Fix/crash corrupted iso (#154)
* check if SUSP is formatted correctly in order to prevent a crash

* update code style

* finish code refinement
r-fogash committed Sep 11, 2023
1 parent 40accde commit 9d822bf
Showing 1 changed file with 29 additions and 9 deletions.
38 changes: 29 additions & 9 deletions XADISO9660Parser.m
Expand Up @@ -643,15 +643,35 @@ case TypeID('A','S'):
break;

case TypeID('C','E'):
{
if(length!=28) break;
if(system[pos+3]!=1) break;

uint32_t block=CSUInt32LE(&system[pos+4]);
uint32_t offset=CSUInt32LE(&system[pos+12]);
nextoffset=block*2048+offset;

nextlength=CSUInt32LE(&system[pos+20]);
{
if (length != 28) break;
if (system[pos+3] != 1) break;

/**
This region is a SUSP, define in SUSP IEEE P1281 section 5.1, which says that
the next fields shall be recorded according to ISO 9660:1988 Format section 7.3.3.
From ISO 9660:1988 7.3.3:
"A numerical value represented by the hexadecimal representation (st uv wx yz)
shall be recorded in an eight- byte field as (yz wx uv st st uv wx yz)."
We can read the next fields in BigEndian and LittleEndian format
and compare then in order to determine if the SUSP CE block is corrupted.
*/
uint32_t blockLE = CSUInt32LE(&system[pos+4]);
uint32_t blockBE = CSUInt32BE(&system[pos+8]);

uint32_t offsetLE = CSUInt32LE(&system[pos+12]);
uint32_t offsetBE = CSUInt32BE(&system[pos+16]);

uint32_t lengthLE = CSUInt32LE(&system[pos+20]);
uint32_t lengthBE = CSUInt32BE(&system[pos+24]);

if (blockLE != blockBE || offsetLE != offsetBE || lengthLE != lengthBE) {
break;
}

nextoffset = blockLE * 2048 + offsetLE;
nextlength = lengthLE;
}
break;
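
Review bot: In the `case TypeID('C','E')` branch, the new LE/BE comparison only establishes that the two copies of each field agree, so a continuation entry that records the same out-of-range block, offset or length in both byte orders still passes and reaches `nextoffset = blockLE * 2048 + offsetLE;`. Both operands there are `uint32_t`, so the product is computed in 32 bits and wraps once blockLE is 0x200000 or larger, whatever the type of `nextoffset`; widening first, e.g. `(uint64_t)blockLE * 2048 + offsetLE`, avoids that. Nothing in these lines compares `nextoffset` or `nextlength` against the size of the image, so if that check is not made where the continuation area is later read, it belongs here next to the consistency test. Minor: the explanatory comment has two typos, "define in" and "compare then".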
