From 441ea7b10e929d1de0c86e0bbb4eac8ac6bb9097 Mon Sep 17 00:00:00 2001
From: Colin Finck
Date: Tue, 24 Jan 2023 21:20:17 +0100
Subject: [PATCH] Fix out-of-bounds access in `Record::fixup()`

This change also optimizes the routine by performing the validation only once and not in every iteration.

Fixes #24
---
 src/record.rs | 19 ++++++++++---------
 1 file changed, 10 insertions(+), 9 deletions(-)

diff --git a/src/record.rs b/src/record.rs
index 3003130..1c8c8e0 100644
--- a/src/record.rs
+++ b/src/record.rs
@@ -1,4 +1,4 @@
-// Copyright 2021-2022 Colin Finck
+// Copyright 2021-2023 Colin Finck
 // SPDX-License-Identifier: MIT OR Apache-2.0
 use core::mem;
@@ -40,6 +40,15 @@ impl Record {
 let mut array_position = self.update_sequence_array_start() as usize;
 let array_end = self.update_sequence_offset() as usize + self.update_sequence_size() as usize;
+ let sectors_end = self.update_sequence_array_count() as usize * NTFS_BLOCK_SIZE;
+
+ if array_end > self.data.len() || sectors_end > self.data.len() {
+ return Err(NtfsError::UpdateSequenceArrayExceedsRecordSize {
+ position: self.position,
+ array_count: self.update_sequence_array_count(),
+ record_size: self.data.len(),
+ });
+ }
 // The Update Sequence Number (USN) is written to the last 2 bytes of each sector.
 let mut sector_position = NTFS_BLOCK_SIZE - mem::size_of::();
@@ -48,14 +57,6 @@ impl Record {
 let array_position_end = array_position + mem::size_of::();
 let sector_position_end = sector_position + mem::size_of::();
- if sector_position_end > self.data.len() {
- return Err(NtfsError::UpdateSequenceArrayExceedsRecordSize {
- position: self.position,
- array_count: self.update_sequence_array_count(),
- record_size: self.data.len(),
- });
- }
-
 // The array contains the actual 2 bytes that need to be at `sector_position` after the fixup.
 let new_bytes: [u8; 2] = self.data[array_position..array_position_end]
 .try_into()
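Review bot: The hoisted check in the `@@ -40,6 +40,15 @@` hunk only protects the later `self.data[...]` indexing if the loop runs at most `update_sequence_array_count()` times, and nothing in the visible lines ties `array_end - array_position` to that count. If `update_sequence_size()` and `update_sequence_array_count()` are derived from the same header field this holds, but since those fields come from on-disk data the assumption should be written next to the check, for example `// Loop runs once per 2-byte array entry, i.e. array_count times, so sector_position stays below sectors_end.` The two bounds are also built with plain `as usize` addition and multiplication; if either accessor can return a 32-bit value, `checked_add`/`checked_mul` would keep the comparison meaningful on narrow targets. A regression test that feeds a record whose update sequence array does not fit the record and expects `UpdateSequenceArrayExceedsRecordSize` would pin the fix for #24. The body of `fixup()` starts and ends outside both hunks.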