authorChristophe Grenier <grenier@cgsecurity.org>2020-06-18 19:05:19 +0200
committerChristophe Grenier <grenier@cgsecurity.org>2020-06-18 19:05:19 +0200
commit1fc9388c0d965beb1930544f793b4d56410d3c96 (patch)
tree7a5659dc6b50402847516f8f37e548b845c61148
parentfa497bec6173ec0088412d409ff8590206a13ba0 (diff)
src/file_asf.c: stricter check in header_check_asf()
-rw-r--r--src/file_asf.c47
1 files changed, 28 insertions, 19 deletions
diff --git a/src/file_asf.c b/src/file_asf.c
index 8f96d2a..a9a7650 100644
--- a/src/file_asf.c
+++ b/src/file_asf.c
@@ -66,24 +66,29 @@ struct asf_stream_prop_s {
unsigned char stream_type[16];
} __attribute__ ((gcc_struct, __packed__));
+static const char *extension_wma="wma";
+static const char *extension_wmv="wmv";
+
static int header_check_asf(const unsigned char *buffer, const unsigned int buffer_size, const unsigned int safe_header_only, const file_recovery_t *file_recovery, file_recovery_t *file_recovery_new)
{
const struct asf_header_obj_s *hdr=(const struct asf_header_obj_s*)buffer;
- unsigned int i;
- const struct asf_file_prop_s *prop=(const struct asf_file_prop_s*)(hdr+1);
+ const char *extension=file_hint_asf.extension;
+ const unsigned int nbr_header_obj=le32(hdr->nbr_header_obj);
uint64_t size=0;
time_t time=0;
- const char *extension=file_hint_asf.extension;
+ unsigned int i;
+ uint64_t offset_prop=sizeof(struct asf_header_obj_s);
/* Header + File Properties + Stream Properties + Header Extension */
if(le64(hdr->object_size)<30 ||
le64(hdr->object_size)>buffer_size ||
- le32(hdr->nbr_header_obj)<4)
+ nbr_header_obj<4)
return 0;
for(i=0;
- i<le32(hdr->nbr_header_obj) &&
- (const unsigned char *)prop+0x28 < buffer + buffer_size;
- i++, prop=(const struct asf_file_prop_s *)((const char *)prop + le64(prop->object_size)))
+ i < nbr_header_obj && offset_prop + 0x28 < buffer_size;
+ i++)
{
+ const struct asf_file_prop_s *prop=(const struct asf_file_prop_s*)&buffer[offset_prop];
+ const uint64_t object_size=le64(prop->object_size);
// ASF_File_Properties_Object // 8CABDCA1-A947-11CF-8EE4-00C00C205365
// ASF_Stream_Properties_Object // B7DC0791-A9B7-11CF-8EE6-00C00C205365
static const unsigned char asf_file_prop_id[16]= {
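Review bot: The new loop condition `offset_prop + 0x28 < buffer_size` repeats the unexplained constant 0x28 that also appears in the two `object_size < 0x28` checks further down, and nothing in the hunk says what it measures. If it is the size of the File/Stream Properties object header that the body reads through `prop`, a comment on the loop, `/* 0x28: bytes of the properties object read below must lie inside buffer */`, would make the bound auditable, and the strict `<` rejects an object that ends exactly at buffer_size, which is safe but slightly stricter than needed. The walk is bounded only by buffer_size, not by `le64(hdr->object_size)`, which the preceding check already validated; if the sub-objects are meant to fit inside the header object, adding that bound would be the natural "stricter check" here, though I cannot confirm that layout from the hunk. header_check_asf's body continues in the following hunks.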
@@ -94,18 +99,20 @@ static int header_check_asf(const unsigned char *buffer, const unsigned int buff
0x91, 0x07, 0xdc, 0xb7, 0xb7, 0xa9, 0xcf, 0x11,
0x8e, 0xe6, 0x00, 0xc0, 0x0c, 0x20, 0x53, 0x65
};
- if(le64(prop->object_size) < 0x18)
+ if(object_size < 0x18)
{
- log_info("header_check_asf object_size too small %llu\n", (long long unsigned)le64(prop->object_size));
+ log_info("header_check_asf object_size too small %llu\n", (long long unsigned)object_size);
return 0;
}
+ if(object_size > 0x8000000000000000)
+ return 0;
if(memcmp(prop->object_id, asf_file_prop_id, sizeof(asf_file_prop_id))==0)
{
- if(le64(prop->object_size) < 0x28)
- return 0;
- if(le64(prop->file_size) < sizeof(struct asf_header_obj_s) + sizeof(struct asf_file_prop_s))
+ if(object_size < 0x28)
return 0;
size=le64(prop->file_size);
+ if(size < sizeof(struct asf_header_obj_s) + sizeof(struct asf_file_prop_s))
+ return 0;
time=td_ntfs2utc(le64(prop->file_date));
}
else if(memcmp(prop->object_id, asf_stream_prop_s, sizeof(asf_stream_prop_s))==0)
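Review bot: The added `if(object_size > 0x8000000000000000) return 0;` is a bare magic value with no comment, and its purpose only becomes clear from `offset_prop+=object_size;` in the last hunk: it keeps the uint64_t accumulation from wrapping, since offset_prop is below buffer_size (an unsigned int) when the addition happens. A reader seeing only this hunk cannot tell that, so a comment such as `/* object_size is attacker-controlled: cap it so offset_prop+=object_size below cannot wrap uint64_t */` should sit on the check. A value this large can never be a valid object inside the buffer, so the check could equally be phrased against buffer_size, but the overflow rationale is what needs recording. The enclosing loop starts in the previous hunk and ends in the next.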
@@ -117,25 +124,27 @@ static int header_check_asf(const unsigned char *buffer, const unsigned int buff
const char wmv[16]={
0xc0, 0xef, 0x19, 0xbc, 0x4d, 0x5b, 0xcf, 0x11, 0xa8, 0xfd, 0x00, 0x80, 0x5f, 0x5c, 0x44, 0x2b
};
- if(le64(prop->object_size) < 0x28)
+ if(object_size < 0x28)
return 0;
if(memcmp(stream->stream_type, wma, sizeof(wma))==0)
- extension="wma";
+ extension=extension_wma;
else if(memcmp(stream->stream_type, wmv, sizeof(wmv))==0)
- extension="wmv";
+ extension=extension_wmv;
}
- if(le64(prop->object_size) > buffer_size)
- break;
+ offset_prop+=object_size;
}
+ if(size > 0 && size < offset_prop)
+ return 0;
reset_file_recovery(file_recovery_new);
file_recovery_new->extension=extension;
+ file_recovery_new->min_filesize=offset_prop;
+ file_recovery_new->time=time;
if(size > 0)
{
- file_recovery_new->calculated_file_size=le64(size);
+ file_recovery_new->calculated_file_size=size;
file_recovery_new->data_check=&data_check_size;
file_recovery_new->file_check=&file_check_size;
}
- file_recovery_new->time=time;
return 1;
}
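Review bot: `file_recovery_new->min_filesize=offset_prop;` assigns a uint64_t to a field whose type is not visible in the hunk; if min_filesize is narrower than 64 bits the value is silently truncated, which would weaken the stricter check this commit introduces (offset_prop can exceed buffer_size after the last `offset_prop+=object_size;`). If the field is 64-bit this is fine; otherwise clamp or reject before assigning, e.g. `if(offset_prop > buffer_size) return 0;` ahead of `reset_file_recovery(file_recovery_new);` would both bound it and refuse headers whose declared objects run past the validated data. The new post-loop guard `if(size > 0 && size < offset_prop) return 0;` deserves a one-line comment stating its intent, `/* declared file size cannot be smaller than the header objects already parsed */`.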