authorChristophe Grenier <grenier@cgsecurity.org>2014-07-26 22:33:38 +0200
committerChristophe Grenier <grenier@cgsecurity.org>2014-07-26 22:33:38 +0200
commitdfbfaa1211784287c4efac494629b163f07967dc (patch)
tree1d2a96a29c4cf3185f6ed6bdfed900ff3a097ba2 /src/file_pst.c
parente31b51b52770bd3023aeda68f715b9a84c9d3ed2 (diff)
PhotoRec: stricter check for .pst files
Diffstat (limited to 'src/file_pst.c')
-rw-r--r--src/file_pst.c122
1 files changed, 64 insertions, 58 deletions
diff --git a/src/file_pst.c b/src/file_pst.c
index bec6ed1..beead2b 100644
--- a/src/file_pst.c
+++ b/src/file_pst.c
@@ -44,22 +44,27 @@ const file_hint_t file_hint_pst= {
.register_header_check=&register_header_check_pst
};
-static const unsigned char pst_header[4]= { '!','B','D','N'};
-static const unsigned char dbx_header[4]= { 0xCF, 0xAD, 0x12, 0xFE };
-static const unsigned char wab_header[16] = { 0x9c, 0xcb, 0xcb, 0x8d, 0x13, 0x75, 0xd2, 0x11,
- 0x91, 0x58, 0x00, 0xc0, 0x4f, 0x79, 0x56, 0xa4 };
-
-static void register_header_check_pst(file_stat_t *file_stat)
-{
- register_header_check(0, pst_header,sizeof(pst_header), &header_check_pst, file_stat);
- register_header_check(0, dbx_header,sizeof(dbx_header), &header_check_pst, file_stat);
- register_header_check(0, wab_header,sizeof(wab_header), &header_check_pst, file_stat);
-}
-
#define INDEX_TYPE_OFFSET 0x0A
#define FILE_SIZE_POINTER 0xA8
#define FILE_SIZE_POINTER_64 0xB8
#define DBX_SIZE_POINTER 0x7C
+
+static int header_check_dbx(const unsigned char *buffer, const unsigned int buffer_size, const unsigned int safe_header_only, const file_recovery_t *file_recovery, file_recovery_t *file_recovery_new)
+{
+ const uint64_t size=(uint64_t)buffer[DBX_SIZE_POINTER] +
+ (((uint64_t)buffer[DBX_SIZE_POINTER+1])<<8) +
+ (((uint64_t)buffer[DBX_SIZE_POINTER+2])<<16) +
+ (((uint64_t)buffer[DBX_SIZE_POINTER+3])<<24);
+ if(size < DBX_SIZE_POINTER + 4)
+ return 0;
+ reset_file_recovery(file_recovery_new);
+ file_recovery_new->extension="dbx";
+ file_recovery_new->calculated_file_size=size;
+ file_recovery_new->data_check=&data_check_size;
+ file_recovery_new->file_check=&file_check_size;
+ return 1;
+}
+
/*
Outlook 2000
0x0000 uchar signature[4];
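Review bot: header_check_dbx reads buffer[DBX_SIZE_POINTER] through buffer[DBX_SIZE_POINTER+3] (offsets 0x7C to 0x7F) without consulting buffer_size, so it relies on the caller always passing at least 0x80 bytes; that guarantee is not visible in this diff. Because these bytes come straight from the medium being carved, a guard at the top of the function, `if(buffer_size < DBX_SIZE_POINTER + 4) return 0;`, would make the bound explicit. The same applies to header_check_pst in the next hunk, which reads up to buffer[FILE_SIZE_POINTER_64+7] (offset 0xBF). The new test puts only a lower bound on size; if larger values are meant to be left to data_check_size and file_check_size, a one-line comment saying so would help.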
@@ -85,59 +90,60 @@ static void register_header_check_pst(file_stat_t *file_stat)
http://www.five-ten-sg.com/libpst/
*/
+static int header_check_wab(const unsigned char *buffer, const unsigned int buffer_size, const unsigned int safe_header_only, const file_recovery_t *file_recovery, file_recovery_t *file_recovery_new)
+{
+ reset_file_recovery(file_recovery_new);
+ file_recovery_new->extension="wab"; /* Adresse Book */
+ return 1;
+}
+
static int header_check_pst(const unsigned char *buffer, const unsigned int buffer_size, const unsigned int safe_header_only, const file_recovery_t *file_recovery, file_recovery_t *file_recovery_new)
{
- if(memcmp(buffer,wab_header,sizeof(wab_header))==0)
+ if(buffer[INDEX_TYPE_OFFSET]==0x0e ||
+ buffer[INDEX_TYPE_OFFSET]==0x0f)
{
+ const uint64_t size=(uint64_t)buffer[FILE_SIZE_POINTER] +
+ (((uint64_t)buffer[FILE_SIZE_POINTER+1])<<8) +
+ (((uint64_t)buffer[FILE_SIZE_POINTER+2])<<16) +
+ (((uint64_t)buffer[FILE_SIZE_POINTER+3])<<24);
+ if(size < 0x1cd)
+ return 0;
+ /* Outlook 2000 and older versions */
reset_file_recovery(file_recovery_new);
- file_recovery_new->extension="wab"; /* Adresse Book */
+ file_recovery_new->extension=file_hint_pst.extension;
+ file_recovery_new->calculated_file_size=size;
+ file_recovery_new->data_check=&data_check_size;
+ file_recovery_new->file_check=&file_check_size;
return 1;
}
- if(memcmp(buffer,dbx_header,sizeof(dbx_header))==0)
- {
+ else
+ // if(buffer[INDEX_TYPE_OFFSET]==0x15 || buffer[INDEX_TYPE_OFFSET]==0x17)
+ { /* Outlook 2003 */
+ const uint64_t size=(uint64_t)buffer[FILE_SIZE_POINTER_64] +
+ (((uint64_t)buffer[FILE_SIZE_POINTER_64+1])<<8) +
+ (((uint64_t)buffer[FILE_SIZE_POINTER_64+2])<<16) +
+ (((uint64_t)buffer[FILE_SIZE_POINTER_64+3])<<24) +
+ (((uint64_t)buffer[FILE_SIZE_POINTER_64+4])<<32) +
+ (((uint64_t)buffer[FILE_SIZE_POINTER_64+5])<<40) +
+ (((uint64_t)buffer[FILE_SIZE_POINTER_64+6])<<48) +
+ (((uint64_t)buffer[FILE_SIZE_POINTER_64+7])<<56);
+ if(size < 0x201)
+ return 0;
reset_file_recovery(file_recovery_new);
- file_recovery_new->extension="dbx";
- file_recovery_new->calculated_file_size=(uint64_t)buffer[DBX_SIZE_POINTER] +
- (((uint64_t)buffer[DBX_SIZE_POINTER+1])<<8) +
- (((uint64_t)buffer[DBX_SIZE_POINTER+2])<<16) +
- (((uint64_t)buffer[DBX_SIZE_POINTER+3])<<24);
- file_recovery_new->data_check=&data_check_size;
- file_recovery_new->file_check=&file_check_size;
+ file_recovery_new->extension=file_hint_pst.extension;
+ file_recovery_new->calculated_file_size=size;
+ file_recovery_new->data_check=&data_check_size;
+ file_recovery_new->file_check=&file_check_size;
return 1;
}
- if(memcmp(buffer,pst_header,sizeof(pst_header))==0)
- {
- if(buffer[INDEX_TYPE_OFFSET]==0x0e ||
- buffer[INDEX_TYPE_OFFSET]==0x0f)
- {
- /* Outlook 2000 and older versions */
- reset_file_recovery(file_recovery_new);
- file_recovery_new->extension=file_hint_pst.extension;
- file_recovery_new->calculated_file_size=(uint64_t)buffer[FILE_SIZE_POINTER] +
- (((uint64_t)buffer[FILE_SIZE_POINTER+1])<<8) +
- (((uint64_t)buffer[FILE_SIZE_POINTER+2])<<16) +
- (((uint64_t)buffer[FILE_SIZE_POINTER+3])<<24);
- file_recovery_new->data_check=&data_check_size;
- file_recovery_new->file_check=&file_check_size;
- return 1;
- }
- else
-// if(buffer[INDEX_TYPE_OFFSET]==0x15 || buffer[INDEX_TYPE_OFFSET]==0x17)
- { /* Outlook 2003 */
- reset_file_recovery(file_recovery_new);
- file_recovery_new->extension=file_hint_pst.extension;
- file_recovery_new->calculated_file_size=(uint64_t)buffer[FILE_SIZE_POINTER_64] +
- (((uint64_t)buffer[FILE_SIZE_POINTER_64+1])<<8) +
- (((uint64_t)buffer[FILE_SIZE_POINTER_64+2])<<16) +
- (((uint64_t)buffer[FILE_SIZE_POINTER_64+3])<<24) +
- (((uint64_t)buffer[FILE_SIZE_POINTER_64+4])<<32) +
- (((uint64_t)buffer[FILE_SIZE_POINTER_64+5])<<40) +
- (((uint64_t)buffer[FILE_SIZE_POINTER_64+6])<<48) +
- (((uint64_t)buffer[FILE_SIZE_POINTER_64+7])<<56);
- file_recovery_new->data_check=&data_check_size;
- file_recovery_new->file_check=&file_check_size;
- return 1;
- }
- }
- return 0;
+}
+
+static void register_header_check_pst(file_stat_t *file_stat)
+{
+ static const unsigned char dbx_header[4]= { 0xCF, 0xAD, 0x12, 0xFE };
+ static const unsigned char wab_header[16] = { 0x9c, 0xcb, 0xcb, 0x8d, 0x13, 0x75, 0xd2, 0x11,
+ 0x91, 0x58, 0x00, 0xc0, 0x4f, 0x79, 0x56, 0xa4 };
+ register_header_check(0, "!BDN", 4, &header_check_pst, file_stat);
+ register_header_check(0, dbx_header,sizeof(dbx_header), &header_check_dbx, file_stat);
+ register_header_check(0, wab_header,sizeof(wab_header), &header_check_wab, file_stat);
}
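Review bot: In header_check_pst the `else` branch still accepts every value of buffer[INDEX_TYPE_OFFSET] other than 0x0e/0x0f as the 64-bit layout, because the 0x15/0x17 test stays commented out. Any block that starts with "!BDN" and has eight bytes at FILE_SIZE_POINTER_64 decoding to 0x201 or more is therefore reported as a .pst. If the open else is deliberate, for instance to keep accepting other index types, say so with a comment such as `/* any other index type: assume the 64-bit header layout */`; otherwise restore the condition as an `else if(...)` and end the function with `return 0;`. The 64-bit size is taken from the header with only a lower bound, so a damaged or crafted header can declare a size far beyond the medium; whether data_check_size and file_check_size cap that is outside this hunk.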