Merge commit '50d3e596bbe89c95615f96eb71f6bc5be737a1db' into Basilisk-releasev2018.07.18

# Conflicts: # browser/app/profile/firefox.js # browser/components/preferences/jar.mn
author: wolfbeast <mcwerewolf@gmail.com> 2018-07-18 08:24:24 +0200
committer: wolfbeast <mcwerewolf@gmail.com> 2018-07-18 08:24:24 +0200
commit: fc61780b35af913801d72086456f493f63197da6 (patch)
tree: f85891288a7bd988da9f0f15ae64e5c63f00d493 /security/nss/lib/dbm
parent: 69f7f9e5f1475891ce11cc4f431692f965b0cd30 (diff)
parent: 50d3e596bbe89c95615f96eb71f6bc5be737a1db (diff)
download: UXP-2018.07.18.tar
UXP-2018.07.18.tar.gz
UXP-2018.07.18.tar.lz
UXP-2018.07.18.tar.xz
UXP-2018.07.18.zip
2 files changed, 16 insertions, 2 deletions
diff --git a/security/nss/lib/dbm/src/h_page.c b/security/nss/lib/dbm/src/h_page.c
index bf1252aeb..e5623224b 100644
--- a/security/nss/lib/dbm/src/h_page.c
+++ b/security/nss/lib/dbm/src/h_page.c
@@ -426,6 +426,9 @@ ugly_split(HTAB *hashp, uint32 obucket, BUFHEAD *old_bufp,
     last_bfp = NULL;
     scopyto = (uint16)copyto; /* ANSI */
 
+    if (ino[0] < 1) {
+        return DATABASE_CORRUPTED_ERROR;
+    }
     n = ino[0] - 1;
     while (n < ino[0]) {
 
@@ -463,7 +466,13 @@ ugly_split(HTAB *hashp, uint32 obucket, BUFHEAD *old_bufp,
              * Fix up the old page -- the extra 2 are the fields
              * which contained the overflow information.
              */
+            if (ino[0] < (moved + 2)) {
+                return DATABASE_CORRUPTED_ERROR;
+            }
             ino[0] -= (moved + 2);
+            if (scopyto < sizeof(uint16) * (ino[0] + 3)) {
+                return DATABASE_CORRUPTED_ERROR;
+            }
             FREESPACE(ino) =
                 scopyto - sizeof(uint16) * (ino[0] + 3);
             OFFSET(ino) = scopyto;
@@ -486,8 +495,14 @@ ugly_split(HTAB *hashp, uint32 obucket, BUFHEAD *old_bufp,
         for (n = 1; (n < ino[0]) && (ino[n + 1] >= REAL_KEY); n += 2) {
             cino = (char *)ino;
             key.data = (uint8 *)cino + ino[n];
+            if (off < ino[n]) {
+                return DATABASE_CORRUPTED_ERROR;
+            }
             key.size = off - ino[n];
             val.data = (uint8 *)cino + ino[n + 1];
+            if (ino[n] < ino[n + 1]) {
+                return DATABASE_CORRUPTED_ERROR;
+            }
             val.size = ino[n] - ino[n + 1];
             off = ino[n + 1];
 
diff --git a/security/nss/lib/dbm/src/hash.c b/security/nss/lib/dbm/src/hash.c
index b80aad4d3..98b1c07c7 100644
--- a/security/nss/lib/dbm/src/hash.c
+++ b/security/nss/lib/dbm/src/hash.c
@@ -704,8 +704,7 @@ hash_put(
         return (DBM_ERROR);
     }
 
-    rv = hash_access(hashp, flag == R_NOOVERWRITE ? HASH_PUTNEW
-                                                  : HASH_PUT,
+    rv = hash_access(hashp, flag == R_NOOVERWRITE ? HASH_PUTNEW : HASH_PUT,
                      (DBT *)key, (DBT *)data);
 
     if (rv == DATABASE_CORRUPTED_ERROR) {
author	wolfbeast <mcwerewolf@gmail.com>	2018-07-18 08:24:24 +0200
committer	wolfbeast <mcwerewolf@gmail.com>	2018-07-18 08:24:24 +0200
commit	fc61780b35af913801d72086456f493f63197da6 (patch)
tree	f85891288a7bd988da9f0f15ae64e5c63f00d493 /security/nss/lib/dbm
parent	69f7f9e5f1475891ce11cc4f431692f965b0cd30 (diff)
parent	50d3e596bbe89c95615f96eb71f6bc5be737a1db (diff)
download	UXP-2018.07.18.tar UXP-2018.07.18.tar.gz UXP-2018.07.18.tar.lz UXP-2018.07.18.tar.xz UXP-2018.07.18.zip