[hivex/el5] Fix handling of invalid hive files.

Richard W.M. Jones rjones at fedoraproject.org
Tue Nov 25 13:24:14 UTC 2014


commit fd938bff1ddef1c1f12aec8c08b35bce702f82cd
Author: Richard W.M. Jones <rjones at redhat.com>
Date:   Tue Nov 25 13:24:02 2014 +0000

    Fix handling of invalid hive files.

 ...e-Refuse-to-open-files-8192-bytes-in-size.patch |   35 ++++++++++++++++++++
 ...k-that-pages-do-not-extend-beyond-the-end.patch |   32 ++++++++++++++++++
 hivex.spec                                         |   11 ++++++-
 3 files changed, 77 insertions(+), 1 deletions(-)
---
diff --git a/0001-handle-Refuse-to-open-files-8192-bytes-in-size.patch b/0001-handle-Refuse-to-open-files-8192-bytes-in-size.patch
new file mode 100644
index 0000000..ac5dbf6
--- /dev/null
+++ b/0001-handle-Refuse-to-open-files-8192-bytes-in-size.patch
@@ -0,0 +1,35 @@
+From 357f26fa64fd1d9ccac2331fe174a8ee9c607adb Mon Sep 17 00:00:00 2001
+From: "Richard W.M. Jones" <rjones at redhat.com>
+Date: Thu, 30 Oct 2014 13:50:39 +0000
+Subject: [PATCH 1/2] handle: Refuse to open files < 8192 bytes in size.
+
+These cannot be valid hives, since they don't contain a full header
+page and at least a single page of data (in other words they couldn't
+contain a root node).
+
+Thanks: Mahmoud Al-Qudsi
+---
+ lib/handle.c | 7 +++++++
+ 1 file changed, 7 insertions(+)
+
+diff --git a/lib/handle.c b/lib/handle.c
+index 62a8644..a3cbcf7 100644
+--- a/lib/handle.c
++++ b/lib/handle.c
+@@ -104,6 +104,13 @@ hivex_open (const char *filename, int flags)
+ 
+   h->size = statbuf.st_size;
+ 
++  if (h->size < 0x2000) {
++    SET_ERRNO (EINVAL,
++               "%s: file is too small to be a Windows NT Registry hive file",
++               filename);
++    goto error;
++  }
++
+   if (!h->writable) {
+     h->addr = mmap (NULL, h->size, PROT_READ, MAP_SHARED, h->fd, 0);
+     if (h->addr == MAP_FAILED)
+-- 
+2.1.0
+
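Review bot: The bare 0x2000 in the new `if (h->size < 0x2000)` test in hivex_open gives no hint of where the limit comes from; the reasoning (one full header page plus at least one page of data, so 8192 bytes) is only in the commit message. Add a short comment above the check or use a named constant, so the code still explains itself once the message is out of sight. The placement before the mmap call is right, since nothing should be mapped or parsed from a file that cannot hold a root node.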
diff --git a/0002-handle-Check-that-pages-do-not-extend-beyond-the-end.patch b/0002-handle-Check-that-pages-do-not-extend-beyond-the-end.patch
new file mode 100644
index 0000000..7977e16
--- /dev/null
+++ b/0002-handle-Check-that-pages-do-not-extend-beyond-the-end.patch
@@ -0,0 +1,32 @@
+From 4bbdf555f88baeae0fa804a369a81a83908bd705 Mon Sep 17 00:00:00 2001
+From: "Richard W.M. Jones" <rjones at redhat.com>
+Date: Thu, 30 Oct 2014 14:02:25 +0000
+Subject: [PATCH 2/2] handle: Check that pages do not extend beyond the end of
+ the file.
+
+Thanks: Mahmoud Al-Qudsi
+---
+ lib/handle.c | 7 +++++++
+ 1 file changed, 7 insertions(+)
+
+diff --git a/lib/handle.c b/lib/handle.c
+index a3cbcf7..3a8f09b 100644
+--- a/lib/handle.c
++++ b/lib/handle.c
+@@ -247,6 +247,13 @@ hivex_open (const char *filename, int flags)
+       goto error;
+     }
+ 
++    if (off + page_size > h->size) {
++      SET_ERRNO (ENOTSUP,
++                 "%s: page size %zu at 0x%zx extends beyond end of file, bad registry",
++                 filename, page_size, off);
++      goto error;
++    }
++
+     /* Read the blocks in this page. */
+     size_t blkoff;
+     struct ntreg_hbin_block *block;
+-- 
+2.1.0
+
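Review bot: The bounds test `off + page_size > h->size` can wrap around if page_size is taken from the file and is large enough, in which case the sum is small and a page that runs past the end of the file is accepted. Both values are printed with %zu/%zx, so they appear to be size_t, and this is most relevant on 32-bit builds. Unless the earlier check (its body is not visible in this hunk) already bounds page_size, write the comparison without the addition, for example `page_size > h->size - off`, which is safe as long as off <= h->size holds at this point. Separately, this path reports ENOTSUP while the too-small-file check in patch 1/2 reports EINVAL; both are malformed-hive conditions, so consider using one errno for both so that callers can treat them the same way.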
diff --git a/hivex.spec b/hivex.spec
index 8f3742a..bcaf672 100644
--- a/hivex.spec
+++ b/hivex.spec
@@ -1,6 +1,6 @@
 Name:           hivex
 Version:        1.3.5
-Release:        5%{?dist}
+Release:        6%{?dist}
 Summary:        Read and write Windows Registry binary hive files
 
 Group:          Development/Libraries
@@ -33,6 +33,10 @@ Patch0003:      0003-RHEL-5-build-Define-builddir-abs_srcdir-if-they-don-.patch
 Patch4:         %{name}-1.2.3-dirs.patch
 BuildRequires:  autoconf, automake, libtool
 
+# Fix handling of invalid hive files.
+Patch5:         0001-handle-Refuse-to-open-files-8192-bytes-in-size.patch
+Patch6:         0002-handle-Check-that-pages-do-not-extend-beyond-the-end.patch
+
 
 %description
 Hive files are the undocumented binary blobs that Windows uses to
@@ -114,6 +118,8 @@ python-%{name} contains Python bindings for %{name}.
 %patch0002 -p1
 %patch0003 -p1
 %patch4 -p1 -b .dirs
+%patch5 -p1
+%patch6 -p1
 autoreconf
 
 
@@ -199,6 +205,9 @@ rm -rf $RPM_BUILD_ROOT
 
 
 %changelog
+* Tue Nov 25 2014 Richard W.M. Jones <rjones at redhat.com> - 1:1.3.5-6
+- Fix handling of invalid hive files.
+
 * Fri Mar 30 2012 Richard W.M. Jones <rjones at redhat.com> - 1:1.3.5-5
 - Copy Fedora Rawhide to EPEL 5 (RHBZ#808193).
 - Disable OCaml, Ruby bindings, since these can't be built on RHEL 5.
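Review bot: The new %changelog entry "Fix handling of invalid hive files." does not say what was fixed, which makes it hard for anyone auditing installed packages to tell whether this build has the two hardening checks. Name them in the entry (refuse files smaller than 8192 bytes; reject pages that extend beyond the end of the file), matching the subjects of Patch5 and Patch6.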

