PhotoRec: fix out of bound read access

author: Christophe Grenier <grenier@cgsecurity.org> 2008-06-10 12:54:11 +0200
committer: Christophe Grenier <grenier@cgsecurity.org> 2008-06-10 12:54:11 +0200
commit: 721e07c84ddd8dee684525b80e9ac7764eb9f137 (patch)
tree: 83f694c14e3359bfdfefb9a3f428e01271b3fa06
parent: be35fb3259e89a5ad1831f2a746932d2a0d23662 (diff)
9 files changed, 25 insertions, 16 deletions
diff --git a/src/file_ab.c b/src/file_ab.c
index 489d118..00c8696 100644
--- a/src/file_ab.c
+++ b/src/file_ab.c
@@ -2,7 +2,7 @@
 
     File: file_addressbook.c
 
-    Copyright (C) 2007 Christophe GRENIER <grenier@cgsecurity.org>
+    Copyright (C) 2007-2008 Christophe GRENIER <grenier@cgsecurity.org>
   
     This software is free software; you can redistribute it and/or modify
     it under the terms of the GNU General Public License as published by
@@ -68,7 +68,8 @@ static int header_check_addressbook(const unsigned char *buffer, const unsigned
 
 static int data_check_addressbook(const unsigned char *buffer, const unsigned int buffer_size, file_recovery_t *file_recovery)
 {
-  while(file_recovery->calculated_file_size + 8 < file_recovery->file_size + buffer_size/2)
+  while(file_recovery->calculated_file_size + buffer_size/2  >= file_recovery->file_size &&
+      file_recovery->calculated_file_size + 8 < file_recovery->file_size + buffer_size/2)
   {
     unsigned int i=file_recovery->calculated_file_size - file_recovery->file_size + buffer_size/2;
 #ifdef DEBUG_AB
diff --git a/src/file_bld.c b/src/file_bld.c
index fdf42b8..ce3b8a8 100644
--- a/src/file_bld.c
+++ b/src/file_bld.c
@@ -2,7 +2,7 @@
 
     File: file_bld.c
 
-    Copyright (C) 2006-2007 Christophe GRENIER <grenier@cgsecurity.org>
+    Copyright (C) 2006-2008 Christophe GRENIER <grenier@cgsecurity.org>
   
     This software is free software; you can redistribute it and/or modify
     it under the terms of the GNU General Public License as published by
@@ -85,7 +85,8 @@ static int header_check_blend(const unsigned char *buffer, const unsigned int bu
 
 static int data_check_blend4le(const unsigned char *buffer, const unsigned int buffer_size, file_recovery_t *file_recovery)
 {
-  while(file_recovery->calculated_file_size + 0x14 < file_recovery->file_size + buffer_size/2)
+  while(file_recovery->calculated_file_size + buffer_size/2  >= file_recovery->file_size &&
+      file_recovery->calculated_file_size + 0x14 < file_recovery->file_size + buffer_size/2)
   {
     unsigned int len;
     unsigned int i=file_recovery->calculated_file_size - file_recovery->file_size + buffer_size/2;
diff --git a/src/file_crw.c b/src/file_crw.c
index a05875c..c38735d 100644
--- a/src/file_crw.c
+++ b/src/file_crw.c
@@ -2,7 +2,7 @@
 
     File: file_crw.c
 
-    Copyright (C) 1998-2005,2007 Christophe GRENIER <grenier@cgsecurity.org>
+    Copyright (C) 1998-2005,2007-2008 Christophe GRENIER <grenier@cgsecurity.org>
   
