From c44d4effea1ef0ee28fb6b0631081815465349a7 Mon Sep 17 00:00:00 2001
From: kgermanov
Date: Tue, 31 Oct 2017 18:12:05 +0300
Subject: [PATCH] [fix] Cannot open volume, operating string out of bounds
---
 libvshadow/libvshadow_store_descriptor.c | 88 +++++++++++++++++++++---
 libvshadow/libvshadow_store_descriptor.h | 8 +++
 libvshadow/vshadow_store.h | 5 --
 3 files changed, 87 insertions(+), 14 deletions(-)
diff --git a/libvshadow/libvshadow_store_descriptor.c b/libvshadow/libvshadow_store_descriptor.c
index 93aa4e2..2620e30 100644
--- a/libvshadow/libvshadow_store_descriptor.c
+++ b/libvshadow/libvshadow_store_descriptor.c
@@ -268,6 +268,11 @@ int libvshadow_store_descriptor_free(
 result = -1;
 }
 #endif
+ if( ( *store_descriptor )->copy_identifier_string != NULL )
+ {
+ memory_free(
+ ( *store_descriptor )->copy_identifier_string );
+ }
 if( ( *store_descriptor )->operating_machine_string != NULL )
 {
 memory_free(
@@ -1044,18 +1049,82 @@ int libvshadow_store_descriptor_read_store_header( store_descriptor->attribute_flags ); libcnotify_printf( "\n" ); - - byte_stream_copy_to_uint32_little_endian( - ( (vshadow_store_information_t *) store_header_data )->unknown10, - value_32bit ); - libcnotify_printf( - "%s: unknown10\t\t: 0x%08" PRIx32 "\n", - function, - value_32bit ); } #endif store_header_data_offset = sizeof( vshadow_store_information_t ); + /* read string copy identificator */ + byte_stream_copy_to_uint16_little_endian( + &( store_header_data[ store_header_data_offset ] ), + store_descriptor->copy_identifier_string_size ); + + store_descriptor->copy_identifier_string_size += 2; /* with terminated char */ + + store_header_data_offset += 2; + if( ( store_header_data_offset + store_descriptor->copy_identifier_string_size ) > store_block->data_size ) + { + libcerror_error_set( + error, + LIBCERROR_ERROR_DOMAIN_RUNTIME, + LIBCERROR_RUNTIME_ERROR_VALUE_OUT_OF_BOUNDS, + "%s: copy identificator string size value out of bounds.", + function ); + + goto on_error; + } + store_descriptor->copy_identifier_string = (uint8_t *) memory_allocate( + sizeof( uint8_t ) * store_descriptor->copy_identifier_string_size ); + + if( store_descriptor->copy_identifier_string == NULL ) + { + libcerror_error_set( + error, + LIBCERROR_ERROR_DOMAIN_MEMORY, + LIBCERROR_MEMORY_ERROR_INSUFFICIENT, + "%s: unable to create copy identificator string.", + function ); + + goto on_error; + } + if( memory_copy( + store_descriptor->copy_identifier_string, + &( store_header_data[ store_header_data_offset ] ), + (size_t) store_descriptor->copy_identifier_string_size ) == NULL ) + { + libcerror_error_set( + error, + LIBCERROR_ERROR_DOMAIN_MEMORY, + LIBCERROR_MEMORY_ERROR_COPY_FAILED, + "%s: unable to copy identificator string.", + function ); + + goto on_error; + } + store_header_data_offset += store_descriptor->copy_identifier_string_size; + +#if defined( HAVE_DEBUG_OUTPUT ) + if( libcnotify_verbose != 0 ) + { + 
if( libvshadow_debug_print_utf16_string_value( + function, + "copy identificator string\t", + store_descriptor->copy_identifier_string, + (size_t) store_descriptor->copy_identifier_string_size, + LIBUNA_ENDIAN_LITTLE, + error ) != 1 ) + { + libcerror_error_set( + error, + LIBCERROR_ERROR_DOMAIN_RUNTIME, + LIBCERROR_RUNTIME_ERROR_PRINT_FAILED, + "%s: unable to print UTF-16 string value.", + function ); + + goto on_error; + } + } +#endif + /* read operating_machine_string */ byte_stream_copy_to_uint16_little_endian( &( store_header_data[ store_header_data_offset ] ), store_descriptor->operating_machine_string_size ); @@ -1125,6 +1194,7 @@ int libvshadow_store_descriptor_read_store_header( } } #endif + /* read service_machine_string */ byte_stream_copy_to_uint16_little_endian( &( store_header_data[ store_header_data_offset ] ), store_descriptor->service_machine_string_size ); @@ -1137,7 +1207,7 @@ int libvshadow_store_descriptor_read_store_header( error, LIBCERROR_ERROR_DOMAIN_RUNTIME, LIBCERROR_RUNTIME_ERROR_VALUE_OUT_OF_BOUNDS, - "%s: operating machine string size value out of bounds.", + "%s: service machine string size value out of bounds.", function ); goto on_error; diff --git a/libvshadow/libvshadow_store_descriptor.h b/libvshadow/libvshadow_store_descriptor.h index 0a484c3..e13d786 100644 --- a/libvshadow/libvshadow_store_descriptor.h +++ b/libvshadow/libvshadow_store_descriptor.h @@ -86,6 +86,14 @@ struct libvshadow_store_descriptor */ uint32_t attribute_flags; + /* The copy identifier string + */ + uint8_t *copy_identifier_string; + + /* The copy identifier string size + */ + uint16_t copy_identifier_string_size; + /* The operating machine string */ uint8_t *operating_machine_string; diff --git a/libvshadow/vshadow_store.h b/libvshadow/vshadow_store.h index 1b7cd37..142f65d 100644 --- a/libvshadow/vshadow_store.h +++ b/libvshadow/vshadow_store.h 
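Review bot: The `store_descriptor->copy_identifier_string_size += 2;` line can wrap, because the field is declared `uint16_t` in libvshadow_store_descriptor.h and its value is read straight from the store header: an on-disk size of 0xfffe or 0xffff becomes 0 or 1, so the following check against `store_block->data_size` passes and the parser allocates, copies and advances the offset by the wrapped value instead of rejecting the header. The two extra bytes are copied from whatever follows the string in the block, so the buffer is terminated only if the data happens to contain a terminator; either write the terminator explicitly or reword the "with terminated char" comment. Rejecting the oversized value before the addition keeps the existing bounds check meaningful, as sketched below. The `on_error` label lies outside this hunk, so confirm that it releases `copy_identifier_string` and resets it to NULL, as it presumably does for the other strings.

```c
	/* … unchanged: byte_stream_copy_to_uint16_little_endian read of the size … */

	/* Reject sizes that would wrap the 16-bit field once the 2 extra bytes are added */
	if( store_descriptor->copy_identifier_string_size > (uint16_t) ( UINT16_MAX - 2 ) )
	{
		libcerror_error_set(
		 error,
		 LIBCERROR_ERROR_DOMAIN_RUNTIME,
		 LIBCERROR_RUNTIME_ERROR_VALUE_OUT_OF_BOUNDS,
		 "%s: copy identificator string size value out of bounds.",
		 function );

		goto on_error;
	}
	store_descriptor->copy_identifier_string_size += 2; /* with terminated char */

	/* … unchanged: offset advance, check against store_block->data_size, allocation and copy … */
```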
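Review bot: The comment on `copy_identifier_string_size` should state the unit and what the value includes, since libvshadow_store_descriptor_read_store_header stores the on-disk length plus 2 rather than the raw field. Something like `/* The copy identifier string size in bytes, including the 2 bytes added for the end-of-string character */` would do. The comment on `copy_identifier_string` could also say that it holds UTF-16 little-endian data, which is how the debug print in the reader treats it. The struct definition starts and ends outside the hunk.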
@@ -108,11 +108,6 @@ struct vshadow_store_information * Consists of 4 bytes */ uint8_t attribute_flags[ 4 ]; - - /* Unknown - * Consists of 4 bytes - */ - uint8_t unknown10[ 4 ]; }; typedef struct vshadow_store_block_header vshadow_store_block_header_t;