Severity: Unrated (NVD Advisory) · Published Nov 29, 2002 · Updated Jun 16, 2026

CVE-2002-1308

Description

Heap-based buffer overflow in Netscape and Mozilla allows remote attackers to execute arbitrary code via a jar: URL that references a malformed .jar file, which overflows a buffer during decompression.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Affected products

13 affected products in total:

  • Mozilla (mozilla):
    • cpe:2.3:a:mozilla:mozilla:0.9.6:*:*:*:*:*:*:*
    • cpe:2.3:a:mozilla:mozilla:0.9.7:*:*:*:*:*:*:*
    • cpe:2.3:a:mozilla:mozilla:0.9.8:*:*:*:*:*:*:*
    • cpe:2.3:a:mozilla:mozilla:0.9.9:*:*:*:*:*:*:*
    • cpe:2.3:a:mozilla:mozilla:1.0:*:*:*:*:*:*:*
    • cpe:2.3:a:mozilla:mozilla:1.0.1:*:*:*:*:*:*:*
    • cpe:2.3:a:mozilla:mozilla:1.1:*:*:*:*:*:*:*
    • (one affected product listed without a CPE)
  • Netscape Navigator (netscape):
    • cpe:2.3:a:netscape:navigator:6.2:*:*:*:*:*:*:*
    • cpe:2.3:a:netscape:navigator:6.2.1:*:*:*:*:*:*:*
    • cpe:2.3:a:netscape:navigator:6.2.2:*:*:*:*:*:*:*
    • cpe:2.3:a:netscape:navigator:6.2.3:*:*:*:*:*:*:*
    • cpe:2.3:a:netscape:navigator:7.0:*:*:*:*:*:*:*

Vulnerability mechanics

Root cause

"The decompression loop in `InflateItem` copies data into a heap buffer sized by the ZIP entry's `realsize` field without verifying that the actual decompressed output fits, enabling a heap-based buffer overflow."

Attack vector

An attacker crafts a malformed `.jar` file where the stored `realsize` field is smaller than the actual decompressed data (e.g., patching the size from 24 to 1). When a victim opens a `jar:` URL pointing to this file, the browser allocates a heap buffer based on the forged `realsize` and then decompresses the entry, writing far more data than allocated. This heap-based buffer overflow [CWE-122] can overwrite adjacent heap metadata or function pointers, leading to arbitrary code execution.

Affected code

The vulnerability resides in `mozilla/modules/libjar/nsZipArchive.cpp` in the `InflateItem` function. The heap overflow occurs at the `memcpy` call around line 1387, where the decompressed data is copied into a buffer allocated using the `realsize` value from the ZIP entry without verifying that the actual decompressed output fits within that buffer. A patch was applied that adds a bounds check before the `memcpy` and returns `ZIP_ERR_CORRUPT` on overflow.

What the fix does

The patch replaces a bare `PR_ASSERT` (which is a no-op in release builds) with a proper runtime bounds check: if `outpos + ZIP_BUFLEN` exceeds `bigBufSize`, the code sets `status = ZIP_ERR_CORRUPT` and breaks out of the loop instead of performing the `memcpy`. This ensures that even if the ZIP entry advertises a smaller `realsize` than the actual decompressed output, the copy is safely aborted and the archive is treated as corrupt.
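To make the bounds check concrete, here is an added, self-contained C simulation of the copy loop described above; it is not Mozilla's `nsZipArchive.cpp` code. zlib is replaced by a stub that hands out plain bytes in `ZIP_BUFLEN`-sized chunks, the numeric values of `ZIP_BUFLEN` and the `ZIP_ERR_*` codes are assumed, and the check is written against the chunk's actual length (`outpos + n > bigBufSize`) rather than the full `ZIP_BUFLEN`, so that a legitimate entry whose size is not a multiple of the chunk size is still accepted.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

#define ZIP_BUFLEN 8        /* assumed chunk size standing in for Mozilla's constant */
#define ZIP_OK 0
#define ZIP_ERR_CORRUPT 1   /* assumed numeric values; only the names are from the advisory */
#define ZIP_ERR_MEMORY 2

/* Stand-in for zlib: yields up to ZIP_BUFLEN bytes of "decompressed" output per call. */
typedef struct { const uint8_t *src; size_t len, pos; } fake_zstream;

static size_t fake_inflate(fake_zstream *zs, uint8_t *outbuf) {
    size_t n = zs->len - zs->pos;
    if (n > ZIP_BUFLEN) n = ZIP_BUFLEN;
    memcpy(outbuf, zs->src + zs->pos, n);
    zs->pos += n;
    return n;
}

/* Fixed-style copy loop: bigBuf is sized by the entry's untrusted realsize, so
 * each chunk is bounds-checked before memcpy. On ZIP_OK the caller owns *out. */
int inflate_item(const uint8_t *entry, size_t entry_len, uint32_t realsize,
                 uint8_t **out, size_t *out_len) {
    uint8_t outbuf[ZIP_BUFLEN];
    size_t bigBufSize = realsize, outpos = 0, n;   /* realsize comes from the archive */
    uint8_t *bigBuf = malloc(bigBufSize ? bigBufSize : 1);
    fake_zstream zs = { entry, entry_len, 0 };
    int status = ZIP_OK;
    *out = NULL; *out_len = 0;
    if (!bigBuf) return ZIP_ERR_MEMORY;
    while ((n = fake_inflate(&zs, outbuf)) > 0) {
        if (outpos + n > bigBufSize) {  /* the fix: pre-fix code only had a PR_ASSERT here */
            status = ZIP_ERR_CORRUPT; break;
        }
        memcpy(bigBuf + outpos, outbuf, n);
        outpos += n;
    }
    if (status != ZIP_OK) { free(bigBuf); return status; }
    *out = bigBuf; *out_len = outpos;
    return ZIP_OK;
}

/* Constructed 24-byte entry; the declared realsize is the field a crafted archive forges. */
static const uint8_t kEntry[24] = "0123456789abcdefghijklm";

int run_case(uint32_t declared_realsize, size_t *got_len) {
    uint8_t *buf; size_t len;
    int st = inflate_item(kEntry, sizeof kEntry, declared_realsize, &buf, &len);
    if (got_len) *got_len = len;
    free(buf);                      /* free(NULL) is a no-op on the error path */
    return st;
}
```

`run_case(24, ...)` (honest size) returns `ZIP_OK` with 24 bytes, while `run_case(1, ...)` (the "24 patched to 1" case from the attack vector) stops before the first `memcpy` and returns `ZIP_ERR_CORRUPT`.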

Preconditions

  • Config: the victim must use a vulnerable version of Netscape or Mozilla that processes `jar:` URLs.
  • Network: the attacker must host a crafted `.jar` file on an HTTP server accessible to the victim.
  • Input: the victim must navigate to a `jar:http://...!/filename` URL referencing the malicious archive.

Generated on Jun 17, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
