EricZimmerman
ArgumentOutOfRangeException when parsing LNK files with corrupted VolumeLabelOffset
The library throws ArgumentOutOfRangeException when parsing LNK files with corrupted VolumeLabelOffset values in the VolumeInfo structure, preventing the file from being parsed.
- Steps to Reproduce
- Parse an LNK file with a corrupted
VolumeLabelOffsetvalue (e.g., > 0xFF) - Exception is thrown in
VolumeInfoconstructor at line 44
-
Stack Trace System.ArgumentOutOfRangeException: Non-negative number required. (Parameter 'count') at System.Text.EncodingNLS.GetString(Byte[] bytes, Int32 index, Int32 count) at Lnk.VolumeInfo..ctor(Byte[] rawBytes, Int32 codepage) in VolumeInfo.cs:line 44 at Lnk.LnkFile..ctor(Byte[] rawBytes, String sourceFile, Int32 codepage) in LnkFile.cs:line 270
-
Root Cause When
VolumeLabelOffsetcontains an invalid value (e.g., 0xFFFFFFFF), the code attempts to read beyond the byte array bounds:
VolumeLabel = CodePagesEncodingProvider.Instance.GetEncoding(codepage)
?.GetString(rawBytes, VolumeLabelOffset, rawBytes.Length - VolumeLabelOffset)
- Solution Validate VolumeLabelOffset before use. Values exceeding 0xFF should be sanitized to prevent out-of-bounds access:
.....
VolumeLabelOffset = VolumeLabelOffset > 0xff ? 0 : VolumeLabelOffset;
.....
- WARNING: The attached LNK file contains malicious content and should NOT be executed. It is provided solely for testing and analysis purposes. Handle with appropriate security precautions. Zip Password: infected
66c3a8eb1a2a5a9bd93e257c0fadd4922b46f6bfc224ae38de374f0bcf193855.zip
