projects / reactos.git / commitdiff
? search:
summary | shortlog | log | commit | commitdiff | tree
raw | patch | inline | side by side (parent: de5cff4)
[NTFS]
authorTrevor Thompson <tmt256@email.vccs.edu>
Tue, 12 Jul 2016 09:57:16 +0000 (09:57 +0000)
committerThomas Faber <thomas.faber@reactos.org>
Sun, 10 Dec 2017 10:13:57 +0000 (11:13 +0100)
Add error-checking to InternalGetNextAttribute(); don't crash if CurrAttr->Length is invalid.

svn path=/branches/GSoC_2016/NTFS/; revision=71897

drivers/filesystems/ntfs/attrib.c patch | blob | history

diff --git a/drivers/filesystems/ntfs/attrib.c b/drivers/filesystems/ntfs/attrib.c
index 80022f5..fc2463f 100644 (file)
--- a/drivers/filesystems/ntfs/attrib.c
+++ b/drivers/filesystems/ntfs/attrib.c
@@ -181,6 +181,14 @@ InternalGetNextAttribute(PFIND_ATTR_CONTXT Context)
         }
 
         NextAttribute = (PNTFS_ATTR_RECORD)((ULONG_PTR)Context->CurrAttr + Context->CurrAttr->Length);
         }
 
         NextAttribute = (PNTFS_ATTR_RECORD)((ULONG_PTR)Context->CurrAttr + Context->CurrAttr->Length);
+
+        if (NextAttribute > Context->LastAttr || NextAttribute < Context->FirstAttr)
+        {
+            DPRINT1("Broken length: 0x%lx!\n", Context->CurrAttr->Length);
+            Context->CurrAttr = (PVOID)-1;
+            return NULL;
+        }
+        
         Context->Offset += ((ULONG_PTR)NextAttribute - (ULONG_PTR)Context->CurrAttr);
         Context->CurrAttr = NextAttribute;
 
         Context->Offset += ((ULONG_PTR)NextAttribute - (ULONG_PTR)Context->CurrAttr);
         Context->CurrAttr = NextAttribute;
 
A free Windows-compatible Operating System