authorChristophe Grenier <grenier@cgsecurity.org>2008-06-10 12:54:11 +0200
committerChristophe Grenier <grenier@cgsecurity.org>2008-06-10 12:54:11 +0200
commit721e07c84ddd8dee684525b80e9ac7764eb9f137 (patch)
tree83f694c14e3359bfdfefb9a3f428e01271b3fa06 /src/file_emf.c
parentbe35fb3259e89a5ad1831f2a746932d2a0d23662 (diff)
PhotoRec: fix out of bound read access
Diffstat (limited to 'src/file_emf.c')
-rw-r--r--src/file_emf.c5
1 files changed, 3 insertions, 2 deletions
diff --git a/src/file_emf.c b/src/file_emf.c
index 9eb365b..60c3175 100644
--- a/src/file_emf.c
+++ b/src/file_emf.c
@@ -180,11 +180,11 @@ static int header_check_emf(const unsigned char *buffer, const unsigned int buff
memcmp(&buffer[0x28],emf_sign,sizeof(emf_sign))==0)
{
unsigned int atom_size;
+ atom_size=buffer[4]+(buffer[5]<<8)+(buffer[6]<<16)+(buffer[7]<<24);
reset_file_recovery(file_recovery_new);
file_recovery_new->extension=file_hint_emf.extension;
file_recovery_new->data_check=data_check_emf;
file_recovery_new->file_check=&file_check_size;
- atom_size=buffer[4]+(buffer[5]<<8)+(buffer[6]<<16)+(buffer[7]<<24);
file_recovery_new->calculated_file_size=atom_size;
return 1;
}
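Review bot: The relocated little-endian read still shifts a promoted signed `int`: when `buffer[7]` is 0x80 or higher, `buffer[7]<<24` overflows `int`, which is undefined behaviour, and these bytes come straight from the data being carved. Casting before the shift keeps the arithmetic unsigned, e.g. `atom_size=buffer[4]+(buffer[5]<<8)+(buffer[6]<<16)+((unsigned int)buffer[7]<<24);`. The result is also stored in `calculated_file_size` with no lower bound, and `data_check_emf` appears to walk records starting from that offset. Rejecting a size smaller than the header would be a cheap extra guard, since the signature compare at 0x28 implies a header of at least 0x2c bytes, e.g. `if(atom_size<0x2c) return 0;` placed before `reset_file_recovery`. The enclosing `if` and the rest of `header_check_emf` begin outside this hunk, so whether `buffer_size` is checked against these offsets cannot be confirmed from here.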
@@ -193,7 +193,8 @@ static int header_check_emf(const unsigned char *buffer, const unsigned int buff
static int data_check_emf(const unsigned char *buffer, const unsigned int buffer_size, file_recovery_t *file_recovery)
{
- while(file_recovery->calculated_file_size + 8 < file_recovery->file_size + buffer_size/2)
+ while(file_recovery->calculated_file_size + buffer_size/2 >= file_recovery->file_size &&
+ file_recovery->calculated_file_size + 8 < file_recovery->file_size + buffer_size/2)
{
unsigned int atom_size;
unsigned int itype;