authorRichard W.M. Jones <rjones@redhat.com>2011-04-13 13:55:49 +0100
committerRichard W.M. Jones <rjones@redhat.com>2011-04-13 13:55:49 +0100
commitc22ed5a6cb58aff70bf74df5b7c1edd33d796ef4 (patch)
tree564f2b4c58e39d9550e6b1ee82f306dd6f5216e9
parent3e941d7ef4163b8882b1296adfd837c507a81075 (diff)
Return real length of buffer from hivex_value_value.
In real registries, the length declared in the header often does not match the length of the block. In this case hivex_value_value would only allocate a value with a size which is the shorter of the two length values, which is correct and safe. However user code could do: buf = hivex_value_value (h, v, &t, &len); memcpy (somewhere, buf, len); which would copy uninitialized data. If hivex_value_value truncates a value like this, we need to return the shorter length to the user as well.
-rw-r--r--lib/hivex.c4
1 files changed, 4 insertions, 0 deletions
diff --git a/lib/hivex.c b/lib/hivex.c
index 3f4c629..b1f6ea6 100644
--- a/lib/hivex.c
+++ b/lib/hivex.c
@@ -1245,6 +1245,10 @@ hivex_value_value (hive_h *h, hive_value_h value,
fprintf (stderr, "hivex_value_value: warning: declared data length is longer than the block it is in (data 0x%zx, data len %zu, block len %zu)\n",
data_offset, len, blen);
len = blen - 4;
+
+ /* Return the smaller length to the caller too. */
+ if (len_rtn)
+ *len_rtn = len;
}
char *data = h->addr + data_offset + 4;
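Review bot: The new `if (len_rtn) *len_rtn = len;` lives inside the truncation branch, so the caller-visible length is now assigned in two places — presumably once earlier in the function with the header-declared value (outside the hunk, as the description implies) and again here after clamping to `blen - 4`. A single assignment after the closing `}` of the `if (len > blen - 4)` block, immediately before `char *data = h->addr + data_offset + 4;`, would make it structurally impossible for a later edit to reintroduce the length/allocation mismatch this commit fixes, and would also catch any other clamping added to that block in future. If the earlier assignment is kept, the added comment should say why a second write is needed, e.g. `/* len may have been clamped to the block size above; re-publish it so callers never see a length larger than the returned buffer. */`. The enclosing function hivex_value_value starts and ends outside the hunk.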