[Libguestfs] [PATCH hivex 16/19] lib: get_children: Add a check that we don't overrun ri-record when reading.

[Richard W.M. Jones]

From: "Richard W.M. Jones" <rjones at redhat.com>

---
 lib/node.c | 8 +++++++-
 1 file changed, 7 insertions(+), 1 deletion(-)

diff --git a/lib/node.c b/lib/node.c
index 02da483..9127251 100644
--- a/lib/node.c
+++ b/lib/node.c
@@ -300,6 +300,8 @@ _get_children (hive_h *h, hive_node_h blkoff,
   struct ntreg_hbin_block *block =
     (struct ntreg_hbin_block *) ((char *) h->addr + blkoff);
 
+  size_t len = block_len (h, blkoff, NULL);
+
   /* Points to lf-record?  (Note, also "lh" but that is basically the
    * same as "lf" as far as we are concerned here).
    */
@@ -311,7 +313,6 @@ _get_children (hive_h *h, hive_node_h blkoff,
      */
     size_t nr_subkeys_in_lf = le16toh (lf->nr_keys);
 
-    size_t len = block_len (h, blkoff, NULL);
     if (8 + nr_subkeys_in_lf * 8 > len) {
       SET_ERRNO (EFAULT, "too many subkeys (%zu, %zu)", nr_subkeys_in_lf, len);
       return -1;
@@ -333,6 +334,11 @@ _get_children (hive_h *h, hive_node_h blkoff,
 
     size_t nr_offsets = le16toh (ri->nr_offsets);
 
+    if (8 + nr_offsets * 4 > len) {
+      SET_ERRNO (EFAULT, "too many offsets (%zu, %zu)", nr_offsets, len);
+      return -1;
+    }
+
     /* Copy list of children. */
     size_t i;
     for (i = 0; i < nr_offsets; ++i) {
-- 
1.8.3.1