diff --git a/0001-handle-Refuse-to-open-files-8192-bytes-in-size.patch b/0001-handle-Refuse-to-open-files-8192-bytes-in-size.patch
new file mode 100644
index 0000000..ac5dbf6
--- /dev/null
+++ b/0001-handle-Refuse-to-open-files-8192-bytes-in-size.patch
@@ -0,0 +1,35 @@
+From 357f26fa64fd1d9ccac2331fe174a8ee9c607adb Mon Sep 17 00:00:00 2001
+From: "Richard W.M. Jones"
+Date: Thu, 30 Oct 2014 13:50:39 +0000
+Subject: [PATCH 1/2] handle: Refuse to open files < 8192 bytes in size.
+
+These cannot be valid hives, since they don't contain a full header
+page and at least a single page of data (in other words they couldn't
+contain a root node).
+
+Thanks: Mahmoud Al-Qudsi
+---
+ lib/handle.c | 7 +++++++
+ 1 file changed, 7 insertions(+)
+
+diff --git a/lib/handle.c b/lib/handle.c
+index 62a8644..a3cbcf7 100644
+--- a/lib/handle.c
++++ b/lib/handle.c
+@@ -104,6 +104,13 @@ hivex_open (const char *filename, int flags)
+
+ h->size = statbuf.st_size;
+
++ if (h->size < 0x2000) {
++ SET_ERRNO (EINVAL,
++ "%s: file is too small to be a Windows NT Registry hive file",
++ filename);
++ goto error;
++ }
++
+ if (!h->writable) {
+ h->addr = mmap (NULL, h->size, PROT_READ, MAP_SHARED, h->fd, 0);
+ if (h->addr == MAP_FAILED)
+--
+2.1.0
+
diff --git a/0002-handle-Check-that-pages-do-not-extend-beyond-the-end.patch b/0002-handle-Check-that-pages-do-not-extend-beyond-the-end.patch
new file mode 100644
index 0000000..7977e16
--- /dev/null
+++ b/0002-handle-Check-that-pages-do-not-extend-beyond-the-end.patch
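Review bot: The literal `0x2000` in the added `if (h->size < 0x2000)` check is unexplained in the code; the reason for it (a full header page plus at least one data page) is given only in the commit message. I would add a comment above the check, for example `/* A valid hive has a full header page plus at least one data page (8192 bytes). */`. The new error path also sets EINVAL, while the page-bounds check added in patch 2/2 reports a malformed file with ENOTSUP; if callers distinguish bad hives by errno, one value for both would be easier to handle. hivex_open starts and ends outside this hunk, so what the `error` label releases cannot be checked from here.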
@@ -0,0 +1,32 @@
+From 4bbdf555f88baeae0fa804a369a81a83908bd705 Mon Sep 17 00:00:00 2001
+From: "Richard W.M. Jones"
+Date: Thu, 30 Oct 2014 14:02:25 +0000
+Subject: [PATCH 2/2] handle: Check that pages do not extend beyond the end of
+ the file.
+
+Thanks: Mahmoud Al-Qudsi
+---
+ lib/handle.c | 7 +++++++
+ 1 file changed, 7 insertions(+)
+
+diff --git a/lib/handle.c b/lib/handle.c
+index a3cbcf7..3a8f09b 100644
+--- a/lib/handle.c
++++ b/lib/handle.c
+@@ -247,6 +247,13 @@ hivex_open (const char *filename, int flags)
+ goto error;
+ }
+
++ if (off + page_size > h->size) {
++ SET_ERRNO (ENOTSUP,
++ "%s: page size %zu at 0x%zx extends beyond end of file, bad registry",
++ filename, page_size, off);
++ goto error;
++ }
++
+ /* Read the blocks in this page. */
+ size_t blkoff;
+ struct ntreg_hbin_block *block;
+--
+2.1.0
+
diff --git a/hivex.spec b/hivex.spec
index 8f3742a..bcaf672 100644
--- a/hivex.spec
+++ b/hivex.spec
@@ -1,6 +1,6 @@ Name: hivex Version: 1.3.5 -Release: 5%{?dist} +Release: 6%{?dist} Summary: Read and write Windows Registry binary hive files Group: Development/Libraries
@@ -33,6 +33,10 @@ Patch0003: 0003-RHEL-5-build-Define-builddir-abs_srcdir-if-they-don-.patch Patch4: %{name}-1.2.3-dirs.patch BuildRequires: autoconf, automake, libtool +# Fix handling of invalid hive files. +Patch5: 0001-handle-Refuse-to-open-files-8192-bytes-in-size.patch +Patch6: 0002-handle-Check-that-pages-do-not-extend-beyond-the-end.patch + %description Hive files are the undocumented binary blobs that Windows uses to
@@ -114,6 +118,8 @@ python-%{name} contains Python bindings for %{name}. %patch0002 -p1 %patch0003 -p1 %patch4 -p1 -b .dirs +%patch5 -p1 +%patch6 -p1 autoreconf 
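Review bot: The sum in the added `if (off + page_size > h->size)` can wrap where size_t is 32 bits, and a wrapped sum would let a page that runs past the end of the mapping pass the check. The `%zu`/`%zx` formats suggest both operands are size_t, and page_size appears to come from the hive being parsed, so it should be treated as untrusted. Comparing against the remaining length avoids the addition: `if (page_size > h->size - off) {`. That form relies on off never exceeding h->size, which the loop bounds outside this hunk would have to guarantee; hivex_open starts and ends outside the hunk.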
@@ -199,6 +205,9 @@ rm -rf $RPM_BUILD_ROOT %changelog +* Tue Nov 25 2014 Richard W.M. Jones - 1:1.3.5-6 +- Fix handling of invalid hive files. + * Fri Mar 30 2012 Richard W.M. Jones - 1:1.3.5-5 - Copy Fedora Rawhide to EPEL 5 (RHBZ#808193). - Disable OCaml, Ruby bindings, since these can't be built on RHEL 5.