changeset 341:c638905665bc

Daniel Gryniewicz found buffer overrun in LIST_COPY_TIME
author Carl Byington <carl@five-ten-sg.com>
date Fri, 27 Dec 2013 08:42:41 -0800 (2013-12-27)
parents 0f3185217313
children 5d0dc4db45b3
files src/libpst.c
diffstat 1 files changed, 4 insertions(+), 3 deletions(-) [+]
--- a/src/libpst.c	Fri Dec 27 08:27:47 2013 -0800
+++ b/src/libpst.c	Fri Dec 27 08:42:41 2013 -0800
@@ -2064,13 +2064,14 @@
 
 // malloc space and copy the item filetime
 #define LIST_COPY_TIME(label, targ) {                                       \
-    if (list->elements[x]->type != 0x40) {                                  \
-        DEBUG_WARN(("src not 0x40 for filetime dst\n"));                    \
+    if ((list->elements[x]->type != 0x40) ||                                \
+        (list->elements[x]->size != sizeof(FILETIME)) {                     \
+        DEBUG_WARN(("src not 0x40 or wrong length for filetime dst\n"));    \
         DEBUG_HEXDUMP(list->elements[x]->data, list->elements[x]->size);    \
     }                                                                       \
     else {                                                                  \
         targ = (FILETIME*) pst_realloc(targ, sizeof(FILETIME));             \
-        memcpy(targ, list->elements[x]->data, min(sizeof(FILETIME), list->elements[x]->size)); \
+        memcpy(targ, list->elements[x]->data, sizeof(FILETIME));            \
         LE32_CPU(targ->dwLowDateTime);                                      \
         LE32_CPU(targ->dwHighDateTime);                                     \
         DEBUG_INFO((label" - %s", pst_fileTimeToAscii(targ, time_buffer))); \
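Review bot: The new condition in LIST_COPY_TIME is missing a closing parenthesis: the second added line ends in `!= sizeof(FILETIME)) {`, which closes the size comparison but not the `if (` itself, so the macro will presumably fail to compile wherever it is expanded. It should read `(list->elements[x]->size != sizeof(FILETIME))) {`. With that fixed, the exact-size check is what keeps the fixed-length `memcpy` from reading past a short `data` buffer, so the comment above the `#define` could say so, e.g. `// malloc space and copy the item filetime; elements whose size is not sizeof(FILETIME) are rejected` (placed outside the macro body, since a `//` comment on a backslash-continued line would swallow the next line). The rejection branch only logs and leaves `targ` as it was, and the macro body continues past the end of this hunk, so whether callers cope with an unset time cannot be confirmed from here.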