Author: pschweitzer
Date: Sun Jun 21 16:47:23 2015
New Revision: 68233

URL: http://svn.reactos.org/svn/reactos?rev=68233&view=rev
Log:
[CDFS]
Add a few sanity checks to our handling of ISO 9660 / Joliet:
- Null name entries are forbidden
- Degenerated entries (mismatching sizes) reveal broken layout

In both cases, the lookup for a file is aborted and the CD considered as 
corrupted by the FSD.
explorer displays empty CDs then.

CORE-9254 #resolve #comment Fixed with r68233

Modified:
    trunk/reactos/drivers/filesystems/cdfs/dirctl.c
    trunk/reactos/drivers/filesystems/cdfs/fcb.c

Modified: trunk/reactos/drivers/filesystems/cdfs/dirctl.c
URL: 
http://svn.reactos.org/svn/reactos/trunk/reactos/drivers/filesystems/cdfs/dirctl.c?rev=68233&r1=68232&r2=68233&view=diff
==============================================================================
--- trunk/reactos/drivers/filesystems/cdfs/dirctl.c     [iso-8859-1] (original)
+++ trunk/reactos/drivers/filesystems/cdfs/dirctl.c     [iso-8859-1] Sun Jun 21 
16:47:23 2015
@@ -290,9 +290,26 @@
             return Status;
         }
 
+        if (Record->RecordLength < Record->FileIdLength + 
FIELD_OFFSET(DIR_RECORD, FileId))
+        {
+            DPRINT1("Found corrupted entry! %u - %u\n", Record->RecordLength, 
Record->FileIdLength + FIELD_OFFSET(DIR_RECORD, FileId));
+            RtlFreeUnicodeString(&FileToFindUpcase);
+            CcUnpinData(Context);
+            return STATUS_DISK_CORRUPT_ERROR;
+        }
+
         DPRINT("Name '%S'\n", name);
 
         RtlInitUnicodeString(&LongName, name);
+        /* Was the entry degenerated? */
+        if (LongName.Length < sizeof(WCHAR))
+        {
+            DPRINT1("Found entry with invalid name!\n");
+            RtlFreeUnicodeString(&FileToFindUpcase);
+            CcUnpinData(Context);
+            return STATUS_DISK_CORRUPT_ERROR;
+        }
+
         ShortName.Length = 0;
         ShortName.MaximumLength = 26;
         ShortName.Buffer = ShortNameBuffer;
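Review bot: In dirctl.c the new `RecordLength` check runs after `name` has already been filled, since nothing between the check and `DPRINT("Name '%S'\n", name)` extracts the name. The call whose `Status` is tested just above the hunk has therefore presumably already consumed `FileIdLength` bytes of the record before the two lengths are compared. The fcb.c hunk of this commit puts the same comparison before `CdfsGetDirEntryName(DeviceExt, Record, Name)`, which is the order wanted here as well; moving the comparison into the name-extraction helper would cover both callers with one copy. The check also only compares two on-disk fields with each other, so it does not by itself show that `RecordLength` stays inside the pinned block; if no earlier code bounds it, that needs its own test against the bytes remaining in the mapped data. The enclosing loop body starts and ends outside the hunk.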

Modified: trunk/reactos/drivers/filesystems/cdfs/fcb.c
URL: 
http://svn.reactos.org/svn/reactos/trunk/reactos/drivers/filesystems/cdfs/fcb.c?rev=68233&r1=68232&r2=68233&view=diff
==============================================================================
--- trunk/reactos/drivers/filesystems/cdfs/fcb.c        [iso-8859-1] (original)
+++ trunk/reactos/drivers/filesystems/cdfs/fcb.c        [iso-8859-1] Sun Jun 21 
16:47:23 2015
@@ -558,12 +558,29 @@
         DPRINT("RecordLength %u  ExtAttrRecordLength %u  NameLength %u\n",
             Record->RecordLength, Record->ExtAttrRecordLength, 
Record->FileIdLength);
 
+        if (Record->RecordLength < Record->FileIdLength + 
FIELD_OFFSET(DIR_RECORD, FileId))
+        {
+            DPRINT1("Found corrupted entry! %u - %u\n", Record->RecordLength, 
Record->FileIdLength + FIELD_OFFSET(DIR_RECORD, FileId));
+            RtlFreeUnicodeString(&FileToFindUpcase);
+            CcUnpinData(Context);
+            return STATUS_DISK_CORRUPT_ERROR;
+        }
+
         CdfsGetDirEntryName(DeviceExt, Record, Name);
         DPRINT ("Name '%S'\n", Name);
         DPRINT ("Sector %lu\n", DirectoryFcb->Entry.ExtentLocationL);
         DPRINT ("Offset %lu\n", Offset);
 
         RtlInitUnicodeString(&LongName, Name);
+        /* Was the entry degenerated? */
+        if (LongName.Length < sizeof(WCHAR))
+        {
+            DPRINT1("Found entry with invalid name!\n");
+            RtlFreeUnicodeString(&FileToFindUpcase);
+            CcUnpinData(Context);
+            return STATUS_DISK_CORRUPT_ERROR;
+        }
+
         RtlInitEmptyUnicodeString(&ShortName, ShortNameBuffer, 
sizeof(ShortNameBuffer));
         RtlZeroMemory(ShortNameBuffer, sizeof(ShortNameBuffer));
 

