author | Christophe Grenier <grenier@cgsecurity.org> | 2025-06-24 22:28:25 +0200 |
---|---|---|
committer | Christophe Grenier <grenier@cgsecurity.org> | 2025-06-24 22:28:25 +0200 |
commit | 74fa7468af03a7534c569f97f5b141abde40e521 (patch) | |
tree | 26bf6807a296d45b73e6afb0d3e8011948fbd5cc /src | |
parent | 2a935826055d0aed784f11d212b6dabb7445c418 (diff) |
Thanks to Eric Zimmerman for reporting the regression.
Diffstat (limited to 'src')
-rw-r--r-- | src/file_lnk.c | 24 |
1 files changed, 13 insertions, 11 deletions
diff --git a/src/file_lnk.c b/src/file_lnk.c
index deb8c05a..e4985904 100644
--- a/src/file_lnk.c
+++ b/src/file_lnk.c
@@ -2,7 +2,7 @@
 File: file_lnk.c
- Copyright (C) 2008 Christophe GRENIER <grenier@cgsecurity.org>
+ Copyright (C) 2008-2025 Christophe GRENIER <grenier@cgsecurity.org>
 This software is free software; you can redistribute it and/or modify
 it under the terms of the GNU General Public License as published by
@@ -193,33 +193,35 @@ static unsigned int lnk_get_size(const unsigned char *buffer, const unsigned int
 i+=len;
 }
 /* avoid out of bound read access */
- if(i >= buffer_size - 2)
+ if(i >= buffer_size - 4)
 return 0;
 /*@
- @ loop invariant i < buffer_size-2;
+ @ loop invariant i < buffer_size-4;
 @ loop assigns i;
- @ loop variant buffer_size-2 - i;
+ @ loop variant buffer_size-4 - i;
 @*/
 while(1)
 {
 /* avoid out of bound read access */
- const uint16_t *ptr;
+ const uint32_t *ptr;
 unsigned int len;
- ptr=(const uint16_t *)&buffer[i];
+ ptr=(const uint32_t *)&buffer[i];
 /*@ assert \valid_read(ptr); */
- len=le16(*ptr);
+ len=le32(*ptr);
 #ifdef DEBUG_LNK
 log_debug("LNK 0x%04x - %u bytes\n", i, len);
 #endif
- if(len == 0)
+ if(len < 4)
 {
 #ifdef DEBUG_LNK
 log_debug("LNK size %u (0x%04x)\n", i, i);
 #endif
- return i;
+ return i+4;
 }
- i+=2;
- if(i >= buffer_size - 2)
+ if(len >= buffer_size - 4)
+ return 0;
+ i+=len;
+ if(i >= buffer_size - 4)
 return 0;
 }
 }
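Review bot: The new `ptr=(const uint32_t *)&buffer[i]; len=le32(*ptr);` in the while loop reads a 32-bit value through a pointer that is only checked for validity, not alignment: `i` is now advanced by a `len` taken straight from the file (`i+=len`), so `&buffer[i]` can land on any byte offset, and dereferencing it as `uint32_t` is undefined behaviour in C and a hard fault on strict-alignment targets (the old `uint16_t` read had the same weakness, but the 4-byte type widens it, and the `\valid_read(ptr)` assertion says nothing about alignment). Copying into a local removes both the alignment and the strict-aliasing concern: `uint32_t raw; memcpy(&raw, &buffer[i], sizeof raw); len=le32(raw);` (this assumes `<string.h>` is already included, which the hunk does not show). Separately, `buffer_size - 4` wraps to a huge value when `buffer_size < 4`, so every bounds check in this loop would then pass; if callers do not already guarantee a minimum buffer size, an explicit `if(buffer_size < 4) return 0;` ahead of the first check would close that, and the `buffer_size-4` bound should also be restated in the function's ACSL precondition. lnk_get_size begins before this hunk, so the earlier handling of `i` and `buffer_size` is not visible here.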