From ecd3cabea36dc5572b5a9420b8b6870a9be584aa Mon Sep 17 00:00:00 2001
From: Brian Carrier <carrier@sleuthkit.org>
Date: Tue, 29 Sep 2015 22:29:19 -0400
Subject: [PATCH] bounds check.  Fixes #528

---
 tsk/fs/ntfs_dent.cpp | 14 ++++++++++++--
 1 file changed, 12 insertions(+), 2 deletions(-)

diff --git a/tsk/fs/ntfs_dent.cpp b/tsk/fs/ntfs_dent.cpp
index e5b722b1a..627173d3f 100644
--- a/tsk/fs/ntfs_dent.cpp
+++ b/tsk/fs/ntfs_dent.cpp
@@ -1060,8 +1060,8 @@ ntfs_dir_open_meta(TSK_FS_INFO * a_fs, TSK_FS_DIR ** a_fs_dir,
 
             /* Length from end of attribute to start of this */
             rec_len =
-                (uint32_t) (idxalloc_len - (uintptr_t) idxrec_p -
-                (uintptr_t) idxalloc);
+                (uint32_t) (idxalloc_len - ((uintptr_t) idxrec_p -
+                (uintptr_t) idxalloc));
 
             if (tsk_verbose)
                 tsk_fprintf(stderr,
@@ -1075,6 +1075,16 @@ ntfs_dir_open_meta(TSK_FS_INFO * a_fs, TSK_FS_DIR ** a_fs_dir,
             }
 
             idxelist = &idxrec_p->list;
+            if (tsk_getu32(a_fs->endian, idxelist->begin_off) > rec_len) {
+                tsk_error_reset();
+                tsk_error_set_errno(TSK_ERR_FS_INODE_COR);
+                tsk_error_set_errstr
+                    ("Error: Index list offsets are invalid on entry: %"
+                    PRIuINUM, fs_dir->fs_file->meta->addr);
+                free(idxalloc);
+                return TSK_COR;
+            }
+
             idxe = (ntfs_idxentry *) ((uintptr_t) idxelist +
                 tsk_getu32(a_fs->endian, idxelist->begin_off));
 
-- 
GitLab