src/file_lnk.c: fix extra data block parsing, should get the correct lnk size.HEADmaster

Thanks to Eric Zimmerman for reporting the regression.

1 files changed, 13 insertions, 11 deletions

diff --git a/src/file_lnk.c b/src/file_lnk.c
index deb8c05a..e4985904 100644
--- a/src/file_lnk.c
+++ b/src/file_lnk.c
@@ -2,7 +2,7 @@
 
     File: file_lnk.c
 
-    Copyright (C) 2008 Christophe GRENIER <grenier@cgsecurity.org>
+    Copyright (C) 2008-2025 Christophe GRENIER <grenier@cgsecurity.org>
   
     This software is free software; you can redistribute it and/or modify
     it under the terms of the GNU General Public License as published by
@@ -193,33 +193,35 @@ static unsigned int lnk_get_size(const unsigned char *buffer, const unsigned int
     i+=len;
   }
   /* avoid out of bound read access */
-  if(i >= buffer_size - 2)
+  if(i >= buffer_size - 4)
     return 0;
   /*@
-    @ loop invariant i < buffer_size-2;
+    @ loop invariant i < buffer_size-4;
     @ loop assigns i;
-    @ loop variant buffer_size-2 - i;
+    @ loop variant buffer_size-4 - i;
     @*/
   while(1)
   {
     /* avoid out of bound read access */
-    const uint16_t *ptr;
+    const uint32_t *ptr;
     unsigned int len;
-    ptr=(const uint16_t *)&buffer[i];
+    ptr=(const uint32_t *)&buffer[i];
     /*@ assert \valid_read(ptr); */
-    len=le16(*ptr);
+    len=le32(*ptr);
 #ifdef DEBUG_LNK
     log_debug("LNK 0x%04x - %u bytes\n", i, len);
 #endif
-    if(len == 0)
+    if(len < 4)
     {
 #ifdef DEBUG_LNK
       log_debug("LNK size %u (0x%04x)\n", i, i);
 #endif
-      return i;
+      return i+4;
     }
-    i+=2;
-    if(i >= buffer_size - 2)
+    if(len >= buffer_size - 4)
+      return 0;
+    i+=len;
+    if(i >= buffer_size - 4)
       return 0;
   }
 }