     This software is free software; you can redistribute it and/or modify
     it under the terms of the GNU General Public License as published by
diff --git a/src/file_emf.c b/src/file_emf.c
index 9eb365b..60c3175 100644
--- a/src/file_emf.c
+++ b/src/file_emf.c
@@ -180,11 +180,11 @@ static int header_check_emf(const unsigned char *buffer, const unsigned int buff
       memcmp(&buffer[0x28],emf_sign,sizeof(emf_sign))==0)
   {
     unsigned int atom_size;
+    atom_size=buffer[4]+(buffer[5]<<8)+(buffer[6]<<16)+(buffer[7]<<24);
     reset_file_recovery(file_recovery_new);
     file_recovery_new->extension=file_hint_emf.extension;
     file_recovery_new->data_check=data_check_emf;
     file_recovery_new->file_check=&file_check_size;
-    atom_size=buffer[4]+(buffer[5]<<8)+(buffer[6]<<16)+(buffer[7]<<24);
     file_recovery_new->calculated_file_size=atom_size;
     return 1;
   }
@@ -193,7 +193,8 @@ static int header_check_emf(const unsigned char *buffer, const unsigned int buff
 
 static int data_check_emf(const unsigned char *buffer, const unsigned int buffer_size, file_recovery_t *file_recovery)
 {
-  while(file_recovery->calculated_file_size + 8 < file_recovery->file_size + buffer_size/2)
+  while(file_recovery->calculated_file_size + buffer_size/2  >= file_recovery->file_size &&
+      file_recovery->calculated_file_size + 8 < file_recovery->file_size + buffer_size/2)
   {
     unsigned int atom_size;
     unsigned int itype;
diff --git a/src/file_evt.c b/src/file_evt.c
index 9764fbe..9dbab1f 100644
--- a/src/file_evt.c
+++ b/src/file_evt.c
@@ -2,7 +2,7 @@
 
     File: file_evt.c
 
-    Copyright (C) 2007 Christophe GRENIER <grenier@cgsecurity.org>
+    Copyright (C) 2007-2008 Christophe GRENIER <grenier@cgsecurity.org>
   
     This software is free software; you can redistribute it and/or modify
     it under the terms of the GNU General Public License as published by
@@ -69,7 +69,8 @@ static int header_check_evt(const unsigned char *buffer, const unsigned int buff
 
 static int data_check_evt(const unsigned char *buffer, const unsigned int buffer_size, file_recovery_t *file_recovery)
 {
-  while(file_recovery->calculated_file_size + 8 < file_recovery->file_size + buffer_size/2)
+  while(file_recovery->calculated_file_size + buffer_size/2  >= file_recovery->file_size &&
+      file_recovery->calculated_file_size + 8 < file_recovery->file_size + buffer_size/2)
   {
     unsigned int i=file_recovery->calculated_file_size - file_recovery->file_size + buffer_size/2;
     if((buffer[i+4]=='L' && buffer[i+5]=='f' && buffer[i+6]=='L' && buffer[i+7]=='e') ||
diff --git a/src/file_m2ts.c b/src/file_m2ts.c
index 37fa38e..085ad9f 100644
--- a/src/file_m2ts.c
+++ b/src/file_m2ts.c
@@ -101,7 +101,8 @@ static int header_check_m2t(const unsigned char *buffer, const unsigned int buff
 
 static int data_check_m2ts(const unsigned char *buffer, const unsigned int buffer_size, file_recovery_t *file_recovery)
 {
-  while(file_recovery->calculated_file_size + 5 < file_recovery->file_size + buffer_size/2)
+  while(file_recovery->calculated_file_size + buffer_size/2  >= file_recovery->file_size &&
+      file_recovery->calculated_file_size + 5 < file_recovery->file_size + buffer_size/2)
   {
     unsigned int i=file_recovery->calculated_file_size - file_recovery->file_size + buffer_size/2;
     if(buffer[i+4]!=0x47)	/* TS_SYNC_BYTE */
diff --git a/src/file_mov.c b/src/file_mov.c
index 8a12773..e2d3439 100644
--- a/src/file_mov.c
+++ b/src/file_mov.c
@@ -2,7 +2,7 @@
 
     File: file_mov.c
 
-    Copyright (C) 1998-2007 Christophe GRENIER <grenier@cgsecurity.org>
+    Copyright (C) 1998-2008 Christophe GRENIER <grenier@cgsecurity.org>
   
