From b1dfdbc2197c2567cc34ecfecc98da3a18fe9e45 Mon Sep 17 00:00:00 2001
From: Alfred Kayser
Date: Mon, 25 Jan 2010 10:21:49 +0100
Subject: [PATCH] Bug 541828: crash in BuildFileList (r=tglek)
---
 modules/libjar/nsZipArchive.cpp | 2 ++
 1 file changed, 2 insertions(+)
diff --git a/modules/libjar/nsZipArchive.cpp b/modules/libjar/nsZipArchive.cpp
index 0d3c6390542..74e94feec18 100644
--- a/modules/libjar/nsZipArchive.cpp
+++ b/modules/libjar/nsZipArchive.cpp
@@ -538,6 +538,8 @@ nsresult nsZipArchive::BuildFileList()
 //-- Read the central directory headers
 buf = startp + centralOffset;
+ if (endp - buf < sizeof(PRUint32))
+ return NS_ERROR_FILE_CORRUPTED;
 PRUint32 sig = xtolong(buf);
 while (sig == CENTRALSIG) {
 // Make sure there is enough data available.
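Review bot: The added guard `if (endp - buf < sizeof(PRUint32))` compares a signed pointer difference with an unsigned `sizeof`, so it does not reject a `centralOffset` that lands beyond `endp`. In that case `endp - buf` is negative, converts to a very large unsigned value, the test is false, and `xtolong(buf)` still reads outside the mapped archive. `centralOffset` appears to come from the archive itself, and any earlier validation of it is outside this hunk, so this should be confirmed against the rest of `BuildFileList`. It would be safer to validate the offset against the buffer length before forming the pointer, placed above `buf = startp + centralOffset;`: `if (centralOffset > size_t(endp - startp) || size_t(endp - startp) - centralOffset < sizeof(PRUint32)) return NS_ERROR_FILE_CORRUPTED;`. That form also avoids computing an out-of-range pointer and the signed/unsigned comparison warning.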