[sleuthkit-developers] [ sleuthkit-Bugs-2786963 ] NTFS Compression Infinite loop
From: SourceForge.net <no...@so...> - 2009-05-05 00:31:49
Bugs item #2786963, was opened at 2009-05-04 19:31
Message generated for change (Tracker Item Submitted) made by carrier
You can respond by visiting:
https://sourceforge.net/tracker/?func=detail&atid=477889&aid=2786963&group_id=55685

Please note that this message will contain a full copy of the comment thread, including the initial issue submission, for this request, not just the latest update.

Category: File System Tools
Group: None
Status: Open
Resolution: None
Priority: 5
Private: No
Submitted By: Brian Carrier (carrier)
Assigned to: Brian Carrier (carrier)
Summary: NTFS Compression Infinite loop

Initial Comment:
From Jamie Butler:

When reading a NTFS compressed file on the filesystem, TSK calls ntfs_file_read_special in ntfs.c. This function uncompresses the data in the file starting at the offset requested and places up to a_len bytes into a_buf. The bug occurs on files whose size is not evenly divisible by 512. On the last read of the file, more bytes may be returned than were in the original file.

The original code uses buf_idx to keep track of how many bytes have been read and that variable is incremented by cpylen each time through the loop. It looks like this:

    else if (comp.uncomp_idx - byteoffset < a_len - buf_idx) {
        cpylen = comp.uncomp_idx - byteoffset;
    }
    else {
        cpylen = a_len - buf_idx;
    }

    memcpy(&a_buf[buf_idx], &comp.uncomp_buf[byteoffset], cpylen);

    // reset this in case we need to also read from the next run
    byteoffset = 0;
    buf_idx += cpylen;
    comp_unit_idx = 0;

However, at the end of the last read of a file, buf_idx plus the starting offset in the file may actually be greater than the size of the file. This can cause problems and depending on how the function is called, it can send programs into infinite read loops of the file. Instead, cpylen and hence buf_idx should never be greater than the size of the file when added to offset.

The fix is:

    else if (comp.uncomp_idx - byteoffset < a_len - buf_idx) {
        cpylen = comp.uncomp_idx - byteoffset;
    }
    else {
        cpylen = a_len - buf_idx;
    }

    // Make sure not to return more bytes than are in the file
    if (cpylen > (a_fs_attr->fs_file->meta->size - (a_offset + buf_idx))) {
        cpylen = (a_fs_attr->fs_file->meta->size - (a_offset + buf_idx));
    }

    memcpy(&a_buf[buf_idx], &comp.uncomp_buf[byteoffset], cpylen);

    // reset this in case we need to also read from the next run
    byteoffset = 0;
    buf_idx += cpylen;
    comp_unit_idx = 0;

----------------------------------------------------------------------

You can respond by visiting:
https://sourceforge.net/tracker/?func=detail&atid=477889&aid=2786963&group_id=55685
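The over-read and the effect of the clamp, as an added model written for this post and not TSK's own code: it stands in for the copy loop above with a constructed 1300-byte file (not a multiple of 512) whose last decompressed unit is padded, and runs the loop once without the size check and once with it. UNIT, FILE_SIZE, model_read and read_whole are all assumed names.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Constructed model, not TSK code: the file's bytes live in decompressed
 * units of UNIT bytes. The last unit is padded to a full UNIT, just as a
 * compression unit decompresses to a whole buffer even when the file's
 * logical size ends inside it. */
#define UNIT 512
#define FILE_SIZE 1300                       /* not a multiple of 512 */
#define NUNITS ((FILE_SIZE + UNIT - 1) / UNIT)

static uint8_t units[NUNITS][UNIT];          /* slack past FILE_SIZE stays 0 */

static void fill_units(void) {
    for (size_t i = 0; i < FILE_SIZE; i++)
        units[i / UNIT][i % UNIT] = (uint8_t)(i & 0xff);
}

/* Models the copy loop of ntfs_file_read_special. With clamp == 0 it
 * behaves like the original code; with clamp != 0 it applies the fix:
 * cpylen never pushes a_offset + buf_idx past the file's logical size.
 * Returns the number of bytes placed in a_buf. */
static size_t model_read(size_t file_size, size_t a_offset,
                         uint8_t *a_buf, size_t a_len, int clamp) {
    size_t buf_idx = 0, unit = a_offset / UNIT, byteoffset = a_offset % UNIT;
    if (a_offset >= file_size) return 0;     /* nothing left to read */
    while (buf_idx < a_len && unit < NUNITS) {
        size_t cpylen = (UNIT - byteoffset < a_len - buf_idx)
                            ? UNIT - byteoffset : a_len - buf_idx;
        if (clamp && cpylen > file_size - (a_offset + buf_idx))
            cpylen = file_size - (a_offset + buf_idx);
        if (cpylen == 0) break;
        memcpy(&a_buf[buf_idx], &units[unit][byteoffset], cpylen);
        byteoffset = 0;                      /* next unit starts at byte 0 */
        buf_idx += cpylen;
        unit++;
    }
    return buf_idx;
}

/* Reads the whole file 512 bytes at a time, the way a caller that trusts
 * the return value would, and returns the total byte count it was handed. */
static size_t read_whole(int clamp) {
    static uint8_t out[NUNITS * UNIT];       /* sized for the over-read */
    size_t off = 0, n;
    fill_units();
    while (off < FILE_SIZE &&
           (n = model_read(FILE_SIZE, off, out + off, UNIT, clamp)) > 0)
        off += n;
    return off;                              /* 1536 unclamped, 1300 clamped */
}
```

Without the clamp the final call hands back the 212 padding bytes of the last unit as if they were file data, so a caller that adds the return value to its offset overshoots the file's size.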