Bug 1344461 - Keep track of line length to not read beyond eol. r=valentin a=gchang

--HG-- extra : source : 5ef67e15fd88a16025632e31ec1bb6519d2f4441
2025-11-10 21:28:04 +02:00 · 2017-03-20 18:23:18 -04:00 · 2017-03-20 18:23:18 -04:00 · 1611182cbc
commit 1611182cbc
parent ffb0ca0de0
2 changed files with 43 additions and 16 deletions
--- a/netwerk/streamconv/converters/nsDirIndexParser.cpp
+++ b/netwerk/streamconv/converters/nsDirIndexParser.cpp
@ -154,6 +154,7 @@ nsDirIndexParser::ParseFormat(const char* aFormatStr) {
  if (mFormat == nullptr)
    return NS_ERROR_OUT_OF_MEMORY;
  mFormat[num] = -1;
+  mFormat[0] = -1; // to detect zero header fields
  
  int formatNum=0;
  do {
@ -192,7 +193,8 @@ nsDirIndexParser::ParseFormat(const char* aFormatStr) {
 }

 nsresult
-nsDirIndexParser::ParseData(nsIDirIndex *aIdx, char* aDataStr) {
+nsDirIndexParser::ParseData(nsIDirIndex *aIdx, char* aDataStr, int32_t aLineLen)
+{
  // Parse a "201" data line, using the field ordering specified in
  // mFormat.

@ -202,37 +204,62 @@ nsDirIndexParser::ParseData(nsIDirIndex *aIdx, char* aDataStr) {
  }

  nsresult rv = NS_OK;
-
  nsAutoCString filename;
+  int32_t lineLen = aLineLen;
+
+  if (mFormat[0] == -1) {
+    // no known header fields is an error
+    return NS_ERROR_ILLEGAL_VALUE;
+  }

  for (int32_t i = 0; mFormat[i] != -1; ++i) {
-    // If we've exhausted the data before we run out of fields, just
-    // bail.
-    if (! *aDataStr)
-      break;
+    // If we've exhausted the data before we run out of fields, just bail.
+    if (!*aDataStr || (lineLen < 1)) {
+      return NS_ERROR_ILLEGAL_VALUE;
+    }

-    while (*aDataStr && nsCRT::IsAsciiSpace(*aDataStr))
+    while ((lineLen > 0) && nsCRT::IsAsciiSpace(*aDataStr)) {
      ++aDataStr;
+      --lineLen;
+    }
+
+    if (lineLen < 1) {
+      // invalid format, bail
+      return NS_ERROR_ILLEGAL_VALUE;
+    }

    char    *value = aDataStr;
-
    if (*aDataStr == '"' || *aDataStr == '\'') {
      // it's a quoted string. snarf everything up to the next quote character
      const char quotechar = *(aDataStr++);
+      lineLen--;
      ++value;
-      while (*aDataStr && *aDataStr != quotechar)
+      while ((lineLen > 0) && *aDataStr != quotechar) {
        ++aDataStr;
-      *aDataStr++ = '\0';
+        --lineLen;
+      }
+      if (lineLen > 0) {
+        *aDataStr++ = '\0';
+        --lineLen;
+      }

-      if (! aDataStr) {
-        NS_WARNING("quoted value not terminated");
+      if (!lineLen) {
+        // invalid format, bail
+        return NS_ERROR_ILLEGAL_VALUE;
      }
    } else {
      // it's unquoted. snarf until we see whitespace.
      value = aDataStr;
-      while (*aDataStr && (!nsCRT::IsAsciiSpace(*aDataStr)))
+      while ((lineLen > 0) && (!nsCRT::IsAsciiSpace(*aDataStr))) {
        ++aDataStr;
-      *aDataStr++ = '\0';
+        --lineLen;
+      }
+      if (lineLen > 0) {
+        *aDataStr++ = '\0';
+        --lineLen;
+      }
+      // even if we ran out of line length here, there's still a trailing zero
+      // byte afterwards
    }

    fieldType t = fieldType(mFormat[i]);
@ -404,7 +431,7 @@ nsDirIndexParser::ProcessData(nsIRequest *aRequest, nsISupports *aCtxt) {
            if (NS_FAILED(rv))
              return rv;
            
-            rv = ParseData(idx, ((char *)buf) + 4);
+            rv = ParseData(idx, ((char *)buf) + 4, lineLen - 4);
            if (NS_FAILED(rv)) {
              return rv;
            }
--- a/netwerk/streamconv/converters/nsDirIndexParser.h
+++ b/netwerk/streamconv/converters/nsDirIndexParser.h
@ -51,7 +51,7 @@ protected:

    nsresult ProcessData(nsIRequest *aRequest, nsISupports *aCtxt);
    nsresult ParseFormat(const char* buf);
-    nsresult ParseData(nsIDirIndex* aIdx, char* aDataStr);
+    nsresult ParseData(nsIDirIndex* aIdx, char* aDataStr, int32_t lineLen);

    struct Field {
        const char *mName;