diff options
Diffstat (limited to 'security/nss')
| -rw-r--r-- | security/nss/lib/jar/jarfile.c | 22 |
1 files changed, 15 insertions, 7 deletions
diff --git a/security/nss/lib/jar/jarfile.c b/security/nss/lib/jar/jarfile.c index fc3ed2ae9..9ba5902e6 100644 --- a/security/nss/lib/jar/jarfile.c +++ b/security/nss/lib/jar/jarfile.c @@ -360,7 +360,8 @@ static int jar_physical_inflate unsigned long prev_total, ochunk, tin; - if ((inbuf = (char *) PORT_ZAlloc (ICHUNK)) == NULL) + /* Raw inflate in zlib 1.1.4 needs an extra dummy byte at the end */ + if ((inbuf = (char *) PORT_ZAlloc (ICHUNK + 1)) == NULL) return JAR_ERR_MEMORY; if ((outbuf = (char *) PORT_ZAlloc (OCHUNK)) == NULL) @@ -400,6 +401,12 @@ static int jar_physical_inflate at += chunk; + if (at == length) + { + /* add an extra dummy byte at the end */ + inbuf[chunk++] = 0xDD; + } + zs.next_in = (Bytef *) inbuf; zs.avail_in = chunk; zs.avail_out = OCHUNK; @@ -676,17 +683,16 @@ static int jar_extract_mf (JAR *jar, jarArch format, JAR_FILE fp, char *ext) continue; } - if (phy->length == 0) + if (phy->length == 0 || phy->length > 0xFFFF) { - /* manifest files cannot be zero length! */ + /* manifest files cannot be zero length or too big! */ + /* the 0xFFFF limit is per J2SE SDK */ return JAR_ERR_CORRUPT; } /* Read in the manifest and parse it */ - /* limit is per J2SE SDK */ - if (phy->length <= 0xFFFF) { - manifest = (char ZHUGEP *) PORT_ZAlloc (phy->length + 1); - } + /* Raw inflate in zlib 1.1.4 needs an extra dummy byte at the end */ + manifest = (char ZHUGEP *) PORT_ZAlloc (phy->length + 1); if (manifest) { JAR_FSEEK (fp, phy->offset, (PRSeekWhence)0); @@ -702,6 +708,8 @@ static int jar_extract_mf (JAR *jar, jarArch format, JAR_FILE fp, char *ext) if (phy->compression == 8) { length = phy->length; + /* add an extra dummy byte at the end */ + manifest[length++] = 0xDD; status = jar_inflate_memory ((unsigned int) phy->compression, &length, phy->uncompressed_length, &manifest); |