Mercurial > libpst
view src/lzfu.c @ 42:7a97f50c39c5 stable-0-5-12 **FUNKY**
security fix for potential buffer overrun in lz decompress
author | carl |
---|---|
date | Tue, 02 Oct 2007 16:10:36 -0700 |
parents | 183ae993b9ad |
children | f6db1f060a95 |
line wrap: on
line source
/* This program is free software; you can redistribute it and/or modify it under the terms of the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. You should have received a copy of the GNU General Public License along with this program; if not, write to the Free Software Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA */ #include "define.h" #include "libpst.h" #include <sys/types.h> #include <string.h> #include <stdio.h> #include "lzfu.h" #define LZFU_COMPRESSED 0x75465a4c #define LZFU_UNCOMPRESSED 0x414c454d // initital dictionary #define LZFU_INITDICT "{\\rtf1\\ansi\\mac\\deff0\\deftab720{\\fonttbl;}" \ "{\\f0\\fnil \\froman \\fswiss \\fmodern \\fscrip" \ "t \\fdecor MS Sans SerifSymbolArialTimes Ne" \ "w RomanCourier{\\colortbl\\red0\\green0\\blue0" \ "\r\n\\par \\pard\\plain\\f0\\fs20\\b\\i\\u\\tab" \ "\\tx" // initial length of dictionary #define LZFU_INITLENGTH 207 // header for compressed rtf typedef struct _lzfuheader { u_int32_t cbSize; u_int32_t cbRawSize; u_int32_t dwMagic; u_int32_t dwCRC; } lzfuheader; unsigned char* lzfu_decompress (unsigned char* rtfcomp, u_int32_t compsize, size_t *size) { // the dictionary buffer unsigned char dict[4096]; // the dictionary pointer unsigned int dict_length=0; // the header of the lzfu block lzfuheader lzfuhdr; // container for the data blocks unsigned char flags; // temp value for determining the bits in the flag unsigned char flag_mask; u_int32_t i; unsigned char *out_buf; u_int32_t out_ptr = 0; u_int32_t out_size; u_int32_t in_ptr; u_int32_t in_size; memcpy(dict, LZFU_INITDICT, LZFU_INITLENGTH); dict_length = LZFU_INITLENGTH; memcpy(&lzfuhdr, rtfcomp, sizeof(lzfuhdr)); LE32_CPU(lzfuhdr.cbSize); LE32_CPU(lzfuhdr.cbRawSize); LE32_CPU(lzfuhdr.dwMagic); LE32_CPU(lzfuhdr.dwCRC); //printf("total size: %d\n", lzfuhdr.cbSize+4); //printf("raw size : %d\n", lzfuhdr.cbRawSize); //printf("compressed: %s\n", (lzfuhdr.dwMagic == LZFU_COMPRESSED ? "yes" : "no")); //printf("CRC : %#x\n", lzfuhdr.dwCRC); //printf("\n"); out_size = lzfuhdr.cbRawSize + 3; // two braces and a null terminator out_buf = (unsigned char*)xmalloc(out_size); in_ptr = sizeof(lzfuhdr); in_size = (lzfuhdr.cbSize < compsize) ? lzfuhdr.cbSize : compsize; while (in_ptr < in_size) { flags = rtfcomp[in_ptr++]; flag_mask = 1; while (flag_mask) { if (flag_mask & flags) { // two bytes available? if (in_ptr+1 < in_size) { // read 2 bytes from input unsigned short int blkhdr, offset, length; memcpy(&blkhdr, rtfcomp+in_ptr, 2); LE16_CPU(blkhdr); in_ptr += 2; /* swap the upper and lower bytes of blkhdr */ blkhdr = (((blkhdr&0xFF00)>>8)+ ((blkhdr&0x00FF)<<8)); /* the offset is the first 12 bits of the 16 bit value */ offset = (blkhdr&0xFFF0)>>4; /* the length of the dict entry are the last 4 bits */ length = (blkhdr&0x000F)+2; // add the value we are about to print to the dictionary for (i=0; i < length; i++) { unsigned char c1; c1 = dict[(offset+i)%4096]; dict[dict_length]=c1; dict_length = (dict_length+1) % 4096; if (out_ptr < out_size) out_buf[out_ptr++] = c1; } } } else { // one byte available? if (in_ptr < in_size) { // uncompressed chunk (single byte) char c1 = rtfcomp[in_ptr++]; dict[dict_length] = c1; dict_length = (dict_length+1)%4096; if (out_ptr < out_size) out_buf[out_ptr++] = c1; } } flag_mask <<= 1; } } // the compressed version doesn't appear to drop the closing // braces onto the doc, so we do that here. if (out_ptr < out_size) out_buf[out_ptr++] = '}'; if (out_ptr < out_size) out_buf[out_ptr++] = '}'; *size = out_ptr; if (out_ptr < out_size) out_buf[out_ptr++] = '\0'; return out_buf; }