int CVE_2014_1496_thunderbird3_1_20_PatchFile::Prepare() { LOG(("PREPARE PATCH %s\n", mFile)); // extract the patch to a temporary file mPatchIndex = sPatchIndex++; NS_tsnprintf(spath, sizeof(spath)/sizeof(spath[0]), NS_T("%s/%d.patch"), gSourcePath, mPatchIndex); NS_tremove(spath); FILE *fp = NS_tfopen(spath, NS_T("wb")); if (!fp) return WRITE_ERROR; int rv = gArchiveReader.ExtractFileToStream(mPatchFile, fp); fclose(fp); return rv; }
static void DoUpdate(NS_tchar *path) { NS_tchar spath[MAXPATHLEN]; NS_tchar dpath[MAXPATHLEN]; NS_tchar upstatus[MAXPATHLEN]; NS_tchar upparams[MAXPATHLEN]; NS_tchar sysdir[MAXPATHLEN]; NS_tchar msiexec[MAXPATHLEN]; NS_tsnprintf(spath, MAXPATHLEN, NS_T("%s/update.mar"), path); NS_tsnprintf(dpath, MAXPATHLEN, NS_T("%s/update.msi"), path); NS_tsnprintf(upstatus, MAXPATHLEN, NS_T("%s/update.status"), path); NS_tsnprintf(upparams, MAXPATHLEN, NS_T("%s/../../update.params"), path); GetSystemDirectory(sysdir, MAXPATHLEN); NS_tsnprintf(msiexec, MAXPATHLEN, NS_T("%s\\msiexec.exe"), sysdir); int rv = NS_taccess(spath, F_OK | R_OK | W_OK); if (rv != OK) { LOG(("failed: can't access update.mar (rv=%d)\n", rv)); NS_tremove(spath); NS_tremove(upstatus); return; } NS_tremove(dpath); rv = NS_trename(spath, dpath); if (rv != OK) { LOG(("failed: can't rename update.mar (rv=%d)\n", rv)); NS_tremove(spath); NS_tremove(upstatus); return; } WCharReplace(dpath, L'/', L'\\'); int largc = 3; NS_tchar* largv[16]; //16 being max largv[0] = msiexec; //first arg is the path to msiexec.exe largv[1] = NS_T("/i"); //second arg is the install-flag largv[2] = dpath; //third arg is the path to update.msi NS_tchar argbuf[MAXPATHLEN]; int start = 0; int end = 0; rv = NS_taccess(upparams, F_OK | R_OK); char buf[MAXPATHLEN]; if (rv == OK) { int fd = NS_topen(upparams, O_RDONLY | O_BINARY); if (fd >= 0) { int num = read(fd, buf, MAXPATHLEN - 1); if (num > 0) { buf[num] = '\0'; for (int i = 0; i <= num; ++i) { if (buf[i] != ' ' && buf[i] != '\n' && buf[i] != '\r' && buf[i] != '\0') argbuf[end++] = buf[i]; else if (end > start) { //we had an arg largv[largc++] = argbuf + start; argbuf[end++] = '\0'; start = end; } } } else LOG(("warn: can't read update.params\n")); } else LOG(("warn: can't open update.params\n")); } else LOG(("warn: can't access update.params (rv=%d)\n", rv)); //for (int i = 0; i < largc; ++i) // NS_tfprintf(stderr, NS_T("arg[%d]=%s\n"), i, largv[i]); LOG(("info: running %ls %ls %ls\n", largv[0], largv[1], largv[2])); LaunchApp(path, largc, largv); LOG(("succeeded\n")); //WriteStatusFile(path, rv); NS_tremove(upstatus); }