summaryrefslogtreecommitdiffstats
path: root/src/file_tiff_be.c
diff options
context:
space:
mode:
authorChristophe Grenier <grenier@cgsecurity.org>2017-09-28 21:23:38 +0200
committerChristophe Grenier <grenier@cgsecurity.org>2017-09-28 21:23:38 +0200
commitead22c45f1778db11bda68dabdaac689a6fb11f9 (patch)
treef8cc9c87c35824607b9d6898fd7681a83b297c42 /src/file_tiff_be.c
parentd013906b651689f6d5ad39a3a077fee9cafeb09e (diff)
PhotoRec: according to TIFF specification, directory entries must be sorted.
Diffstat (limited to 'src/file_tiff_be.c')
-rw-r--r--src/file_tiff_be.c20
1 files changed, 15 insertions, 5 deletions
diff --git a/src/file_tiff_be.c b/src/file_tiff_be.c
index 7197901..38b58cf 100644
--- a/src/file_tiff_be.c
+++ b/src/file_tiff_be.c
@@ -276,6 +276,8 @@ uint64_t header_check_tiff_be(file_recovery_t *fr, const uint32_t tiff_diroff, c
uint64_t strip_bytecounts=0;
uint64_t tile_offsets=0;
uint64_t tile_bytecounts=0;
+ unsigned int tdir_tag_old=0;
+ unsigned int sorted_tag_error=0;
const TIFFDirEntry *entry=(const TIFFDirEntry *)&buffer[2];
const TIFFDirEntry *entry_strip_offsets=NULL;
const TIFFDirEntry *entry_strip_bytecounts=NULL;
@@ -306,19 +308,26 @@ uint64_t header_check_tiff_be(file_recovery_t *fr, const uint32_t tiff_diroff, c
return -1;
for(i=0;i<n;i++)
{
+ const unsigned int tdir_tag=be16(entry->tdir_tag);
const uint64_t val=(uint64_t)be32(entry->tdir_count) * tiff_type2size(be16(entry->tdir_type));
#ifdef DEBUG_TIFF
log_info("%u tag=%u(0x%x) %s type=%u count=%lu offset=%lu(0x%lx) val=%lu\n",
i,
- be16(entry->tdir_tag),
- be16(entry->tdir_tag),
- tag_name(be16(entry->tdir_tag)),
+ tdir_tag,
+ tdir_tag,
+ tag_name(tdir_tag),
be16(entry->tdir_type),
(long unsigned)be32(entry->tdir_count),
(long unsigned)be32(entry->tdir_offset),
(long unsigned)be32(entry->tdir_offset),
(long unsigned)val);
#endif
+ if(tdir_tag_old > tdir_tag)
+ { /* Entries must be sorted by tag */
+ sorted_tag_error++;
+ if(sorted_tag_error > 1)
+ return -1;
+ }
if(val>4)
{
const uint64_t new_offset=be32(entry->tdir_offset)+val;
@@ -330,7 +339,7 @@ uint64_t header_check_tiff_be(file_recovery_t *fr, const uint32_t tiff_diroff, c
if(be32(entry->tdir_count)==1 && val<=4)
{
const unsigned int tmp=tiff_be_read(&entry->tdir_offset, be16(entry->tdir_type));
- switch(be16(entry->tdir_tag))
+ switch(tdir_tag)
{
case TIFFTAG_ALPHABYTECOUNT: alphabytecount=tmp; break;
case TIFFTAG_ALPHAOFFSET: alphaoffset=tmp; break;
@@ -376,7 +385,7 @@ uint64_t header_check_tiff_be(file_recovery_t *fr, const uint32_t tiff_diroff, c
}
else if(be32(entry->tdir_count) > 1)
{
- switch(be16(entry->tdir_tag))
+ switch(tdir_tag)
{
case TIFFTAG_EXIFIFD:
case TIFFTAG_KODAKIFD:
@@ -424,6 +433,7 @@ uint64_t header_check_tiff_be(file_recovery_t *fr, const uint32_t tiff_diroff, c
break;
}
}
+ tdir_tag_old=tdir_tag;
entry++;
}
if(alphabytecount > 0 && max_offset < alphaoffset + alphabytecount)