!36 [sync] PR-35: Fixed OOB reads in hfs_cat_traverse

From: @openeuler-sync-bot
Reviewed-by: @small_leek
Signed-off-by: @small_leek

0010-Fixed-HFS-BTree-key-OOB-read.patch

@@ -0,0 +1,24 @@
+From 0954034dc1ac757cfc125539c41cc2b42525b303 Mon Sep 17 00:00:00 2001
+From: Joachim Metz <joachim.metz@gmail.com>
+Date: Tue, 27 Apr 2021 06:22:02 +0200
+Subject: [PATCH] Fixed HFS BTree key OOB read
+
+---
+ tsk/fs/hfs.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+diff --git a/tsk/fs/hfs.c b/tsk/fs/hfs.c
+index 2935fc50e3..d3b92aaad7 100644
+--- a/tsk/fs/hfs.c
++++ b/tsk/fs/hfs.c
+@@ -976,7 +976,9 @@ hfs_cat_traverse(HFS_INFO * hfs,
+                 rec_off =
+                     tsk_getu16(fs->endian,
+                     &node[nodesize - (rec + 1) * 2]);
+-                if (rec_off >= nodesize) {
++
++                // Need at least 2 bytes for key_len
++                if (rec_off >= nodesize - 2) {
+                     tsk_error_set_errno(TSK_ERR_FS_GENFS);
+                     tsk_error_set_errstr
+                         ("hfs_cat_traverse: offset of record %d in leaf node %d too large (%d vs %"

0011-Fixed-OOB-reads-in-hfs_cat_traverse.patch

@@ -0,0 +1,43 @@
+From 47b9992636f2e155b09503497ee58d819993c40d Mon Sep 17 00:00:00 2001
+From: Joachim Metz <joachim.metz@gmail.com>
+Date: Sat, 1 May 2021 07:46:49 +0200
+Subject: [PATCH] Fixed OOB reads in hfs_cat_traverse
+
+---
+ tsk/fs/hfs.c | 9 ++++++---
+ 1 file changed, 6 insertions(+), 3 deletions(-)
+
+diff --git a/tsk/fs/hfs.c b/tsk/fs/hfs.c
+index e3221152b7..01259cee2d 100644
+--- a/tsk/fs/hfs.c
++++ b/tsk/fs/hfs.c
+@@ -483,7 +483,7 @@ hfs_ext_find_extent_record_attr(HFS_INFO * hfs, uint32_t cnid,
+                 rec_off =
+                     tsk_getu16(fs->endian,
+                     &node[nodesize - (rec + 1) * 2]);
+-                if (rec_off + sizeof(hfs_btree_key_ext) > nodesize) {
++                if (rec_off >= nodesize - sizeof(hfs_btree_key_ext)) {
+                     tsk_error_set_errno(TSK_ERR_FS_GENFS);
+                     tsk_error_set_errstr
+                         ("hfs_ext_find_extent_record_attr: offset of record %d in index node %d too large (%d vs %"
+@@ -578,7 +578,8 @@ hfs_ext_find_extent_record_attr(HFS_INFO * hfs, uint32_t cnid,
+                 rec_off =
+                     tsk_getu16(fs->endian,
+                     &node[nodesize - (rec + 1) * 2]);
+-                if (rec_off >= nodesize) {
++
++                if (rec_off >= nodesize - sizeof(hfs_btree_key_ext)) {
+                     tsk_error_set_errno(TSK_ERR_FS_GENFS);
+                     tsk_error_set_errstr
+                         ("hfs_ext_find_extent_record_attr: offset of record %d in leaf node %d too large (%d vs %"
+@@ -855,7 +856,9 @@ hfs_cat_traverse(HFS_INFO * hfs,
+                 rec_off =
+                     tsk_getu16(fs->endian,
+                     &node[nodesize - (rec + 1) * 2]);
+-                if (rec_off >= nodesize) {
++
++                // Need at least 2 bytes for key_len
++                if (rec_off >= nodesize - 2) {
+                     tsk_error_set_errno(TSK_ERR_FS_GENFS);
+                     tsk_error_set_errstr
+                         ("hfs_cat_traverse: offset of record %d in index node %d too large (%d vs %"

sleuthkit.spec

@@ -1,20 +1,22 @@
 Name:           sleuthkit
 Version:        4.6.7
-Release:        9
+Release:        10
 Summary:        Tools for file system and volume forensic analysis
 License:        CPL and IBM and GPLv2+
 URL:            http://www.sleuthkit.org
 Source0:        https://github.com/sleuthkit/sleuthkit/releases/download/sleuthkit-%{version}/sleuthkit-%{version}.tar.gz
 
-Patch1:         0001-MEMORYLEAK-DOS-LOAD-EXT-TABLE.patch
-Patch2:         0002-Ensure-that-we-don-t-attempt-to-index-into-an-invali.patch
-Patch3:         0003-Fix-bug-introduced-with-imap-offset-check.patch
-Patch4:         0004-Cast-attrseq-address-to-uintptr_t-so-that-the-correc.patch
-Patch5:         0005-Fix-Fuzz-buffer-overflow.patch
-Patch6:         0006-Add-attributes-file-nodesize-check.patch
-Patch7:         0007-Fixed-OOB-reads-in-hfs_cat_traverse.patch
-Patch8:         0008-left-shift.patch
-Patch9:         fix-memleak-in-ntfs.patch
+Patch0001:      0001-MEMORYLEAK-DOS-LOAD-EXT-TABLE.patch
+Patch0002:      0002-Ensure-that-we-don-t-attempt-to-index-into-an-invali.patch
+Patch0003:      0003-Fix-bug-introduced-with-imap-offset-check.patch
+Patch0004:      0004-Cast-attrseq-address-to-uintptr_t-so-that-the-correc.patch
+Patch0005:      0005-Fix-Fuzz-buffer-overflow.patch
+Patch0006:      0006-Add-attributes-file-nodesize-check.patch
+Patch0007:      0007-Fixed-OOB-reads-in-hfs_cat_traverse.patch
+Patch0008:      0008-left-shift.patch
+Patch0009:      0009-fix-memleak-in-ntfs.patch
+Patch0010:      0010-Fixed-HFS-BTree-key-OOB-read.patch
+Patch0011:      0011-Fixed-OOB-reads-in-hfs_cat_traverse.patch
 
 BuildRequires:  gcc-c++ afflib-devel >= 3.3.4 libewf-devel perl-generators sqlite-devel
 
@@ -89,6 +91,9 @@ sed -i.rpath 's|^runpath_var=LD_RUN_PATH|runpath_var=DIE_RPATH_DIE|g' libtool
 %{_mandir}/man1/*
 
 %changelog
+* Thu Aug 26 2021 lingsheng <lingsheng@huawei.com> - 4.6.7-10
+- Fixed OOB reads in hfs_cat_traverse
+
 * Thu Aug 26 2021 sunguoshuai <sunguoshuai@huawei.com> - 4.6.7-9
 - Fix memleak in ntfs