From ecc15d0571d4be528d25c91852cd6a33186dd41d Mon Sep 17 00:00:00 2001
From: Christophe Grenier
Date: Sat, 26 Jul 2014 19:17:12 +0200
Subject: [PATCH] PhotoRec: stricter check for .png
---
 src/file_png.c | 49 +++++++++++++++++++++++++++++++++++++++++++------
 1 file changed, 43 insertions(+), 6 deletions(-)
diff --git a/src/file_png.c b/src/file_png.c
index 9aa7917e..84475802 100644
--- a/src/file_png.c
+++ b/src/file_png.c
@@ -64,8 +64,16 @@ struct png_chunk
 static int header_check_jng(const unsigned char *buffer, const unsigned int buffer_size, const unsigned int safe_header_only, const file_recovery_t *file_recovery, file_recovery_t *file_recovery_new)
 {
+ if( !((isupper(buffer[8+4]) || islower(buffer[8+4])) &&
+ (isupper(buffer[8+5]) || islower(buffer[8+5])) &&
+ (isupper(buffer[8+6]) || islower(buffer[8+6])) &&
+ (isupper(buffer[8+7]) || islower(buffer[8+7]))))
+ return 0;
 reset_file_recovery(file_recovery_new);
 file_recovery_new->extension="jng";
+ file_recovery_new->min_filesize=16;
+ if(file_recovery_new->blocksize < 8)
+ return 1;
 file_recovery_new->calculated_file_size=8;
 file_recovery_new->data_check=&data_check_png;
 file_recovery_new->file_check=&file_check_size;
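Review bot: The chunk-type test added at the top of header_check_jng reads buffer[12] through buffer[15] without consulting the buffer_size parameter, while the signature registered in register_header_check_png is only 8 bytes long, so nothing visible in this patch guarantees that 16 bytes are present. A guard such as `if(buffer_size < 16) return 0;` ahead of the test would bound the read by construction; the identical additions in header_check_mng and header_check_png need the same guard. The four-line isupper/islower test now appears five times in the file and is locale-dependent, so a small static helper that accepts only ASCII A-Z and a-z would keep the copies in sync and match the PNG rule that chunk types are ASCII letters.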
@@ -74,8 +82,16 @@ static int header_check_jng(const unsigned char *buffer, const unsigned int buff
 static int header_check_mng(const unsigned char *buffer, const unsigned int buffer_size, const unsigned int safe_header_only, const file_recovery_t *file_recovery, file_recovery_t *file_recovery_new)
 {
+ if( !((isupper(buffer[8+4]) || islower(buffer[8+4])) &&
+ (isupper(buffer[8+5]) || islower(buffer[8+5])) &&
+ (isupper(buffer[8+6]) || islower(buffer[8+6])) &&
+ (isupper(buffer[8+7]) || islower(buffer[8+7]))))
+ return 0;
 reset_file_recovery(file_recovery_new);
 file_recovery_new->extension="mng";
+ file_recovery_new->min_filesize=16;
+ if(file_recovery_new->blocksize < 8)
+ return 1;
 file_recovery_new->calculated_file_size=8;
 file_recovery_new->data_check=&data_check_mng;
 file_recovery_new->file_check=&file_check_size;
@@ -90,8 +106,16 @@ static int header_check_png(const unsigned char *buffer, const unsigned int buff
 (strcmp(file_recovery->extension,"sld")==0 ||
 strcmp(file_recovery->extension,"sldprt")==0))
 return 0;
+ if( !((isupper(buffer[8+4]) || islower(buffer[8+4])) &&
+ (isupper(buffer[8+5]) || islower(buffer[8+5])) &&
+ (isupper(buffer[8+6]) || islower(buffer[8+6])) &&
+ (isupper(buffer[8+7]) || islower(buffer[8+7]))))
+ return 0;
 reset_file_recovery(file_recovery_new);
 file_recovery_new->extension=file_hint_png.extension;
+ file_recovery_new->min_filesize=16;
+ if(file_recovery_new->blocksize < 8)
+ return 1;
 file_recovery_new->calculated_file_size=8;
 file_recovery_new->data_check=&data_check_png;
 file_recovery_new->file_check=&file_check_size;
@@ -106,9 +130,19 @@ static data_check_t data_check_mng(const unsigned char *buffer, const unsigned i
 {
 const unsigned int i=file_recovery->calculated_file_size - file_recovery->file_size + buffer_size/2;
 const struct png_chunk *chunk=(const struct png_chunk *)&buffer[i];
- file_recovery->calculated_file_size+=12 + be32(chunk->length);
 if(memcmp(&buffer[i+4], mng_footer, sizeof(mng_footer))==0)
+ {
+ file_recovery->calculated_file_size+=12 + be32(chunk->length);
 return DC_STOP;
+ }
+ if( !((isupper(buffer[i+4]) || islower(buffer[i+4])) &&
+ (isupper(buffer[i+5]) || islower(buffer[i+5])) &&
+ (isupper(buffer[i+6]) || islower(buffer[i+6])) &&
+ (isupper(buffer[i+7]) || islower(buffer[i+7]))))
+ {
+ return DC_ERROR;
+ }
+ file_recovery->calculated_file_size+=12 + be32(chunk->length);
 }
 return DC_CONTINUE;
 }
@@ -120,9 +154,11 @@ static data_check_t data_check_png(const unsigned char *buffer, const unsigned i
 {
 const unsigned int i=file_recovery->calculated_file_size - file_recovery->file_size + buffer_size/2;
 const struct png_chunk *chunk=(const struct png_chunk *)&buffer[i];
- file_recovery->calculated_file_size+=12 + be32(chunk->length);
 if(memcmp(&buffer[i+4], "IEND", 4)==0)
+ {
+ file_recovery->calculated_file_size+=12 + be32(chunk->length);
 return DC_STOP;
+ }
 // PNG chunk code
 // IDAT IHDR PLTE bKGD cHRM fRAc gAMA gIFg gIFt gIFx hIST iCCP
 // iTXt oFFs pCAL pHYs sBIT sCAL sPLT sRGB sTER tEXt tRNS zTXt
@@ -131,8 +167,9 @@ static data_check_t data_check_png(const unsigned char *buffer, const unsigned i
 (isupper(buffer[i+6]) || islower(buffer[i+6])) &&
 (isupper(buffer[i+7]) || islower(buffer[i+7]))))
 {
- return DC_STOP;
+ return DC_ERROR;
 }
+ file_recovery->calculated_file_size+=12 + be32(chunk->length);
 }
 return DC_CONTINUE;
 }
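Review bot: In data_check_mng, `be32(chunk->length)` is taken straight from the data being recovered and added to calculated_file_size without a range check, both in the footer branch and on the normal path; the two data_check_png hunks do the same. The PNG specification caps a chunk length at 2^31-1, and a value near 0xFFFFFFFF could also wrap `12 + be32(chunk->length)` if that sum is evaluated in 32 bits (be32's result type is not visible here), leaving the size almost unchanged. Consider rejecting such chunks before the addition, e.g. `if(be32(chunk->length) > 0x7fffffff) return DC_ERROR;`. The loop condition that bounds `i` lies outside the hunk, so whether buffer[i+4] through buffer[i+7] always stay inside the buffer could not be confirmed from here.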
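Review bot: In the IEND branch of data_check_png the final size is still advanced by `12 + be32(chunk->length)`, although an IEND chunk carries no data, so a corrupted length field at that point would extend the recovered file past its real end. Either add a fixed `12` there or treat a non-zero length as corruption, e.g. `if(be32(chunk->length)!=0) return DC_ERROR;` ahead of the size update. The mng_footer branch of data_check_mng has the same shape; mng_footer's contents are outside the patch, so confirm it is the empty end chunk before applying the same rule there.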
@@ -142,7 +179,7 @@ static void register_header_check_png(file_stat_t *file_stat)
 static const unsigned char png_header[8]= { 0x89, 'P', 'N','G', 0x0d, 0x0a, 0x1a, 0x0a};
 static const unsigned char mng_header[8]= { 0x8a, 'M', 'N','G', 0x0d, 0x0a, 0x1a, 0x0a};
 static const unsigned char jng_header[8]= { 0x8b, 'J', 'N','G', 0x0d, 0x0a, 0x1a, 0x0a};
- register_header_check(0, png_header,sizeof(png_header), &header_check_png, file_stat);
- register_header_check(0, mng_header,sizeof(mng_header), &header_check_mng, file_stat);
- register_header_check(0, jng_header,sizeof(jng_header), &header_check_jng, file_stat);
+ register_header_check(0, png_header, sizeof(png_header), &header_check_png, file_stat);
+ register_header_check(0, mng_header, sizeof(mng_header), &header_check_mng, file_stat);
+ register_header_check(0, jng_header, sizeof(jng_header), &header_check_jng, file_stat);
 }