From 47b9992636f2e155b09503497ee58d819993c40d Mon Sep 17 00:00:00 2001
From: Joachim Metz <joachim.metz@gmail.com>
Date: Sat, 1 May 2021 07:46:49 +0200
Subject: [PATCH] Fixed OOB reads in hfs_cat_traverse
---
tsk/fs/hfs.c | 9 ++++++---
1 file changed, 6 insertions(+), 3 deletions(-)
diff --git a/tsk/fs/hfs.c b/tsk/fs/hfs.c
index e3221152b7..01259cee2d 100644
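--- a/tsk/fs/hfs.c
+++ b/tsk/fs/hfs.c
@@ -483,7 +483,7 @@ hfs_ext_find_extent_record_attr(HFS_INFO * hfs, uint32_t cnid,
 rec_off =
 tsk_getu16(fs->endian,
 &node[nodesize - (rec + 1) * 2]);
- if (rec_off + sizeof(hfs_btree_key_ext) > nodesize) {
+ if (rec_off >= nodesize - sizeof(hfs_btree_key_ext)) {
 tsk_error_set_errno(TSK_ERR_FS_GENFS);
 tsk_error_set_errstr
 ("hfs_ext_find_extent_record_attr: offset of record %d in index node %d too large (%d vs %"
@@ -578,7 +578,8 @@ hfs_ext_find_extent_record_attr(HFS_INFO * hfs, uint32_t cnid,
 rec_off =
 tsk_getu16(fs->endian,
 &node[nodesize - (rec + 1) * 2]);
- if (rec_off >= nodesize) {
+
+ if (rec_off >= nodesize - sizeof(hfs_btree_key_ext)) {
 tsk_error_set_errno(TSK_ERR_FS_GENFS);
 tsk_error_set_errstr
 ("hfs_ext_find_extent_record_attr: offset of record %d in leaf node %d too large (%d vs %"
@@ -855,7 +856,9 @@ hfs_cat_traverse(HFS_INFO * hfs,
 rec_off =
 tsk_getu16(fs->endian,
 &node[nodesize - (rec + 1) * 2]);
- if (rec_off >= nodesize) {
+
+ // Need at least 2 bytes for key_len
+ if (rec_off >= nodesize - 2) {
 tsk_error_set_errno(TSK_ERR_FS_GENFS);
 tsk_error_set_errstr
 ("hfs_cat_traverse: offset of record %d in index node %d too large (%d vs %"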
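Review bot: All three new bounds checks subtract from `nodesize` (`nodesize - sizeof(hfs_btree_key_ext)` in both hfs_ext_find_extent_record_attr hunks, `nodesize - 2` in hfs_cat_traverse). Because `sizeof` yields a `size_t`, the first form wraps to a very large value whenever nodesize is smaller than the key struct, and the check then rejects nothing. Whether nodesize is validated against a minimum beforehand is not visible here, as the enclosing functions begin and end outside the hunks. Since rec_off comes from `tsk_getu16` and cannot exceed 65535, the addition form needs no such precondition: `if (rec_off + sizeof(hfs_btree_key_ext) > nodesize) {` and, in hfs_cat_traverse, `if (rec_off + 2 > nodesize) {`. The 2-byte check there only covers reading key_len, so the key bytes that follow still need their own bound against nodesize, presumably applied after the hunk.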