diff options
| author | Christophe Grenier <grenier@cgsecurity.org> | 2019-08-05 22:45:12 +0200 |
|---|---|---|
| committer | Christophe Grenier <grenier@cgsecurity.org> | 2019-08-05 22:45:12 +0200 |
| commit | 20d96c6668052fddd0169706dbc05d1fb7ada17c (patch) | |
| tree | daf7dad80ad14b9bb099bca19d8100b1c96e07b9 | |
| parent | 0a3650d64eff0641f5e33a761384031a45e79f25 (diff) | |
PhotoRec: add bound check while parsing ico files
| -rw-r--r-- | src/file_ico.c | 30 |
1 files changed, 14 insertions, 16 deletions
diff --git a/src/file_ico.c b/src/file_ico.c index 03bebb3..af2ae41 100644 --- a/src/file_ico.c +++ b/src/file_ico.c @@ -33,7 +33,6 @@ #include "log.h" static void register_header_check_ico(file_stat_t *file_stat); -static int header_check_ico(const unsigned char *buffer, const unsigned int buffer_size, const unsigned int safe_header_only, const file_recovery_t *file_recovery, file_recovery_t *file_recovery_new); const file_hint_t file_hint_ico= { .extension="ico", @@ -54,20 +53,6 @@ static const unsigned char header_ico7[6]= {0x00 , 0x00, 0x01, 0x00, 0x07, 0x00} static const unsigned char header_ico8[6]= {0x00 , 0x00, 0x01, 0x00, 0x08, 0x00}; static const unsigned char header_ico9[6]= {0x00 , 0x00, 0x01, 0x00, 0x09, 0x00}; - -static void register_header_check_ico(file_stat_t *file_stat) -{ - register_header_check(0, header_ico1, sizeof(header_ico1), &header_check_ico, file_stat); - register_header_check(0, header_ico2, sizeof(header_ico2), &header_check_ico, file_stat); - register_header_check(0, header_ico3, sizeof(header_ico3), &header_check_ico, file_stat); - register_header_check(0, header_ico4, sizeof(header_ico4), &header_check_ico, file_stat); - register_header_check(0, header_ico5, sizeof(header_ico5), &header_check_ico, file_stat); - register_header_check(0, header_ico6, sizeof(header_ico6), &header_check_ico, file_stat); - register_header_check(0, header_ico7, sizeof(header_ico7), &header_check_ico, file_stat); - register_header_check(0, header_ico8, sizeof(header_ico8), &header_check_ico, file_stat); - register_header_check(0, header_ico9, sizeof(header_ico9), &header_check_ico, file_stat); -} - /* * http://en.wikipedia.org/wiki/ICO_(icon_image_file_format) */ @@ -103,7 +88,7 @@ static int header_check_ico(const unsigned char *buffer, const unsigned int buff if(le16(ico->reserved)!=0 || le16(ico->type)!=1 || le16(ico->count)==0) return 0; for(i=0, ico_dir=(const struct ico_directory*)(ico+1); - i<le16(ico->count); + (const unsigned char *)(ico_dir+1) <= buffer+buffer_size && i<le16(ico->count); i++, ico_dir++) { #ifdef DEBUG_ICO @@ -157,3 +142,16 @@ static int header_check_ico(const unsigned char *buffer, const unsigned int buff file_recovery_new->file_check=&file_check_size; return 1; } + +static void register_header_check_ico(file_stat_t *file_stat) +{ + register_header_check(0, header_ico1, sizeof(header_ico1), &header_check_ico, file_stat); + register_header_check(0, header_ico2, sizeof(header_ico2), &header_check_ico, file_stat); + register_header_check(0, header_ico3, sizeof(header_ico3), &header_check_ico, file_stat); + register_header_check(0, header_ico4, sizeof(header_ico4), &header_check_ico, file_stat); + register_header_check(0, header_ico5, sizeof(header_ico5), &header_check_ico, file_stat); + register_header_check(0, header_ico6, sizeof(header_ico6), &header_check_ico, file_stat); + register_header_check(0, header_ico7, sizeof(header_ico7), &header_check_ico, file_stat); + register_header_check(0, header_ico8, sizeof(header_ico8), &header_check_ico, file_stat); + register_header_check(0, header_ico9, sizeof(header_ico9), &header_check_ico, file_stat); +} |