authorRichard W.M. Jones <rjones@redhat.com>2011-04-13 14:01:03 +0100
committerRichard W.M. Jones <rjones@redhat.com>2011-04-13 14:04:49 +0100
commit53056244696385299fe0d298bd25053dd7c07dc0 (patch)
tree0de1b8c326869a5157468e6463d76072f6ba8015
parent75ea457771cec140fa3376bcc299948096c07acd (diff)
hivex_value_multiple_strings: Don't read uninitialized data.
If hivex_value_multiple_strings was given a value which had an odd length or if the data in the value was unterminated, hivex_value_multiple_strings could read uninitialized data. Potentially (although very unlikely) this could cause a non-exploitable segfault in the calling program.
-rw-r--r--lib/hivex.c3
1 files changed, 2 insertions, 1 deletions
diff --git a/lib/hivex.c b/lib/hivex.c
index 71ea5c3..d2ab23d 100644
--- a/lib/hivex.c
+++ b/lib/hivex.c
@@ -1421,7 +1421,8 @@ hivex_value_multiple_strings (hive_h *h, hive_value_h value)
char *p = data;
size_t plen;
- while (p < data + len && (plen = utf16_string_len_in_bytes (p)) > 0) {
+ while (p < data + len &&
+ (plen = utf16_string_len_in_bytes_max (p, data + len - p)) > 0) {
nr_strings++;
char **ret2 = realloc (ret, (1 + nr_strings) * sizeof (char *));
if (ret2 == NULL) {
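Review bot: The bound added to the `while` condition covers only the length scan, and the rest of the loop body lies outside this hunk, so it is not visible whether the conversion and the pointer advance honour the same limit. If the body still steps `p` forward by `plen` plus a two-byte terminator, an unterminated final string would presumably push `p` beyond `data + len`; the `p < data + len` test then ends the loop, but the pointer arithmetic itself is out of range and any conversion that assumes a terminator would still over-read. It is worth confirming that the per-string conversion is given `data + len - p` (or `plen`) as its limit as well. A short comment above the loop would record the intent, e.g. `/* Value data comes from the hive file and may be odd-length or lack the final UTF-16 NUL; never scan past data + len. */`.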