>From c22ed5a6cb58aff70bf74df5b7c1edd33d796ef4 Mon Sep 17 00:00:00 2001
From: Richard W.M. Jones
Date: Wed, 13 Apr 2011 13:55:49 +0100
Subject: [PATCH 2/5] Return real length of buffer from hivex_value_value.

In real registries, often the length declared in the header does not match the length of the block. In this case hivex_value_value would only allocate a value with a size which is the shorter of the two length values, which is correct and safe. However user code could do: buf = hivex_value_value (h, v, &t, &len); memcpy (somewhere, buf, len); which would copy uninitialized data. If hivex_value_value truncates a value like this, we also need to return the shorter length to the user as well.
---
 lib/hivex.c | 4 ++++
 1 files changed, 4 insertions(+), 0 deletions(-)

diff --git a/lib/hivex.c b/lib/hivex.c
index 3f4c629..b1f6ea6 100644
--- a/lib/hivex.c
+++ b/lib/hivex.c
@@ -1245,6 +1245,10 @@ hivex_value_value (hive_h *h, hive_value_h value,
 fprintf (stderr, "hivex_value_value: warning: declared data length is longer than the block it is in (data 0x%zx, data len %zu, block len %zu)\n",
 data_offset, len, blen);
 len = blen - 4;
+
+ /* Return the smaller length to the caller too. */
+ if (len_rtn)
+ *len_rtn = len;
 }

 char *data = h->addr + data_offset + 4;
--
1.7.4.1
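Review bot: The added `if (len_rtn) *len_rtn = len;` is a second write to the same out-parameter on the truncation path only; the comment's "too" implies the first write happens earlier in hivex_value_value, which starts and ends outside this hunk. A single assignment placed after the truncation check would keep the reported length from ever diverging from the allocated length if another adjustment is added later; if the earlier write cannot be moved, the added comment should state that explicitly, e.g. `/* Override the length stored earlier: the block is shorter than the declared data length, so the caller must see the truncated size. */`. The truncation `len = blen - 4;` also relies on the block length being at least 4, which this hunk cannot show; since `blen` comes from the on-disk hive, it is worth confirming where it is read that the minimum is enforced before this subtraction.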