     This software is free software; you can redistribute it and/or modify
     it under the terms of the GNU General Public License as published by
@@ -174,7 +174,8 @@ static int header_check_mov(const unsigned char *buffer, const unsigned int buff
 
 static int data_check_mov(const unsigned char *buffer, const unsigned int buffer_size, file_recovery_t *file_recovery)
 {
-  while(file_recovery->calculated_file_size + 8 < file_recovery->file_size + buffer_size/2)
+  while(file_recovery->calculated_file_size + buffer_size/2  >= file_recovery->file_size &&
+      file_recovery->calculated_file_size + 8 < file_recovery->file_size + buffer_size/2)
   {
     unsigned int atom_size;
     unsigned int i;
diff --git a/src/file_mp3.c b/src/file_mp3.c
index 75b80d7..84fc7a5 100644
--- a/src/file_mp3.c
+++ b/src/file_mp3.c
@@ -235,7 +235,8 @@ static int header_check_mp3(const unsigned char *buffer, const unsigned int buff
 
 static int data_check_id3(const unsigned char *buffer, const unsigned int buffer_size, file_recovery_t *file_recovery)
 {
-  while(file_recovery->calculated_file_size < file_recovery->file_size + buffer_size/2)
+  while(file_recovery->calculated_file_size + buffer_size/2  >= file_recovery->file_size &&
+      file_recovery->calculated_file_size + 1 < file_recovery->file_size + buffer_size/2)
   {
     unsigned int i=file_recovery->calculated_file_size - file_recovery->file_size + buffer_size/2;
     if(buffer[i]==0)
@@ -254,7 +255,8 @@ static int data_check_id3(const unsigned char *buffer, const unsigned int buffer
 
 static int data_check_mp3(const unsigned char *buffer, const unsigned int buffer_size, file_recovery_t *file_recovery)
 {
-  while(file_recovery->calculated_file_size + 16 < file_recovery->file_size + buffer_size/2)
+  while(file_recovery->calculated_file_size + buffer_size/2  >= file_recovery->file_size &&
+      file_recovery->calculated_file_size + 16 < file_recovery->file_size + buffer_size/2)
   {
     unsigned int MMT_size = 0;
     unsigned int i=file_recovery->calculated_file_size - file_recovery->file_size + buffer_size/2;
diff --git a/src/file_ogg.c b/src/file_ogg.c
index 675603b..40e62d0 100644
--- a/src/file_ogg.c
+++ b/src/file_ogg.c
@@ -2,7 +2,7 @@
 
     File: file_ogg.c
 
-    Copyright (C) 1998-2005,2007 Christophe GRENIER <grenier@cgsecurity.org>
+    Copyright (C) 1998-2005,2007-2008 Christophe GRENIER <grenier@cgsecurity.org>
   
     This software is free software; you can redistribute it and/or modify
     it under the terms of the GNU General Public License as published by
@@ -71,7 +71,8 @@ static int header_check_ogg(const unsigned char *buffer, const unsigned int buff
 /* http://www.ietf.org/rfc/rfc3533.txt */
 static int data_check_ogg(const unsigned char *buffer, const unsigned int buffer_size, file_recovery_t *file_recovery)
 {
-  while(file_recovery->calculated_file_size + 27 + 255 < file_recovery->file_size + buffer_size/2)
+  while(file_recovery->calculated_file_size + buffer_size/2  >= file_recovery->file_size &&
+      file_recovery->calculated_file_size + 27 +255 < file_recovery->file_size + buffer_size/2)
   {
     unsigned int i=file_recovery->calculated_file_size - file_recovery->file_size + buffer_size/2;
     if(memcmp(&buffer[i],ogg_header,sizeof(ogg_header))==0)
author	Christophe Grenier <grenier@cgsecurity.org>	2008-06-10 12:54:11 +0200
committer	Christophe Grenier <grenier@cgsecurity.org>	2008-06-10 12:54:11 +0200
commit	721e07c84ddd8dee684525b80e9ac7764eb9f137 (patch)
tree	83f694c14e3359bfdfefb9a3f428e01271b3fa06
parent	be35fb3259e89a5ad1831f2a746932d2a0d23662 (diff)