[talos] [build metrics] [platform microbench] (compared to previous push)
reviewersaklotz, gchang
bugs1383000
milestone52.2.1
Bug 1383000 - Fix UAF in nsJAR::GetInputStreamWithSpec. r=aklotz, a=gchang MozReview-Commit-ID: 6g7wusTbLfN
modules/libjar/nsJAR.cpp
--- a/modules/libjar/nsJAR.cpp
+++ b/modules/libjar/nsJAR.cpp
@@ -320,29 +320,29 @@ nsJAR::GetInputStream(const nsACString &
 NS_IMETHODIMP
 nsJAR::GetInputStreamWithSpec(const nsACString& aJarDirSpec,
                           const nsACString &aEntryName, nsIInputStream** result)
 {
   NS_ENSURE_ARG_POINTER(result);
 
   // Watch out for the jar:foo.zip!/ (aDir is empty) top-level special case!
   nsZipItem *item = nullptr;
-  const char *entry = PromiseFlatCString(aEntryName).get();
-  if (*entry) {
+  const nsCString& entry = PromiseFlatCString(aEntryName);
+  if (*entry.get()) {
     // First check if item exists in jar
-    item = mZip->GetItem(entry);
+    item = mZip->GetItem(entry.get());
     if (!item) return NS_ERROR_FILE_TARGET_DOES_NOT_EXIST;
   }
   nsJARInputStream* jis = new nsJARInputStream();
   // addref now so we can call InitFile/InitDirectory()
   NS_ADDREF(*result = jis);
 
   nsresult rv = NS_OK;
   if (!item || item->IsDirectory()) {
-    rv = jis->InitDirectory(this, aJarDirSpec, entry);
+    rv = jis->InitDirectory(this, aJarDirSpec, entry.get());
   } else {
     rv = jis->InitFile(this, item);
   }
   if (NS_FAILED(rv)) {
     NS_RELEASE(*result);
   }
   return rv;
 }