--- embedaddon/php/ext/fileinfo/libmagic/cdf.c 2012/02/21 23:47:56 1.1.1.1 +++ embedaddon/php/ext/fileinfo/libmagic/cdf.c 2014/06/15 20:03:48 1.1.1.4 @@ -24,15 +24,18 @@ * POSSIBILITY OF SUCH DAMAGE. */ /* - * Parse composite document files, the format used in Microsoft Office - * document files before they switched to zipped xml. + * Parse Composite Document Files, the format used in Microsoft Office + * document files before they switched to zipped XML. * Info from: http://sc.openoffice.org/compdocfileformat.pdf + * + * N.B. This is the "Composite Document File" format, and not the + * "Compound Document Format", nor the "Channel Definition Format". */ #include "file.h" #ifndef lint -FILE_RCSID("@(#)$File: cdf.c,v 1.30 2009/05/06 14:29:47 christos Exp $") +FILE_RCSID("@(#)$File: cdf.c,v 1.53 2013/02/26 16:20:42 christos Exp $") #endif #include @@ -54,6 +57,9 @@ FILE_RCSID("@(#)$File: cdf.c,v 1.30 2009/05/06 14:29:4 #include #include #include +#ifdef HAVE_LIMITS_H +#include +#endif #ifndef EFTYPE #define EFTYPE EINVAL @@ -61,10 +67,6 @@ FILE_RCSID("@(#)$File: cdf.c,v 1.30 2009/05/06 14:29:4 #include "cdf.h" -#ifndef __arraycount -#define __arraycount(a) (sizeof(a) / sizeof(a[0])) -#endif - #ifdef CDF_DEBUG #define DPRINTF(a) printf a, fflush(stdout) #else @@ -78,19 +80,21 @@ static union { #define NEED_SWAP (cdf_bo.u == (uint32_t)0x01020304) -#define CDF_TOLE8(x) (NEED_SWAP ? cdf_tole8(x) : (uint64_t)(x)) -#define CDF_TOLE4(x) (NEED_SWAP ? cdf_tole4(x) : (uint32_t)(x)) -#define CDF_TOLE2(x) (NEED_SWAP ? cdf_tole2(x) : (uint16_t)(x)) +#define CDF_TOLE8(x) ((uint64_t)(NEED_SWAP ? _cdf_tole8(x) : (uint64_t)(x))) +#define CDF_TOLE4(x) ((uint32_t)(NEED_SWAP ? _cdf_tole4(x) : (uint32_t)(x))) +#define CDF_TOLE2(x) ((uint16_t)(NEED_SWAP ? _cdf_tole2(x) : (uint16_t)(x))) +#define CDF_GETUINT32(x, y) cdf_getuint32(x, y) + /* * swap a short */ -uint16_t -cdf_tole2(uint16_t sv) +static uint16_t +_cdf_tole2(uint16_t sv) { uint16_t rv; - uint8_t *s = (uint8_t *)(void *)&sv; - uint8_t *d = (uint8_t *)(void *)&rv; + uint8_t *s = (uint8_t *)(void *)&sv; + uint8_t *d = (uint8_t *)(void *)&rv; d[0] = s[1]; d[1] = s[0]; return rv; @@ -99,12 +103,12 @@ cdf_tole2(uint16_t sv) /* * swap an int */ -uint32_t -cdf_tole4(uint32_t sv) +static uint32_t +_cdf_tole4(uint32_t sv) { uint32_t rv; - uint8_t *s = (uint8_t *)(void *)&sv; - uint8_t *d = (uint8_t *)(void *)&rv; + uint8_t *s = (uint8_t *)(void *)&sv; + uint8_t *d = (uint8_t *)(void *)&rv; d[0] = s[3]; d[1] = s[2]; d[2] = s[1]; @@ -115,12 +119,12 @@ cdf_tole4(uint32_t sv) /* * swap a quad */ -uint64_t -cdf_tole8(uint64_t sv) +static uint64_t +_cdf_tole8(uint64_t sv) { uint64_t rv; - uint8_t *s = (uint8_t *)(void *)&sv; - uint8_t *d = (uint8_t *)(void *)&rv; + uint8_t *s = (uint8_t *)(void *)&sv; + uint8_t *d = (uint8_t *)(void *)&rv; d[0] = s[7]; d[1] = s[6]; d[2] = s[5]; @@ -132,11 +136,41 @@ cdf_tole8(uint64_t sv) return rv; } +/* + * grab a uint32_t from a possibly unaligned address, and return it in + * the native host order. + */ +static uint32_t +cdf_getuint32(const uint8_t *p, size_t offs) +{ + uint32_t rv; + (void)memcpy(&rv, p + offs * sizeof(uint32_t), sizeof(rv)); + return CDF_TOLE4(rv); +} + #define CDF_UNPACK(a) \ (void)memcpy(&(a), &buf[len], sizeof(a)), len += sizeof(a) #define CDF_UNPACKA(a) \ (void)memcpy((a), &buf[len], sizeof(a)), len += sizeof(a) +uint16_t +cdf_tole2(uint16_t sv) +{ + return CDF_TOLE2(sv); +} + +uint32_t +cdf_tole4(uint32_t sv) +{ + return CDF_TOLE4(sv); +} + +uint64_t +cdf_tole8(uint64_t sv) +{ + return CDF_TOLE8(sv); +} + void cdf_swap_header(cdf_header_t *h) { @@ -155,15 +189,15 @@ cdf_swap_header(cdf_header_t *h) h->h_min_size_standard_stream = CDF_TOLE4(h->h_min_size_standard_stream); h->h_secid_first_sector_in_short_sat = - CDF_TOLE4(h->h_secid_first_sector_in_short_sat); + CDF_TOLE4((uint32_t)h->h_secid_first_sector_in_short_sat); h->h_num_sectors_in_short_sat = CDF_TOLE4(h->h_num_sectors_in_short_sat); h->h_secid_first_sector_in_master_sat = - CDF_TOLE4(h->h_secid_first_sector_in_master_sat); + CDF_TOLE4((uint32_t)h->h_secid_first_sector_in_master_sat); h->h_num_sectors_in_master_sat = CDF_TOLE4(h->h_num_sectors_in_master_sat); for (i = 0; i < __arraycount(h->h_master_sat); i++) - h->h_master_sat[i] = CDF_TOLE4(h->h_master_sat[i]); + h->h_master_sat[i] = CDF_TOLE4((uint32_t)h->h_master_sat[i]); } void @@ -196,15 +230,15 @@ void cdf_swap_dir(cdf_directory_t *d) { d->d_namelen = CDF_TOLE2(d->d_namelen); - d->d_left_child = CDF_TOLE4(d->d_left_child); - d->d_right_child = CDF_TOLE4(d->d_right_child); - d->d_storage = CDF_TOLE4(d->d_storage); + d->d_left_child = CDF_TOLE4((uint32_t)d->d_left_child); + d->d_right_child = CDF_TOLE4((uint32_t)d->d_right_child); + d->d_storage = CDF_TOLE4((uint32_t)d->d_storage); d->d_storage_uuid[0] = CDF_TOLE8(d->d_storage_uuid[0]); d->d_storage_uuid[1] = CDF_TOLE8(d->d_storage_uuid[1]); d->d_flags = CDF_TOLE4(d->d_flags); - d->d_created = CDF_TOLE8(d->d_created); - d->d_modified = CDF_TOLE8(d->d_modified); - d->d_stream_first_sector = CDF_TOLE4(d->d_stream_first_sector); + d->d_created = CDF_TOLE8((uint64_t)d->d_created); + d->d_modified = CDF_TOLE8((uint64_t)d->d_modified); + d->d_stream_first_sector = CDF_TOLE4((uint32_t)d->d_stream_first_sector); d->d_size = CDF_TOLE4(d->d_size); } @@ -238,14 +272,18 @@ cdf_unpack_dir(cdf_directory_t *d, char *buf) } static int -cdf_check_stream_offset(const cdf_stream_t *sst, const void *p, size_t tail) +cdf_check_stream_offset(const cdf_stream_t *sst, const cdf_header_t *h, + const void *p, size_t tail, int line) { const char *b = (const char *)sst->sst_tab; const char *e = ((const char *)p) + tail; - if (e >= b && (size_t)(e - b) < sst->sst_dirlen * sst->sst_len) + (void)&line; + if (e >= b && (size_t)(e - b) <= CDF_SEC_SIZE(h) * sst->sst_len) return 0; - DPRINTF((stderr, "offset begin %p end %p %zu >= %zu\n", b, e, - (size_t)(e - b), sst->sst_dirlen * sst->sst_len)); + DPRINTF(("%d: offset begin %p < end %p || %" SIZE_T_FORMAT "u" + " > %" SIZE_T_FORMAT "u [%" SIZE_T_FORMAT "u %" + SIZE_T_FORMAT "u]\n", line, b, e, (size_t)(e - b), + CDF_SEC_SIZE(h) * sst->sst_len, CDF_SEC_SIZE(h), sst->sst_len)); errno = EFTYPE; return -1; } @@ -268,10 +306,10 @@ cdf_read(const cdf_info_t *info, off_t off, void *buf, if (info->i_fd == -1) return -1; - if (lseek(info->i_fd, off, SEEK_SET) == (off_t)-1) + if (FINFO_LSEEK_FUNC(info->i_fd, off, SEEK_SET) == (off_t)-1) return -1; - if (read(info->i_fd, buf, len) != (ssize_t)len) + if (FINFO_READ_FUNC(info->i_fd, buf, len) != (ssize_t)len) return -1; return (ssize_t)len; @@ -288,7 +326,8 @@ cdf_read_header(const cdf_info_t *info, cdf_header_t * cdf_unpack_header(h, buf); cdf_swap_header(h); if (h->h_magic != CDF_MAGIC) { - DPRINTF(("Bad magic 0x%llx != 0x%llx\n", + DPRINTF(("Bad magic 0x%" INT64_T_FORMAT "x != 0x%" + INT64_T_FORMAT "x\n", (unsigned long long)h->h_magic, (unsigned long long)CDF_MAGIC)); goto out; @@ -313,18 +352,27 @@ ssize_t cdf_read_sector(const cdf_info_t *info, void *buf, size_t offs, size_t len, const cdf_header_t *h, cdf_secid_t id) { - assert((size_t)CDF_SEC_SIZE(h) == len); - return cdf_read(info, (off_t)CDF_SEC_POS(h, id), - ((char *)buf) + offs, len); + size_t ss = CDF_SEC_SIZE(h); + size_t pos = CDF_SEC_POS(h, id); + assert(ss == len); + return cdf_read(info, (off_t)pos, ((char *)buf) + offs, len); } ssize_t cdf_read_short_sector(const cdf_stream_t *sst, void *buf, size_t offs, size_t len, const cdf_header_t *h, cdf_secid_t id) { - assert((size_t)CDF_SHORT_SEC_SIZE(h) == len); + size_t ss = CDF_SHORT_SEC_SIZE(h); + size_t pos = CDF_SHORT_SEC_POS(h, id); + assert(ss == len); + if (pos > CDF_SEC_SIZE(h) * sst->sst_len) { + DPRINTF(("Out of bounds read %" SIZE_T_FORMAT "u > %" + SIZE_T_FORMAT "u\n", + pos, CDF_SEC_SIZE(h) * sst->sst_len)); + return -1; + } (void)memcpy(((char *)buf) + offs, - ((const char *)sst->sst_tab) + CDF_SHORT_SEC_POS(h, id), len); + ((const char *)sst->sst_tab) + pos, len); return len; } @@ -344,17 +392,20 @@ cdf_read_sat(const cdf_info_t *info, cdf_header_t *h, break; #define CDF_SEC_LIMIT (UINT32_MAX / (4 * ss)) - if (h->h_num_sectors_in_master_sat > CDF_SEC_LIMIT / nsatpersec || + if ((nsatpersec > 0 && + h->h_num_sectors_in_master_sat > CDF_SEC_LIMIT / nsatpersec) || i > CDF_SEC_LIMIT) { - DPRINTF(("Number of sectors in master SAT too big %u %zu\n", - h->h_num_sectors_in_master_sat, i)); + DPRINTF(("Number of sectors in master SAT too big %u %" + SIZE_T_FORMAT "u\n", h->h_num_sectors_in_master_sat, i)); errno = EFTYPE; return -1; } sat->sat_len = h->h_num_sectors_in_master_sat * nsatpersec + i; - DPRINTF(("sat_len = %zu ss = %zu\n", sat->sat_len, ss)); - if ((sat->sat_tab = calloc(sat->sat_len, ss)) == NULL) + DPRINTF(("sat_len = %" SIZE_T_FORMAT "u ss = %" SIZE_T_FORMAT "u\n", + sat->sat_len, ss)); + if ((sat->sat_tab = CAST(cdf_secid_t *, calloc(sat->sat_len, ss))) + == NULL) return -1; for (i = 0; i < __arraycount(h->h_master_sat); i++) { @@ -367,7 +418,7 @@ cdf_read_sat(const cdf_info_t *info, cdf_header_t *h, } } - if ((msa = calloc(1, ss)) == NULL) + if ((msa = CAST(cdf_secid_t *, calloc(1, ss))) == NULL) goto out1; mid = h->h_secid_first_sector_in_master_sat; @@ -384,12 +435,12 @@ cdf_read_sat(const cdf_info_t *info, cdf_header_t *h, goto out2; } for (k = 0; k < nsatpersec; k++, i++) { - sec = CDF_TOLE4(msa[k]); + sec = CDF_TOLE4((uint32_t)msa[k]); if (sec < 0) goto out; if (i >= sat->sat_len) { - DPRINTF(("Out of bounds reading MSA %u >= %u", - i, sat->sat_len)); + DPRINTF(("Out of bounds reading MSA %" SIZE_T_FORMAT + "u >= %" SIZE_T_FORMAT "u", i, sat->sat_len)); errno = EFTYPE; goto out2; } @@ -400,7 +451,7 @@ cdf_read_sat(const cdf_info_t *info, cdf_header_t *h, goto out2; } } - mid = CDF_TOLE4(msa[nsatpersec]); + mid = CDF_TOLE4((uint32_t)msa[nsatpersec]); } out: sat->sat_len = i; @@ -432,7 +483,7 @@ cdf_count_chain(const cdf_sat_t *sat, cdf_secid_t sid, errno = EFTYPE; return (size_t)-1; } - sid = CDF_TOLE4(sat->sat_tab[sid]); + sid = CDF_TOLE4((uint32_t)sat->sat_tab[sid]); } DPRINTF(("\n")); return i; @@ -462,7 +513,8 @@ cdf_read_long_sector_chain(const cdf_info_t *info, con } if (i >= scn->sst_len) { DPRINTF(("Out of bounds reading long sector chain " - "%u > %u\n", i, scn->sst_len)); + "%" SIZE_T_FORMAT "u > %" SIZE_T_FORMAT "u\n", i, + scn->sst_len)); errno = EFTYPE; goto out; } @@ -475,7 +527,7 @@ cdf_read_long_sector_chain(const cdf_info_t *info, con DPRINTF(("Reading long sector chain %d", sid)); goto out; } - sid = CDF_TOLE4(sat->sat_tab[sid]); + sid = CDF_TOLE4((uint32_t)sat->sat_tab[sid]); } return 0; out: @@ -507,7 +559,8 @@ cdf_read_short_sector_chain(const cdf_header_t *h, } if (i >= scn->sst_len) { DPRINTF(("Out of bounds reading short sector chain " - "%u > %u\n", i, scn->sst_len)); + "%" SIZE_T_FORMAT "u > %" SIZE_T_FORMAT "u\n", + i, scn->sst_len)); errno = EFTYPE; goto out; } @@ -516,7 +569,7 @@ cdf_read_short_sector_chain(const cdf_header_t *h, DPRINTF(("Reading short sector chain %d", sid)); goto out; } - sid = CDF_TOLE4(ssat->sat_tab[sid]); + sid = CDF_TOLE4((uint32_t)ssat->sat_tab[sid]); } return 0; out: @@ -530,7 +583,7 @@ cdf_read_sector_chain(const cdf_info_t *info, const cd cdf_secid_t sid, size_t len, cdf_stream_t *scn) { - if (len < h->h_min_size_standard_stream) + if (len < h->h_min_size_standard_stream && sst->sst_tab != NULL) return cdf_read_short_sector_chain(h, ssat, sst, sid, len, scn); else @@ -553,11 +606,12 @@ cdf_read_dir(const cdf_info_t *info, const cdf_header_ nd = ss / CDF_DIRECTORY_SIZE; dir->dir_len = ns * nd; - dir->dir_tab = calloc(dir->dir_len, sizeof(dir->dir_tab[0])); + dir->dir_tab = CAST(cdf_directory_t *, + calloc(dir->dir_len, sizeof(dir->dir_tab[0]))); if (dir->dir_tab == NULL) return -1; - if ((buf = malloc(ss)) == NULL) { + if ((buf = CAST(char *, malloc(ss))) == NULL) { free(dir->dir_tab); return -1; } @@ -576,7 +630,7 @@ cdf_read_dir(const cdf_info_t *info, const cdf_header_ cdf_unpack_dir(&dir->dir_tab[i * nd + j], &buf[j * CDF_DIRECTORY_SIZE]); } - sid = CDF_TOLE4(sat->sat_tab[sid]); + sid = CDF_TOLE4((uint32_t)sat->sat_tab[sid]); } if (NEED_SWAP) for (i = 0; i < dir->dir_len; i++) @@ -602,7 +656,7 @@ cdf_read_ssat(const cdf_info_t *info, const cdf_header if (ssat->sat_len == (size_t)-1) return -1; - ssat->sat_tab = calloc(ssat->sat_len, ss); + ssat->sat_tab = CAST(cdf_secid_t *, calloc(ssat->sat_len, ss)); if (ssat->sat_tab == NULL) return -1; @@ -614,7 +668,8 @@ cdf_read_ssat(const cdf_info_t *info, const cdf_header } if (i >= ssat->sat_len) { DPRINTF(("Out of bounds reading short sector chain " - "%u > %u\n", i, ssat->sat_len)); + "%" SIZE_T_FORMAT "u > %" SIZE_T_FORMAT "u\n", i, + ssat->sat_len)); errno = EFTYPE; goto out; } @@ -623,7 +678,7 @@ cdf_read_ssat(const cdf_info_t *info, const cdf_header DPRINTF(("Reading short sat sector %d", sid)); goto out; } - sid = CDF_TOLE4(sat->sat_tab[sid]); + sid = CDF_TOLE4((uint32_t)sat->sat_tab[sid]); } return 0; out: @@ -651,7 +706,7 @@ cdf_read_short_stream(const cdf_info_t *info, const cd if (d->d_stream_first_sector < 0) goto out; - return cdf_read_long_sector_chain(info, h, sat, + return cdf_read_long_sector_chain(info, h, sat, d->d_stream_first_sector, d->d_size, scn); out: scn->sst_tab = NULL; @@ -678,44 +733,45 @@ cdf_read_summary_info(const cdf_info_t *info, const cd const cdf_directory_t *d; static const char name[] = "\05SummaryInformation"; - for (i = 0; i < dir->dir_len; i++) - if (dir->dir_tab[i].d_type == CDF_DIR_TYPE_USER_STREAM && - cdf_namecmp(name, dir->dir_tab[i].d_name, sizeof(name)) + for (i = dir->dir_len; i > 0; i--) + if (dir->dir_tab[i - 1].d_type == CDF_DIR_TYPE_USER_STREAM && + cdf_namecmp(name, dir->dir_tab[i - 1].d_name, sizeof(name)) == 0) break; - if (i == dir->dir_len) { + if (i == 0) { DPRINTF(("Cannot find summary information section\n")); - errno = EFTYPE; + errno = ESRCH; return -1; } - d = &dir->dir_tab[i]; + d = &dir->dir_tab[i - 1]; return cdf_read_sector_chain(info, h, sat, ssat, sst, d->d_stream_first_sector, d->d_size, scn); } int -cdf_read_property_info(const cdf_stream_t *sst, uint32_t offs, - cdf_property_info_t **info, size_t *count, size_t *maxcount) +cdf_read_property_info(const cdf_stream_t *sst, const cdf_header_t *h, + uint32_t offs, cdf_property_info_t **info, size_t *count, size_t *maxcount) { const cdf_section_header_t *shp; cdf_section_header_t sh; - const uint32_t *p, *q, *e; + const uint8_t *p, *q, *e; int16_t