Author: pschweitzer Date: Sun Jun 21 16:47:23 2015 New Revision: 68233
URL: http://svn.reactos.org/svn/reactos?rev=68233&view=rev Log: [CDFS] Add a few sanity checks to our handling of ISO 9660 / Joliet: - Null name entries are forbidden - Degenerated entries (mismatching sizes) reveal broken layout
In both cases, the lookup for a file is aborted and the CD considered as corrupted by the FSD. explorer displays empty CDs then.
CORE-9254 #resolve #comment Fixed with r68233
Modified: trunk/reactos/drivers/filesystems/cdfs/dirctl.c trunk/reactos/drivers/filesystems/cdfs/fcb.c
Modified: trunk/reactos/drivers/filesystems/cdfs/dirctl.c URL: http://svn.reactos.org/svn/reactos/trunk/reactos/drivers/filesystems/cdfs/di... ==============================================================================
--- trunk/reactos/drivers/filesystems/cdfs/dirctl.c [iso-8859-1] (original)
+++ trunk/reactos/drivers/filesystems/cdfs/dirctl.c [iso-8859-1] Sun Jun 21 16:47:23 2015
@@ -290,9 +290,26 @@
 return Status;
 }
+ if (Record->RecordLength < Record->FileIdLength + FIELD_OFFSET(DIR_RECORD, FileId))
+ {
+ DPRINT1("Found corrupted entry! %u - %u\n", Record->RecordLength, Record->FileIdLength + FIELD_OFFSET(DIR_RECORD, FileId));
+ RtlFreeUnicodeString(&FileToFindUpcase);
+ CcUnpinData(Context);
+ return STATUS_DISK_CORRUPT_ERROR;
+ }
+
 DPRINT("Name '%S'\n", name);
RtlInitUnicodeString(&LongName, name);
+ /* Was the entry degenerated? */
+ if (LongName.Length < sizeof(WCHAR))
+ {
+ DPRINT1("Found entry with invalid name!\n");
+ RtlFreeUnicodeString(&FileToFindUpcase);
+ CcUnpinData(Context);
+ return STATUS_DISK_CORRUPT_ERROR;
+ }
+
 ShortName.Length = 0;
 ShortName.MaximumLength = 26;
 ShortName.Buffer = ShortNameBuffer;
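Review bot: In the dirctl.c hunk the new `RecordLength` / `FileIdLength` comparison runs after `name` appears to have been filled already: the statement right after the check prints `name`, and nothing between the two produces it. If the name is extracted by the call whose error path ends just above the hunk (not visible here), a record whose `FileIdLength` overruns `RecordLength` has been read for the name copy before it is rejected, so the comparison should move into that extraction helper or ahead of it, as fcb.c does by checking before `CdfsGetDirEntryName`. The enclosing function starts and ends outside the hunk, so the actual order needs confirming against the full file.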
Modified: trunk/reactos/drivers/filesystems/cdfs/fcb.c URL: http://svn.reactos.org/svn/reactos/trunk/reactos/drivers/filesystems/cdfs/fc... ==============================================================================
--- trunk/reactos/drivers/filesystems/cdfs/fcb.c [iso-8859-1] (original)
+++ trunk/reactos/drivers/filesystems/cdfs/fcb.c [iso-8859-1] Sun Jun 21 16:47:23 2015
@@ -558,12 +558,29 @@
 DPRINT("RecordLength %u ExtAttrRecordLength %u NameLength %u\n", Record->RecordLength, Record->ExtAttrRecordLength, Record->FileIdLength);
+ if (Record->RecordLength < Record->FileIdLength + FIELD_OFFSET(DIR_RECORD, FileId))
+ {
+ DPRINT1("Found corrupted entry! %u - %u\n", Record->RecordLength, Record->FileIdLength + FIELD_OFFSET(DIR_RECORD, FileId));
+ RtlFreeUnicodeString(&FileToFindUpcase);
+ CcUnpinData(Context);
+ return STATUS_DISK_CORRUPT_ERROR;
+ }
+
 CdfsGetDirEntryName(DeviceExt, Record, Name);
 DPRINT ("Name '%S'\n", Name);
 DPRINT ("Sector %lu\n", DirectoryFcb->Entry.ExtentLocationL);
 DPRINT ("Offset %lu\n", Offset);
RtlInitUnicodeString(&LongName, Name);
+ /* Was the entry degenerated? */
+ if (LongName.Length < sizeof(WCHAR))
+ {
+ DPRINT1("Found entry with invalid name!\n");
+ RtlFreeUnicodeString(&FileToFindUpcase);
+ CcUnpinData(Context);
+ return STATUS_DISK_CORRUPT_ERROR;
+ }
+
 RtlInitEmptyUnicodeString(&ShortName, ShortNameBuffer, sizeof(ShortNameBuffer));
 RtlZeroMemory(ShortNameBuffer, sizeof(ShortNameBuffer));
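Review bot: The guard `Record->RecordLength < Record->FileIdLength + FIELD_OFFSET(DIR_RECORD, FileId)` only compares two fields read from the disc with each other, so it does not show that the record lies inside the data that is currently pinned. A record near the end of the mapped block with both fields large still passes and reaches `CdfsGetDirEntryName`. Unless code outside this hunk already bounds `RecordLength` against the bytes remaining in the block, that comparison should be added to the same `if`; the identical check in dirctl.c has the same gap. Both files now carry the same two checks and the same three-line cleanup, so a shared validation helper would keep them from drifting apart. The enclosing function starts and ends outside the hunk.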