From 9d43930f2caae256884b0c567bdfc818b7ce988c Mon Sep 17 00:00:00 2001
From: Joachim Metz <joachim.metz@gmail.com>
Date: Fri, 30 Jul 2021 18:05:08 +0200
Subject: [PATCH] Fix OOB write in ntfs_proc_compunit and integer overflow in
 ntfs_uncompress_setup

---
 tsk/fs/ntfs.c | 13 +++++++++++++
 1 file changed, 13 insertions(+)

diff --git a/tsk/fs/ntfs.c b/tsk/fs/ntfs.c
index 1761856ac..ead397aa4 100755
--- a/tsk/fs/ntfs.c
+++ b/tsk/fs/ntfs.c
@@ -851,7 +851,15 @@ static int
 ntfs_uncompress_setup(TSK_FS_INFO * fs, NTFS_COMP_INFO * comp,
     uint32_t compunit_size_c)
 {
+    if (fs->block_size == 0 || compunit_size_c == 0) {
+        return 1;
+    }
     comp->buf_size_b = fs->block_size * compunit_size_c;
+
+    // Detect an integer overflow e.g. 65536 * 65536
+    if (comp->buf_size_b < fs->block_size) {
+        return 1;
+    }
     if ((comp->uncomp_buf = tsk_malloc(comp->buf_size_b)) == NULL) {
         comp->buf_size_b = 0;
         return 1;
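Review bot: The wrap test after the multiplication, `if (comp->buf_size_b < fs->block_size)`, does not catch every overflow. With operands 65536 and 65537, a 32-bit product wraps to 65536, which is not smaller than the block size, so an undersized buffer is still allocated. Testing before multiplying closes the gap, e.g. `if (compunit_size_c > UINT32_MAX / fs->block_size) { comp->buf_size_b = 0; return 1; }`. This assumes both operands are 32-bit; their declarations are outside the hunk, and the product may need a widening cast if buf_size_b is wider. The new early returns also leave comp->buf_size_b holding its previous or wrapped value, unlike the tsk_malloc failure path, which resets it to 0. The function body continues past the end of the hunk.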
@@ -1214,6 +1222,11 @@ ntfs_proc_compunit(NTFS_INFO * ntfs, NTFS_COMP_INFO * comp,
         for (a = 0; a < comp_unit_size; a++) {
             ssize_t cnt;
 
+            // Prevent an OOB write of comp->uncomp_buf
+            if ((comp->uncomp_idx >= comp->buf_size_b) || (fs->block_size > comp->buf_size_b - comp->uncomp_idx)) {
+                return 1;
+            }
+
             cnt =
                 tsk_fs_read_block(fs, comp_unit[a],
                 &comp->uncomp_buf[comp->uncomp_idx], fs->block_size);
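Review bot: The new guard in the read loop returns 1 without recording why, so the caller sees only a generic failure when a damaged or crafted image drives comp->uncomp_idx up to the end of the buffer. If ntfs_proc_compunit follows the usual TSK convention of setting the error state before a failing return (the rest of the body is outside the hunk), add it here, for example `tsk_error_set_errstr("ntfs_proc_compunit: compression unit exceeds uncompressed buffer");` together with the matching tsk_error_reset and tsk_error_set_errno calls. The comment could also state the invariant being enforced, e.g. `// uncomp_idx + block_size must stay within buf_size_b; written as a subtraction so the sum cannot wrap`.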
-- 
GitLab