Changeset 131 for trunk/lib


Ignore:
Timestamp:
01/11/09 15:14:20 (16 years ago)
Author:
tim
Message:

fixed an hbin length validation related to vk records
added hbin length validation for class names and data cells

File:
1 edited

Legend:

Unmodified
Added
Removed

  • trunk/lib/regfi.c

    r129 r131  
    796796   
    797797    vk_offset =  voffsets[i] + REGF_BLOCKSIZE;
    798     vk_max_length = hbin->block_size - vk_offset + sizeof(uint32);
     798    vk_max_length = hbin->block_size + hbin->file_off - vk_offset;
    799799    ret_val[i] = regfi_parse_vk(file, vk_offset, vk_max_length, strict);
    800800    if(ret_val[i] == NULL)
     
    16041604{
    16051605  uint8 nk_header[REGFI_NK_MIN_LENGTH];
     1606  REGF_HBIN *hbin;
    16061607  REGF_NK_REC* ret_val;
    1607   uint32 length;
    1608   uint32 cell_length;
     1608  uint32 length,cell_length;
     1609  uint32 class_offset, class_maxsize;
    16091610  bool unalloc = false;
    16101611
     
    17221723  if(ret_val->classname_off != REGF_OFFSET_NONE)
    17231724  {
    1724     ret_val->classname
    1725       = regfi_parse_classname(file, ret_val->classname_off+REGF_BLOCKSIZE,
    1726                               &ret_val->classname_length, strict);
     1725    hbin = regfi_lookup_hbin(file, ret_val->classname_off);
     1726    if(hbin)
     1727    {
     1728      class_offset = ret_val->classname_off+REGF_BLOCKSIZE;
     1729      class_maxsize = hbin->block_size + hbin->file_off - class_offset;
     1730      ret_val->classname
     1731        = regfi_parse_classname(file, class_offset, &ret_val->classname_length,
     1732                                class_maxsize, strict);
     1733    }
     1734    else
     1735      ret_val->classname = NULL;
    17271736    /*
    17281737    if(strict && ret_val->classname == NULL)
     
    17351744
    17361745
    1737 /*******************************************************************/
    1738 /* XXX: Not currently validating against hbin length.              */
    1739 /*******************************************************************/
    17401746char* regfi_parse_classname(REGF_FILE* file, uint32 offset,
    1741                             uint16* name_length, bool strict)
     1747                            uint16* name_length, uint32 max_size, bool strict)
    17421748{
    17431749  char* ret_val = NULL;
     
    17481754  if(*name_length > 0 && offset != REGF_OFFSET_NONE
    17491755     && offset == (offset & 0xFFFFFFF8))
    1750   {   
     1756  {
    17511757    if(!regfi_parse_cell(file->fd, offset, NULL, 0, &cell_length, &unalloc))
    17521758        return NULL;
    17531759
    1754     if(cell_length < *name_length)
     1760    if((cell_length & 0xFFFFFFF8) != cell_length)
     1761      return NULL;
     1762   
     1763    if(cell_length > max_size)
    17551764    {
    17561765      if(strict)
    17571766        return NULL;
    1758       *name_length = cell_length & 0xFFFFFFF8;
     1767      cell_length = max_size;
     1768    }
     1769
     1770    if((cell_length - 4) < *name_length)
     1771    {
     1772      if(strict)
     1773        return NULL;
     1774      *name_length = cell_length - 4;
    17591775    }
    17601776   
     
    17841800{
    17851801  REGF_VK_REC* ret_val;
     1802  REGF_HBIN *hbin;
    17861803  uint8 vk_header[REGFI_VK_MIN_LENGTH];
    17871804  uint32 raw_data_size, length, cell_length;
     1805  uint32 data_offset, data_maxsize;
    17881806  bool unalloc = false;
    17891807
     
    18781896  else
    18791897  {
    1880     ret_val->data = regfi_parse_data(file, ret_val->data_off+REGF_BLOCKSIZE,
    1881                                      raw_data_size, strict);
     1898    hbin = regfi_lookup_hbin(file, ret_val->data_off);
     1899    if(hbin)
     1900    {
     1901      data_offset = ret_val->data_off+REGF_BLOCKSIZE;
     1902      data_maxsize = hbin->block_size + hbin->file_off - data_offset;
     1903      ret_val->data = regfi_parse_data(file, data_offset, raw_data_size,
     1904                                       data_maxsize, strict);
     1905    }
     1906    else
     1907      ret_val->data = NULL;
     1908
    18821909    if(strict && (ret_val->data == NULL))
    18831910    {
     
    18921919
    18931920
    1894 uint8* regfi_parse_data(REGF_FILE* file, uint32 offset, uint32 length, bool strict)
     1921uint8* regfi_parse_data(REGF_FILE* file, uint32 offset, uint32 length,
     1922                        uint32 max_size, bool strict)
    18951923{
    18961924  uint8* ret_val;
     
    19211949    if((cell_length & 0xFFFFFFF8) != cell_length)
    19221950      return NULL;
     1951
     1952    if(cell_length > max_size)
     1953    {
     1954      if(strict)
     1955        return NULL;
     1956      else
     1957        cell_length = max_size;
     1958    }
    19231959
    19241960    if(cell_length - 4 < length)
     
    19331969        length = cell_length - 4;
    19341970    }
    1935 
    1936     /* XXX: There is currently no check to ensure the data
    1937      *      cell doesn't cross HBIN boundary.
    1938      */
    19391971
    19401972    if((ret_val = (uint8*)zalloc(sizeof(uint8)*length)) == NULL)
Note: See TracChangeset for help on using the changeset viewer.