From 497b80da24e2c610e00a8a7ef5d4a5fd07bba835 Mon Sep 17 00:00:00 2001 From: Christophe Grenier Date: Sat, 26 Jul 2014 22:52:54 +0200 Subject: [PATCH] PhotoRec: stricter check for .woff --- src/file_woff.c | 29 +++++++++++++++++------------ 1 file changed, 17 insertions(+), 12 deletions(-) diff --git a/src/file_woff.c b/src/file_woff.c index b3fa2a35..b267eb69 100644 --- a/src/file_woff.c +++ b/src/file_woff.c @@ -63,18 +63,23 @@ struct WOFFHeader static int header_check_woff(const unsigned char *buffer, const unsigned int buffer_size, const unsigned int safe_header_only, const file_recovery_t *file_recovery, file_recovery_t *file_recovery_new) { const struct WOFFHeader *woff=(const struct WOFFHeader *)buffer; - if(woff->reserved==0 && - be32(woff->metaOffset) + be32(woff->metaLength)< be32(woff->length) && - be32(woff->privOffset) + be32(woff->privLength)< be32(woff->length)) - { - reset_file_recovery(file_recovery_new); - file_recovery_new->extension=file_hint_woff.extension; - file_recovery_new->calculated_file_size=(uint64_t)be32(woff->length); - file_recovery_new->data_check=&data_check_size; - file_recovery_new->file_check=&file_check_size; - return 1; - } - return 0; + if(be32(woff->length) < sizeof(struct WOFFHeader)) + return 0; + if(be32(woff->metaOffset) > 0 && be32(woff->metaOffset) < sizeof(struct WOFFHeader)) + return 0; + if(be32(woff->privOffset) > 0 && be32(woff->privOffset) < sizeof(struct WOFFHeader)) + return 0; + if(be32(woff->metaOffset) + be32(woff->metaLength)> be32(woff->length) || + be32(woff->privOffset) + be32(woff->privLength)> be32(woff->length)) + return 0; + if(woff->reserved!=0) + return 0; + reset_file_recovery(file_recovery_new); + file_recovery_new->extension=file_hint_woff.extension; + file_recovery_new->calculated_file_size=(uint64_t)be32(woff->length); + file_recovery_new->data_check=&data_check_size; + file_recovery_new->file_check=&file_check_size; + return 1; } static void register_header_check_woff(file_stat_t *file_stat)