Fix possible buffer overruns. Bug 273737, patch by Tim Ruehsen

<tim.ruehsen@gmx.de>, r=bsmedberg, sr=dveditz git-svn-id: svn://10.0.0.236/trunk@167706 18797224-902f-48f8-a5cc-f745e15eee43
2005-01-14 04:56:18 +00:00 · 2005-01-14 04:56:18 +00:00 · 976aa49f15
commit 976aa49f15
parent 7cb9d1c1f8
1 changed files with 38 additions and 18 deletions
--- a/mozilla/xpinstall/wizard/unix/src2/nsZipExtractor.cpp
+++ b/mozilla/xpinstall/wizard/unix/src2/nsZipExtractor.cpp
@ -63,7 +63,7 @@ int
 nsZipExtractor::Extract(nsComponent *aXPIEngine, int aTotal)
 {
    DUMP("Extract");
-   
+
    char apath[MAXPATHLEN]; /* archive path */
    char bindir[512];
    char zpath[MAXPATHLEN]; /* path of file in zip archive */
@ -72,16 +72,20 @@ nsZipExtractor::Extract(nsComponent *aXPIEngine, int aTotal)
    struct stat dummy;
    int i, bFoundAll = FALSE, err = OK;
    PRInt32 zerr = ZIP_OK;
+    PRUint32 len;
    void *hZip = NULL, *hFind = NULL;

    if (!aXPIEngine || !(aXPIEngine->GetArchive()))
        return E_PARAM;

-    sprintf(apath, "%s/%s", mSrc, aXPIEngine->GetArchive());
+    len=snprintf(apath,sizeof(apath),"%s/%s", mSrc, aXPIEngine->GetArchive());
+    if ( len >= sizeof(apath) )
+        return E_PARAM; /* this should be something like E_PATH_TOO_LONG */
+
    if (-1 == stat(apath, &dummy))
        return E_NO_DOWNLOAD;

-    /* initialize archive etc. 
+    /* initialize archive etc.
     */
    zerr = ZIP_OpenArchive(apath, &hZip);
    if (zerr != ZIP_OK) return E_EXTRACTION;
@ -92,7 +96,7 @@ nsZipExtractor::Extract(nsComponent *aXPIEngine, int aTotal)
        goto au_revoir;
    }

-    /* extract files 
+    /* extract files
     */
    i = 0;
    while (!bFoundAll)
@ -126,10 +130,15 @@ nsZipExtractor::Extract(nsComponent *aXPIEngine, int aTotal)
        /* update UI
         */
        if (gCtx->opt->mMode != nsXIOptions::MODE_SILENT)
-            nsInstallDlg::MajorProgressCB(leaf, i, 
+            nsInstallDlg::MajorProgressCB(leaf, i,
                aTotal, nsInstallDlg::ACT_EXTRACT);

-        sprintf(epath, "%s/%s", mDest, zpath);
+        len=snprintf(epath,sizeof(epath),"%s/%s", mDest, zpath);
+        if ( len >= sizeof(apath) )
+        {
+            err = E_PARAM; /* this should be something like E_PATH_TOO_LONG */
+            goto au_revoir;
+        }
        err = DirCreateRecursive(epath);
        if (err != OK) goto au_revoir;

@ -142,8 +151,14 @@ nsZipExtractor::Extract(nsComponent *aXPIEngine, int aTotal)

        i++;
    }
-    
-    sprintf(bindir, "%s/%s", mDest, TMP_EXTRACT_SUBDIR);
+
+    len=snprintf(bindir,sizeof(bindir),"%s/%s", mDest, TMP_EXTRACT_SUBDIR);
+    if ( len >= sizeof(bindir) )
+    {
+        err = E_PARAM; /* this should be something like E_PATH_TOO_LONG */
+        goto au_revoir;
+    }
+
    if (-1 == stat(bindir, &dummy))
        err = E_EXTRACTION;

@ -160,11 +175,12 @@ au_revoir:
 int
 nsZipExtractor::DirCreateRecursive(char *aPath)
 {
+    PRUint32 len;
    int err = OK;
-    char *slash = NULL, *pathpos = NULL;
+    char *slash = NULL;
    char currdir[MAXPATHLEN];
    struct stat dummy;
-    
+
    if (!aPath || !mDest)
        return E_PARAM;

@ -174,15 +190,19 @@ nsZipExtractor::DirCreateRecursive(char *aPath)

    while (slash)
    {
-        memset(currdir, 0, MAXPATHLEN);
-        strncpy(currdir, aPath, slash - aPath);
-        
+        len = slash - aPath;
+        if (len >= sizeof(currdir)) return E_PARAM; // should not happen, just being defensive
+
+        snprintf(currdir,len+1,"%s",aPath);
+
        if (-1 == stat(currdir, &dummy))
-            mkdir(currdir, 0755);
-        
-        pathpos = slash;
-        slash = strchr(pathpos+1, '/');
-    }   
+        {
+            if (-1 == mkdir(currdir, 0755))
+                return E_MKDIR_FAIL;
+        }
+
+        slash = strchr(slash+1, '/');
+    }

    return err;
 }