authorChristophe Grenier <grenier@cgsecurity.org>2025-06-24 22:28:25 +0200
committerChristophe Grenier <grenier@cgsecurity.org>2025-06-24 22:28:25 +0200
commit74fa7468af03a7534c569f97f5b141abde40e521 (patch)
tree26bf6807a296d45b73e6afb0d3e8011948fbd5cc /src
parent2a935826055d0aed784f11d212b6dabb7445c418 (diff)
src/file_lnk.c: fix extra data block parsing, should get the correct lnk size.HEADmaster
Thanks to Eric Zimmerman for reporting the regression.
Diffstat (limited to 'src')
-rw-r--r--src/file_lnk.c24
1 files changed, 13 insertions, 11 deletions
diff --git a/src/file_lnk.c b/src/file_lnk.c
index deb8c05a..e4985904 100644
--- a/src/file_lnk.c
+++ b/src/file_lnk.c
@@ -2,7 +2,7 @@
File: file_lnk.c
- Copyright (C) 2008 Christophe GRENIER <grenier@cgsecurity.org>
+ Copyright (C) 2008-2025 Christophe GRENIER <grenier@cgsecurity.org>
This software is free software; you can redistribute it and/or modify
it under the terms of the GNU General Public License as published by
@@ -193,33 +193,35 @@ static unsigned int lnk_get_size(const unsigned char *buffer, const unsigned int
i+=len;
}
/* avoid out of bound read access */
- if(i >= buffer_size - 2)
+ if(i >= buffer_size - 4)
return 0;
/*@
- @ loop invariant i < buffer_size-2;
+ @ loop invariant i < buffer_size-4;
@ loop assigns i;
- @ loop variant buffer_size-2 - i;
+ @ loop variant buffer_size-4 - i;
@*/
while(1)
{
/* avoid out of bound read access */
- const uint16_t *ptr;
+ const uint32_t *ptr;
unsigned int len;
- ptr=(const uint16_t *)&buffer[i];
+ ptr=(const uint32_t *)&buffer[i];
/*@ assert \valid_read(ptr); */
- len=le16(*ptr);
+ len=le32(*ptr);
#ifdef DEBUG_LNK
log_debug("LNK 0x%04x - %u bytes\n", i, len);
#endif
- if(len == 0)
+ if(len < 4)
{
#ifdef DEBUG_LNK
log_debug("LNK size %u (0x%04x)\n", i, i);
#endif
- return i;
+ return i+4;
}
- i+=2;
- if(i >= buffer_size - 2)
+ if(len >= buffer_size - 4)
+ return 0;
+ i+=len;
+ if(i >= buffer_size - 4)
return 0;
}
}
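Review bot: The read `ptr=(const uint32_t *)&buffer[i];` dereferences a 4-byte pointer at an offset `i` that is accumulated from length fields taken from the file being parsed, so nothing in the hunk guarantees 4-byte alignment. That is undefined behaviour in C and can fault on strict-alignment targets when a damaged or crafted LNK yields an odd offset. Copying the bytes out avoids it: `uint32_t raw; memcpy(&raw, &buffer[i], sizeof(raw)); len=le32(raw);` (assuming `<string.h>` is already included in this file, which the hunk does not show). Separately, the `DEBUG_LNK` message in the `len < 4` branch still prints `i` while the function now returns `i+4`, so the logged size no longer matches the result. lnk_get_size begins outside the hunk, so whether `buffer_size` can ever be below 4 (which would wrap the unsigned `buffer_size - 4` and defeat both guards) cannot be confirmed from here.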