nss/sign-sprintf-check.patch

diff -up ./nss/cmd/signtool/sign.c.org ./nss/cmd/signtool/sign.c
--- ./nss/cmd/signtool/sign.c.org	2018-01-18 15:19:59.000000000 +0100
+++ ./nss/cmd/signtool/sign.c	2018-01-29 22:46:32.599450048 +0100
@@ -83,7 +83,12 @@ SignArchive(char *tree, char *keyName, c
         /* rsa/dsa to zip */
         sprintf(tempfn, "META-INF/%s.%s", base, (keyType == dsaKey ? "dsa"
                                                                    : "rsa"));
-        sprintf(fullfn, "%s/%s", tree, tempfn);
+        if (snprintf(fullfn, FNSIZE, "%s/%s", tree, tempfn) >= FNSIZE) {
+            PR_fprintf(errorFD, "buffer overflow, the tree \"%s\" was NOT SUCCESSFULLY SIGNED\n",
+                       tree);
+            errorCount++;
+            exit(ERRX);
+        }
         JzipAdd(fullfn, tempfn, zipfile, compression_level);
 
         /* Loop through all files & subdirectories, add to archive */
@@ -93,12 +98,22 @@ SignArchive(char *tree, char *keyName, c
     }
     /* mf to zip */
     strcpy(tempfn, "META-INF/manifest.mf");
-    sprintf(fullfn, "%s/%s", tree, tempfn);
+    if (snprintf(fullfn, FNSIZE, "%s/%s", tree, tempfn) >= FNSIZE) {
+        PR_fprintf(errorFD, "buffer overflow, the tree \"%s\" was NOT SUCCESSFULLY SIGNED\n",
+                   tree);
+        errorCount++;
+        exit(ERRX);
+    }
     JzipAdd(fullfn, tempfn, zipfile, compression_level);
 
     /* sf to zip */
     sprintf(tempfn, "META-INF/%s.sf", base);
-    sprintf(fullfn, "%s/%s", tree, tempfn);
+    if (snprintf(fullfn, FNSIZE, "%s/%s", tree, tempfn) >= FNSIZE) {
+        PR_fprintf(errorFD, "buffer overflow, the tree \"%s\" was NOT SUCCESSFULLY SIGNED\n",
+                   tree);
+        errorCount++;
+        exit(ERRX);
+    }
     JzipAdd(fullfn, tempfn, zipfile, compression_level);
 
     /* Add the rsa/dsa file to the zip archive normally */
@@ -106,7 +121,12 @@ SignArchive(char *tree, char *keyName, c
         /* rsa/dsa to zip */
         sprintf(tempfn, "META-INF/%s.%s", base, (keyType == dsaKey ? "dsa"
                                                                    : "rsa"));
-        sprintf(fullfn, "%s/%s", tree, tempfn);
+        if (snprintf(fullfn, FNSIZE, "%s/%s", tree, tempfn) >= FNSIZE) {
+            PR_fprintf(errorFD, "buffer overflow, the tree \"%s\" was NOT SUCCESSFULLY SIGNED\n",
+                       tree);
+            errorCount++;
+            exit(ERRX);
+        }
         JzipAdd(fullfn, tempfn, zipfile, compression_level);
     }
Fix a compiler error with gcc 8, mozbz#1434070 2018-01-29 21:58:11 +00:00			`diff -up ./nss/cmd/signtool/sign.c.org ./nss/cmd/signtool/sign.c`
			`--- ./nss/cmd/signtool/sign.c.org 2018-01-18 15:19:59.000000000 +0100`
			`+++ ./nss/cmd/signtool/sign.c 2018-01-29 22:46:32.599450048 +0100`
			`@@ -83,7 +83,12 @@ SignArchive(char tree, char keyName, c`
			`/* rsa/dsa to zip */`
			`sprintf(tempfn, "META-INF/%s.%s", base, (keyType == dsaKey ? "dsa"`
			`: "rsa"));`
			`- sprintf(fullfn, "%s/%s", tree, tempfn);`
			`+ if (snprintf(fullfn, FNSIZE, "%s/%s", tree, tempfn) >= FNSIZE) {`
			`+ PR_fprintf(errorFD, "buffer overflow, the tree \"%s\" was NOT SUCCESSFULLY SIGNED\n",`
			`+ tree);`
			`+ errorCount++;`
			`+ exit(ERRX);`
			`+ }`
			`JzipAdd(fullfn, tempfn, zipfile, compression_level);`

			`/* Loop through all files & subdirectories, add to archive */`
			`@@ -93,12 +98,22 @@ SignArchive(char tree, char keyName, c`
			`}`
			`/* mf to zip */`
			`strcpy(tempfn, "META-INF/manifest.mf");`
			`- sprintf(fullfn, "%s/%s", tree, tempfn);`
			`+ if (snprintf(fullfn, FNSIZE, "%s/%s", tree, tempfn) >= FNSIZE) {`
			`+ PR_fprintf(errorFD, "buffer overflow, the tree \"%s\" was NOT SUCCESSFULLY SIGNED\n",`
			`+ tree);`
			`+ errorCount++;`
			`+ exit(ERRX);`
			`+ }`
			`JzipAdd(fullfn, tempfn, zipfile, compression_level);`

			`/* sf to zip */`
			`sprintf(tempfn, "META-INF/%s.sf", base);`
			`- sprintf(fullfn, "%s/%s", tree, tempfn);`
			`+ if (snprintf(fullfn, FNSIZE, "%s/%s", tree, tempfn) >= FNSIZE) {`
			`+ PR_fprintf(errorFD, "buffer overflow, the tree \"%s\" was NOT SUCCESSFULLY SIGNED\n",`
			`+ tree);`
			`+ errorCount++;`
			`+ exit(ERRX);`
			`+ }`
			`JzipAdd(fullfn, tempfn, zipfile, compression_level);`

			`/* Add the rsa/dsa file to the zip archive normally */`
			`@@ -106,7 +121,12 @@ SignArchive(char tree, char keyName, c`
			`/* rsa/dsa to zip */`
			`sprintf(tempfn, "META-INF/%s.%s", base, (keyType == dsaKey ? "dsa"`
			`: "rsa"));`
			`- sprintf(fullfn, "%s/%s", tree, tempfn);`
			`+ if (snprintf(fullfn, FNSIZE, "%s/%s", tree, tempfn) >= FNSIZE) {`
			`+ PR_fprintf(errorFD, "buffer overflow, the tree \"%s\" was NOT SUCCESSFULLY SIGNED\n",`
			`+ tree);`
			`+ errorCount++;`
			`+ exit(ERRX);`
			`+ }`
			`JzipAdd(fullfn, tempfn, zipfile, compression_level);`
			`}`