author | Christophe Grenier <grenier@cgsecurity.org> | 2008-06-10 12:54:11 +0200 |
---|---|---|
committer | Christophe Grenier <grenier@cgsecurity.org> | 2008-06-10 12:54:11 +0200 |
commit | 721e07c84ddd8dee684525b80e9ac7764eb9f137 (patch) | |
tree | 83f694c14e3359bfdfefb9a3f428e01271b3fa06 | |
parent | be35fb3259e89a5ad1831f2a746932d2a0d23662 (diff) |
PhotoRec: fix out of bound read access
-rw-r--r-- | src/file_ab.c | 5 | ||||
-rw-r--r-- | src/file_bld.c | 5 | ||||
-rw-r--r-- | src/file_crw.c | 2 | ||||
-rw-r--r-- | src/file_emf.c | 5 | ||||
-rw-r--r-- | src/file_evt.c | 5 | ||||
-rw-r--r-- | src/file_m2ts.c | 3 | ||||
-rw-r--r-- | src/file_mov.c | 5 | ||||
-rw-r--r-- | src/file_mp3.c | 6 | ||||
-rw-r--r-- | src/file_ogg.c | 5 |
9 files changed, 25 insertions, 16 deletions
diff --git a/src/file_ab.c b/src/file_ab.c index 489d118..00c8696 100644 --- a/src/file_ab.c +++ b/src/file_ab.c @@ -2,7 +2,7 @@ File: file_addressbook.c - Copyright (C) 2007 Christophe GRENIER <grenier@cgsecurity.org> + Copyright (C) 2007-2008 Christophe GRENIER <grenier@cgsecurity.org> This software is free software; you can redistribute it and/or modify it under the terms of the GNU General Public License as published by @@ -68,7 +68,8 @@ static int header_check_addressbook(const unsigned char *buffer, const unsigned static int data_check_addressbook(const unsigned char *buffer, const unsigned int buffer_size, file_recovery_t *file_recovery) { - while(file_recovery->calculated_file_size + 8 < file_recovery->file_size + buffer_size/2) + while(file_recovery->calculated_file_size + buffer_size/2 >= file_recovery->file_size && + file_recovery->calculated_file_size + 8 < file_recovery->file_size + buffer_size/2) { unsigned int i=file_recovery->calculated_file_size - file_recovery->file_size + buffer_size/2; #ifdef DEBUG_AB diff --git a/src/file_bld.c b/src/file_bld.c index fdf42b8..ce3b8a8 100644 --- a/src/file_bld.c +++ b/src/file_bld.c @@ -2,7 +2,7 @@ File: file_bld.c - Copyright (C) 2006-2007 Christophe GRENIER <grenier@cgsecurity.org> + Copyright (C) 2006-2008 Christophe GRENIER <grenier@cgsecurity.org> This software is free software; you can redistribute it and/or modify it under the terms of the GNU General Public License as published by 
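Review bot: The clause added to the `while` in data_check_addressbook carries no comment saying what it protects, and the same bare clause is repeated in data_check_blend4le, data_check_emf, data_check_evt, data_check_m2ts, data_check_mov, data_check_id3, data_check_mp3 and data_check_ogg. When `calculated_file_size + buffer_size/2` is below `file_size`, the expression assigned to `i` on the following line wraps (the field types are not visible here, presumably unsigned) and `buffer[i+...]` reads outside the buffer; in a recovery tool that parses damaged or untrusted media, that state is likely reachable from file content. I would put `/* calculated_file_size must still lie inside the current window, otherwise i wraps and indexes outside buffer */` above each loop, or move both comparisons into one shared static helper so the bound is written once. The loop bodies continue outside the hunks.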
@@ -85,7 +85,8 @@ static int header_check_blend(const unsigned char *buffer, const unsigned int bu static int data_check_blend4le(const unsigned char *buffer, const unsigned int buffer_size, file_recovery_t *file_recovery) { - while(file_recovery->calculated_file_size + 0x14 < file_recovery->file_size + buffer_size/2) + while(file_recovery->calculated_file_size + buffer_size/2 >= file_recovery->file_size && + file_recovery->calculated_file_size + 0x14 < file_recovery->file_size + buffer_size/2) { unsigned int len; unsigned int i=file_recovery->calculated_file_size - file_recovery->file_size + buffer_size/2; diff --git a/src/file_crw.c b/src/file_crw.c index a05875c..c38735d 100644 --- a/src/file_crw.c +++ b/src/file_crw.c @@ -2,7 +2,7 @@ File: file_crw.c - Copyright (C) 1998-2005,2007 Christophe GRENIER <grenier@cgsecurity.org> + Copyright (C) 1998-2005,2007-2008 Christophe GRENIER <grenier@cgsecurity.org> This software is free software; you can redistribute it and/or modify it under the terms of the GNU General Public License as published by diff --git a/src/file_emf.c b/src/file_emf.c index 9eb365b..60c3175 100644 --- a/src/file_emf.c +++ b/src/file_emf.c @@ -180,11 +180,11 @@ static int header_check_emf(const unsigned char *buffer, const unsigned int buff memcmp(&buffer[0x28],emf_sign,sizeof(emf_sign))==0) { unsigned int atom_size; + atom_size=buffer[4]+(buffer[5]<<8)+(buffer[6]<<16)+(buffer[7]<<24); reset_file_recovery(file_recovery_new); file_recovery_new->extension=file_hint_emf.extension; file_recovery_new->data_check=data_check_emf; file_recovery_new->file_check=&file_check_size; - atom_size=buffer[4]+(buffer[5]<<8)+(buffer[6]<<16)+(buffer[7]<<24); file_recovery_new->calculated_file_size=atom_size; return 1; } 
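Review bot: In header_check_emf the moved line `atom_size=buffer[4]+(buffer[5]<<8)+(buffer[6]<<16)+(buffer[7]<<24);` still shifts in `int`, because each `unsigned char` operand is promoted to `int` before the shift. With a 32-bit `int`, a `buffer[7]` of 0x80 or more overflows on `<<24`, which is undefined behaviour. The value comes straight from the scanned data and becomes `calculated_file_size`, so I would write `(unsigned int)buffer[7]<<24` and cast the other three bytes the same way. The function starts outside the hunk.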
@@ -193,7 +193,8 @@ static int header_check_emf(const unsigned char *buffer, const unsigned int buff static int data_check_emf(const unsigned char *buffer, const unsigned int buffer_size, file_recovery_t *file_recovery) { - while(file_recovery->calculated_file_size + 8 < file_recovery->file_size + buffer_size/2) + while(file_recovery->calculated_file_size + buffer_size/2 >= file_recovery->file_size && + file_recovery->calculated_file_size + 8 < file_recovery->file_size + buffer_size/2) { unsigned int atom_size; unsigned int itype; diff --git a/src/file_evt.c b/src/file_evt.c index 9764fbe..9dbab1f 100644 --- a/src/file_evt.c +++ b/src/file_evt.c @@ -2,7 +2,7 @@ File: file_evt.c - Copyright (C) 2007 Christophe GRENIER <grenier@cgsecurity.org> + Copyright (C) 2007-2008 Christophe GRENIER <grenier@cgsecurity.org> This software is free software; you can redistribute it and/or modify it under the terms of the GNU General Public License as published by @@ -69,7 +69,8 @@ static int header_check_evt(const unsigned char *buffer, const unsigned int buff static int data_check_evt(const unsigned char *buffer, const unsigned int buffer_size, file_recovery_t *file_recovery) { - while(file_recovery->calculated_file_size + 8 < file_recovery->file_size + buffer_size/2) + while(file_recovery->calculated_file_size + buffer_size/2 >= file_recovery->file_size && + file_recovery->calculated_file_size + 8 < file_recovery->file_size + buffer_size/2) { unsigned int i=file_recovery->calculated_file_size - file_recovery->file_size + buffer_size/2; if((buffer[i+4]=='L' && buffer[i+5]=='f' && buffer[i+6]=='L' && buffer[i+7]=='e') || diff --git a/src/file_m2ts.c b/src/file_m2ts.c index 37fa38e..085ad9f 100644 --- a/src/file_m2ts.c +++ b/src/file_m2ts.c 
@@ -101,7 +101,8 @@ static int header_check_m2t(const unsigned char *buffer, const unsigned int buff static int data_check_m2ts(const unsigned char *buffer, const unsigned int buffer_size, file_recovery_t *file_recovery) { - while(file_recovery->calculated_file_size + 5 < file_recovery->file_size + buffer_size/2) + while(file_recovery->calculated_file_size + buffer_size/2 >= file_recovery->file_size && + file_recovery->calculated_file_size + 5 < file_recovery->file_size + buffer_size/2) { unsigned int i=file_recovery->calculated_file_size - file_recovery->file_size + buffer_size/2; if(buffer[i+4]!=0x47) /* TS_SYNC_BYTE */ diff --git a/src/file_mov.c b/src/file_mov.c index 8a12773..e2d3439 100644 --- a/src/file_mov.c +++ b/src/file_mov.c @@ -2,7 +2,7 @@ File: file_mov.c - Copyright (C) 1998-2007 Christophe GRENIER <grenier@cgsecurity.org> + Copyright (C) 1998-2008 Christophe GRENIER <grenier@cgsecurity.org> This software is free software; you can redistribute it and/or modify it under the terms of the GNU General Public License as published by @@ -174,7 +174,8 @@ static int header_check_mov(const unsigned char *buffer, const unsigned int buff static int data_check_mov(const unsigned char *buffer, const unsigned int buffer_size, file_recovery_t *file_recovery) { - while(file_recovery->calculated_file_size + 8 < file_recovery->file_size + buffer_size/2) + while(file_recovery->calculated_file_size + buffer_size/2 >= file_recovery->file_size && + file_recovery->calculated_file_size + 8 < file_recovery->file_size + buffer_size/2) { unsigned int atom_size; unsigned int i; diff --git a/src/file_mp3.c b/src/file_mp3.c index 75b80d7..84fc7a5 100644 --- a/src/file_mp3.c +++ b/src/file_mp3.c 
@@ -235,7 +235,8 @@ static int header_check_mp3(const unsigned char *buffer, const unsigned int buff static int data_check_id3(const unsigned char *buffer, const unsigned int buffer_size, file_recovery_t *file_recovery) { - while(file_recovery->calculated_file_size < file_recovery->file_size + buffer_size/2) + while(file_recovery->calculated_file_size + buffer_size/2 >= file_recovery->file_size && + file_recovery->calculated_file_size + 1 < file_recovery->file_size + buffer_size/2) { unsigned int i=file_recovery->calculated_file_size - file_recovery->file_size + buffer_size/2; if(buffer[i]==0) @@ -254,7 +255,8 @@ static int data_check_id3(const unsigned char *buffer, const unsigned int buffer static int data_check_mp3(const unsigned char *buffer, const unsigned int buffer_size, file_recovery_t *file_recovery) { - while(file_recovery->calculated_file_size + 16 < file_recovery->file_size + buffer_size/2) + while(file_recovery->calculated_file_size + buffer_size/2 >= file_recovery->file_size && + file_recovery->calculated_file_size + 16 < file_recovery->file_size + buffer_size/2) { unsigned int MMT_size = 0; unsigned int i=file_recovery->calculated_file_size - file_recovery->file_size + buffer_size/2; diff --git a/src/file_ogg.c b/src/file_ogg.c index 675603b..40e62d0 100644 --- a/src/file_ogg.c +++ b/src/file_ogg.c @@ -2,7 +2,7 @@ File: file_ogg.c - Copyright (C) 1998-2005,2007 Christophe GRENIER <grenier@cgsecurity.org> + Copyright (C) 1998-2005,2007-2008 Christophe GRENIER <grenier@cgsecurity.org> This software is free software; you can redistribute it and/or modify it under the terms of the GNU General Public License as published by 
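Review bot: In data_check_id3 the upper bound changed from `calculated_file_size < ...` to `calculated_file_size + 1 < ...`, which is more than the underflow guard the other loops received. The visible body reads only `buffer[i]`, so the old bound already kept `i` below `buffer_size`; with `+ 1` the last byte of the window is left for the next call. If that is intended, a short comment on the loop should say why; if not, the second clause can stay `file_recovery->calculated_file_size < file_recovery->file_size + buffer_size/2`. The rest of the loop body is outside the hunk, so a read of `buffer[i+1]` further down cannot be ruled out from here.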
@@ -71,7 +71,8 @@ static int header_check_ogg(const unsigned char *buffer, const unsigned int buff /* http://www.ietf.org/rfc/rfc3533.txt */ static int data_check_ogg(const unsigned char *buffer, const unsigned int buffer_size, file_recovery_t *file_recovery) { - while(file_recovery->calculated_file_size + 27 + 255 < file_recovery->file_size + buffer_size/2) + while(file_recovery->calculated_file_size + buffer_size/2 >= file_recovery->file_size && + file_recovery->calculated_file_size + 27 +255 < file_recovery->file_size + buffer_size/2) { unsigned int i=file_recovery->calculated_file_size - file_recovery->file_size + buffer_size/2; if(memcmp(&buffer[i],ogg_header,sizeof(ogg_header))==0) |
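Review bot: The bound `27 +255` in data_check_ogg is a pair of unexplained literals with uneven spacing. From the RFC 3533 reference above the function these look like the 27-byte page header plus the largest possible segment table. A comment such as `/* 27-byte page header + up to 255 segment-table bytes (RFC 3533) */`, or two named constants, would let a reader check that every read in the body stays below that bound. The body continues outside the hunk.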