diff --git a/src/file_asf.c b/src/file_asf.c index 8f96d2aa..a9a76503 100644 --- a/src/file_asf.c +++ b/src/file_asf.c @@ -66,24 +66,29 @@ struct asf_stream_prop_s { unsigned char stream_type[16]; } __attribute__ ((gcc_struct, __packed__)); +static const char *extension_wma="wma"; +static const char *extension_wmv="wmv"; + static int header_check_asf(const unsigned char *buffer, const unsigned int buffer_size, const unsigned int safe_header_only, const file_recovery_t *file_recovery, file_recovery_t *file_recovery_new) { const struct asf_header_obj_s *hdr=(const struct asf_header_obj_s*)buffer; - unsigned int i; - const struct asf_file_prop_s *prop=(const struct asf_file_prop_s*)(hdr+1); + const char *extension=file_hint_asf.extension; + const unsigned int nbr_header_obj=le32(hdr->nbr_header_obj); uint64_t size=0; time_t time=0; - const char *extension=file_hint_asf.extension; + unsigned int i; + uint64_t offset_prop=sizeof(struct asf_header_obj_s); /* Header + File Properties + Stream Properties + Header Extension */ if(le64(hdr->object_size)<30 || le64(hdr->object_size)>buffer_size || - le32(hdr->nbr_header_obj)<4) + nbr_header_obj<4) return 0; for(i=0; - i<le32(hdr->nbr_header_obj) && - (const unsigned char *)prop+0x28 < buffer + buffer_size; - i++, prop=(const struct asf_file_prop_s *)((const char *)prop + le64(prop->object_size))) + i < nbr_header_obj && offset_prop + 0x28 < buffer_size; + i++) { + const struct asf_file_prop_s *prop=(const struct asf_file_prop_s*)&buffer[offset_prop]; + const uint64_t object_size=le64(prop->object_size); // ASF_File_Properties_Object // 8CABDCA1-A947-11CF-8EE4-00C00C205365 // ASF_Stream_Properties_Object // B7DC0791-A9B7-11CF-8EE6-00C00C205365 static const unsigned char asf_file_prop_id[16]= { 
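Review bot: The loop guard `offset_prop + 0x28 < buffer_size` guarantees only 0x28 bytes of the object at `&buffer[offset_prop]`, yet the File Properties branch in the next hunk reads `prop->file_size` and `prop->file_date` through the same pointer. struct asf_file_prop_s is declared outside this hunk, so this is inferred: if those two fields lie beyond offset 0x28, a crafted header whose File Properties object sits near the end of the buffer leads to a read past `buffer_size`. A branch-local check before those reads, such as `if(offset_prop + offsetof(struct asf_file_prop_s, file_date) + sizeof(prop->file_date) > buffer_size) return 0;`, would cover them without tightening the bound for stream objects. The body of header_check_asf continues outside this hunk.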
@@ -94,18 +99,20 @@ static int header_check_asf(const unsigned char *buffer, const unsigned int buff 0x91, 0x07, 0xdc, 0xb7, 0xb7, 0xa9, 0xcf, 0x11, 0x8e, 0xe6, 0x00, 0xc0, 0x0c, 0x20, 0x53, 0x65 }; - if(le64(prop->object_size) < 0x18) + if(object_size < 0x18) { - log_info("header_check_asf object_size too small %llu\n", (long long unsigned)le64(prop->object_size)); + log_info("header_check_asf object_size too small %llu\n", (long long unsigned)object_size); return 0; } + if(object_size > 0x8000000000000000) + return 0; if(memcmp(prop->object_id, asf_file_prop_id, sizeof(asf_file_prop_id))==0) { - if(le64(prop->object_size) < 0x28) - return 0; - if(le64(prop->file_size) < sizeof(struct asf_header_obj_s) + sizeof(struct asf_file_prop_s)) + if(object_size < 0x28) return 0; size=le64(prop->file_size); + if(size < sizeof(struct asf_header_obj_s) + sizeof(struct asf_file_prop_s)) + return 0; time=td_ntfs2utc(le64(prop->file_date)); } else if(memcmp(prop->object_id, asf_stream_prop_s, sizeof(asf_stream_prop_s))==0) 
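Review bot: The new `if(object_size > 0x8000000000000000) return 0;` has no comment, and nothing on the line says why that constant was chosen. From the visible code it appears to exist so that `offset_prop+=object_size` in the last hunk cannot wrap the `uint64_t` accumulator (offset_prop is below `buffer_size` at that point, so the sum stays under 2^64). I would state that on the line, e.g. `/* untrusted size: keep offset_prop+=object_size from wrapping uint64_t */`. Writing the literal as `UINT64_C(0x8000000000000000)` would also make its type explicit rather than compiler-dependent. The enclosing function starts and ends outside this hunk.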
@@ -117,25 +124,27 @@ static int header_check_asf(const unsigned char *buffer, const unsigned int buff const char wmv[16]={ 0xc0, 0xef, 0x19, 0xbc, 0x4d, 0x5b, 0xcf, 0x11, 0xa8, 0xfd, 0x00, 0x80, 0x5f, 0x5c, 0x44, 0x2b }; - if(le64(prop->object_size) < 0x28) + if(object_size < 0x28) return 0; if(memcmp(stream->stream_type, wma, sizeof(wma))==0) - extension="wma"; + extension=extension_wma; else if(memcmp(stream->stream_type, wmv, sizeof(wmv))==0) - extension="wmv"; + extension=extension_wmv; } - if(le64(prop->object_size) > buffer_size) - break; + offset_prop+=object_size; } + if(size > 0 && size < offset_prop) + return 0; reset_file_recovery(file_recovery_new); file_recovery_new->extension=extension; + file_recovery_new->min_filesize=offset_prop; + file_recovery_new->time=time; if(size > 0) { - file_recovery_new->calculated_file_size=le64(size); + file_recovery_new->calculated_file_size=size; file_recovery_new->data_check=&data_check_size; file_recovery_new->file_check=&file_check_size; } - file_recovery_new->time=time; return 1; }
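Review bot: `file_recovery_new->min_filesize=offset_prop;` stores a value derived from file-supplied sizes with no upper bound when no File Properties object was seen, because the new `size > 0 && size < offset_prop` check is skipped when `size` is 0. In that case one object with `object_size` close to 2^63 passes the earlier checks and ends up in `min_filesize`, whose type is not visible here and would truncate the value if narrower than 64 bits. The header object size is already validated against `buffer_size`, so if it is meant to cover all sub-objects (not verifiable from the diff), `if(offset_prop > le64(hdr->object_size)) return 0;` before `reset_file_recovery()` would bound it in both cases. The function starts outside this hunk.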