diff options
| author | janekptacijarabaci <janekptacijarabaci@seznam.cz> | 2018-03-27 15:57:18 +0200 |
|---|---|---|
| committer | janekptacijarabaci <janekptacijarabaci@seznam.cz> | 2018-03-27 15:57:18 +0200 |
| commit | d990d8ab2cade6c928e8bbe56ae038d020cef599 (patch) | |
| tree | c7561ae0f303cb0d4a7a7507178531b4852e4dea /security/nss/lib/dbm | |
| parent | 0c36b27511c1fbca594f0426c493ef601fda3e4c (diff) | |
| parent | 8d5ec757ece850fb7ad5c712868f305636e41177 (diff) | |
| download | UXP-d990d8ab2cade6c928e8bbe56ae038d020cef599.tar UXP-d990d8ab2cade6c928e8bbe56ae038d020cef599.tar.gz UXP-d990d8ab2cade6c928e8bbe56ae038d020cef599.tar.lz UXP-d990d8ab2cade6c928e8bbe56ae038d020cef599.tar.xz UXP-d990d8ab2cade6c928e8bbe56ae038d020cef599.zip | |
Merge branch 'master' of https://github.com/MoonchildProductions/UXP into js_array_values_1
Diffstat (limited to 'security/nss/lib/dbm')
| -rw-r--r-- | security/nss/lib/dbm/src/h_page.c | 15 | ||||
| -rw-r--r-- | security/nss/lib/dbm/src/hash.c | 3 |
2 files changed, 16 insertions, 2 deletions
diff --git a/security/nss/lib/dbm/src/h_page.c b/security/nss/lib/dbm/src/h_page.c index bf1252aeb..e5623224b 100644 --- a/security/nss/lib/dbm/src/h_page.c +++ b/security/nss/lib/dbm/src/h_page.c @@ -426,6 +426,9 @@ ugly_split(HTAB *hashp, uint32 obucket, BUFHEAD *old_bufp, last_bfp = NULL; scopyto = (uint16)copyto; /* ANSI */ + if (ino[0] < 1) { + return DATABASE_CORRUPTED_ERROR; + } n = ino[0] - 1; while (n < ino[0]) { @@ -463,7 +466,13 @@ ugly_split(HTAB *hashp, uint32 obucket, BUFHEAD *old_bufp, * Fix up the old page -- the extra 2 are the fields * which contained the overflow information. */ + if (ino[0] < (moved + 2)) { + return DATABASE_CORRUPTED_ERROR; + } ino[0] -= (moved + 2); + if (scopyto < sizeof(uint16) * (ino[0] + 3)) { + return DATABASE_CORRUPTED_ERROR; + } FREESPACE(ino) = scopyto - sizeof(uint16) * (ino[0] + 3); OFFSET(ino) = scopyto; @@ -486,8 +495,14 @@ ugly_split(HTAB *hashp, uint32 obucket, BUFHEAD *old_bufp, for (n = 1; (n < ino[0]) && (ino[n + 1] >= REAL_KEY); n += 2) { cino = (char *)ino; key.data = (uint8 *)cino + ino[n]; + if (off < ino[n]) { + return DATABASE_CORRUPTED_ERROR; + } key.size = off - ino[n]; val.data = (uint8 *)cino + ino[n + 1]; + if (ino[n] < ino[n + 1]) { + return DATABASE_CORRUPTED_ERROR; + } val.size = ino[n] - ino[n + 1]; off = ino[n + 1]; diff --git a/security/nss/lib/dbm/src/hash.c b/security/nss/lib/dbm/src/hash.c index b80aad4d3..98b1c07c7 100644 --- a/security/nss/lib/dbm/src/hash.c +++ b/security/nss/lib/dbm/src/hash.c @@ -704,8 +704,7 @@ hash_put( return (DBM_ERROR); } - rv = hash_access(hashp, flag == R_NOOVERWRITE ? HASH_PUTNEW - : HASH_PUT, + rv = hash_access(hashp, flag == R_NOOVERWRITE ? HASH_PUTNEW : HASH_PUT, (DBT *)key, (DBT *)data); if (rv == DATABASE_CORRUPTED_ERROR) { |