summaryrefslogtreecommitdiffstats
path: root/src/file_mp3.c
diff options
context:
space:
mode:
authorChristophe Grenier <grenier@cgsecurity.org>2008-06-10 12:54:11 +0200
committerChristophe Grenier <grenier@cgsecurity.org>2008-06-10 12:54:11 +0200
commit721e07c84ddd8dee684525b80e9ac7764eb9f137 (patch)
tree83f694c14e3359bfdfefb9a3f428e01271b3fa06 /src/file_mp3.c
parentbe35fb3259e89a5ad1831f2a746932d2a0d23662 (diff)
PhotoRec: fix out of bound read access
Diffstat (limited to 'src/file_mp3.c')
-rw-r--r--src/file_mp3.c6
1 files changed, 4 insertions, 2 deletions
diff --git a/src/file_mp3.c b/src/file_mp3.c
index 75b80d7..84fc7a5 100644
--- a/src/file_mp3.c
+++ b/src/file_mp3.c
@@ -235,7 +235,8 @@ static int header_check_mp3(const unsigned char *buffer, const unsigned int buff
static int data_check_id3(const unsigned char *buffer, const unsigned int buffer_size, file_recovery_t *file_recovery)
{
- while(file_recovery->calculated_file_size < file_recovery->file_size + buffer_size/2)
+ while(file_recovery->calculated_file_size + buffer_size/2 >= file_recovery->file_size &&
+ file_recovery->calculated_file_size + 1 < file_recovery->file_size + buffer_size/2)
{
unsigned int i=file_recovery->calculated_file_size - file_recovery->file_size + buffer_size/2;
if(buffer[i]==0)
@@ -254,7 +255,8 @@ static int data_check_id3(const unsigned char *buffer, const unsigned int buffer
static int data_check_mp3(const unsigned char *buffer, const unsigned int buffer_size, file_recovery_t *file_recovery)
{
- while(file_recovery->calculated_file_size + 16 < file_recovery->file_size + buffer_size/2)
+ while(file_recovery->calculated_file_size + buffer_size/2 >= file_recovery->file_size &&
+ file_recovery->calculated_file_size + 16 < file_recovery->file_size + buffer_size/2)
{
unsigned int MMT_size = 0;
unsigned int i=file_recovery->calculated_file_size - file_recovery->file_size + buffer_size/2;