Buffer size not checked before use in some header_check_x callbacks

Open gcembed opened this issue 8 years ago • 0 comments

For example, in file_prd.c, specific values are tested at fixed offset but buffer_size is not used to test if offset 0x17 is reachable.

static int header_check_prd(const unsigned char *buffer, const unsigned int buffer_size, const unsigned int safe_header_only, const file_recovery_t *file_recovery, file_recovery_t *file_recovery_new) { if( buffer[0x0d]!=0xdb || buffer[0x0e]!=0xe4 || buffer[0x0f]!=0x40 || buffer[0x15]!=0xdb || buffer[0x16]!=0xe4 || buffer[0x17]!=0x40) return 0; reset_file_recovery(file_recovery_new); file_recovery_new->extension=file_hint_prd.extension; return 1; }

Dec 24 '17 13:12 gcembed