https://git.reactos.org/?p=reactos.git;a=commitdiff;h=7c576a836f635bc1a07fc7f310690a0424051382

commit 7c576a836f635bc1a07fc7f310690a0424051382
Author: Trevor Thompson <[email protected]>
AuthorDate: Tue Jul 12 09:57:16 2016 +0000

    [NTFS]
    Add error-checking to InternalGetNextAttribute(); don't crash if 
CurrAttr->Length is invalid.
    
    svn path=/branches/GSoC_2016/NTFS/; revision=71897
---
 drivers/filesystems/ntfs/attrib.c | 8 ++++++++
 1 file changed, 8 insertions(+)

diff --git a/drivers/filesystems/ntfs/attrib.c 
b/drivers/filesystems/ntfs/attrib.c
index 80022f5957..fc2463fee5 100644
--- a/drivers/filesystems/ntfs/attrib.c
+++ b/drivers/filesystems/ntfs/attrib.c
@@ -181,6 +181,14 @@ InternalGetNextAttribute(PFIND_ATTR_CONTXT Context)
         }
 
         NextAttribute = (PNTFS_ATTR_RECORD)((ULONG_PTR)Context->CurrAttr + 
Context->CurrAttr->Length);
+
+        if (NextAttribute > Context->LastAttr || NextAttribute < 
Context->FirstAttr)
+        {
+            DPRINT1("Broken length: 0x%lx!\n", Context->CurrAttr->Length);
+            Context->CurrAttr = (PVOID)-1;
+            return NULL;
+        }
+        
         Context->Offset += ((ULONG_PTR)NextAttribute - 
(ULONG_PTR)Context->CurrAttr);
         Context->CurrAttr = NextAttribute;
 
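Review bot: The added range check still accepts a `Context->CurrAttr->Length` of zero, because `NextAttribute` then equals `Context->CurrAttr` and lies inside [FirstAttr, LastAttr], so the walk makes no forward progress on a corrupted or crafted volume. The same holds for a length large enough to wrap the `ULONG_PTR` addition back to an address at or before the current record. Requiring strict forward movement covers both cases: `if (NextAttribute <= Context->CurrAttr || NextAttribute > Context->LastAttr)`. The check also admits `NextAttribute == Context->LastAttr`; whether a full attribute header can still be read there depends on how `LastAttr` is set up outside this hunk, so it is worth confirming that the fields read on the next call stay within the record buffer. The body of InternalGetNextAttribute starts and ends outside the hunk.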