s16; int32_t s32; uint32_t u32; int64_t s64; uint64_t u64; cdf_timestamp_t tp; - size_t i, o, nelements, j; + size_t i, o, o4, nelements, j; cdf_property_info_t *inp; if (offs > UINT32_MAX / 4) { errno = EFTYPE; goto out; } - shp = (const void *)((const char *)sst->sst_tab + offs); - if (cdf_check_stream_offset(sst, shp, sizeof(*shp)) == -1) + shp = CAST(const cdf_section_header_t *, (const void *) + ((const char *)sst->sst_tab + offs)); + if (cdf_check_stream_offset(sst, h, shp, sizeof(*shp), __LINE__) == -1) goto out; sh.sh_len = CDF_TOLE4(shp->sh_len); #define CDF_SHLEN_LIMIT (UINT32_MAX / 8) @@ -733,105 +789,143 @@ cdf_read_property_info(const cdf_stream_t *sst, uint32 if (*maxcount > CDF_PROP_LIMIT) goto out; *maxcount += sh.sh_properties; - inp = realloc(*info, *maxcount * sizeof(*inp)); + inp = CAST(cdf_property_info_t *, + realloc(*info, *maxcount * sizeof(*inp))); } else { *maxcount = sh.sh_properties; - inp = malloc(*maxcount * sizeof(*inp)); + inp = CAST(cdf_property_info_t *, + malloc(*maxcount * sizeof(*inp))); } if (inp == NULL) goto out; *info = inp; inp += *count; *count += sh.sh_properties; - p = (const void *)((const char *)sst->sst_tab + offs + sizeof(sh)); - e = (const void *)(((const char *)shp) + sh.sh_len); - if (cdf_check_stream_offset(sst, e, 0) == -1) + p = CAST(const uint8_t *, (const void *) + ((const char *)(const void *)sst->sst_tab + + offs + sizeof(sh))); + e = CAST(const uint8_t *, (const void *) + (((const char *)(const void *)shp) + sh.sh_len)); + if (cdf_check_stream_offset(sst, h, e, 0, __LINE__) == -1) goto out; for (i = 0; i < sh.sh_properties; i++) { - q = (const uint32_t *)((const char *)p + - CDF_TOLE4(p[(i << 1) + 1])) - 2; + size_t ofs = CDF_GETUINT32(p, (i << 1) + 1); + q = (const uint8_t *)(const void *) + ((const char *)(const void *)p + ofs + - 2 * sizeof(uint32_t)); if (q > e) { DPRINTF(("Ran of the end %p > %p\n", q, e)); goto out; } - inp[i].pi_id = CDF_TOLE4(p[i << 1]); - inp[i].pi_type = CDF_TOLE4(q[0]); - DPRINTF(("%d) id=%x type=%x offs=%x\n", i, inp[i].pi_id, - inp[i].pi_type, (const char *)q - (const char *)p)); + inp[i].pi_id = CDF_GETUINT32(p, i << 1); + inp[i].pi_type = CDF_GETUINT32(q, 0); + DPRINTF(("%" SIZE_T_FORMAT "u) id=%x type=%x offs=0x%tx,0x%x\n", + i, inp[i].pi_id, inp[i].pi_type, q - p, offs)); if (inp[i].pi_type & CDF_VECTOR) { - nelements = CDF_TOLE4(q[1]); + nelements = CDF_GETUINT32(q, 1); + if (nelements == 0) { + DPRINTF(("CDF_VECTOR with nelements == 0\n")); + goto out; + } o = 2; } else { nelements = 1; o = 1; } + o4 = o * sizeof(uint32_t); if (inp[i].pi_type & (CDF_ARRAY|CDF_BYREF|CDF_RESERVED)) goto unknown; switch (inp[i].pi_type & CDF_TYPEMASK) { + case CDF_NULL: case CDF_EMPTY: break; case CDF_SIGNED16: if (inp[i].pi_type & CDF_VECTOR) goto unknown; - (void)memcpy(&s16, &q[o], sizeof(s16)); + (void)memcpy(&s16, &q[o4], sizeof(s16)); inp[i].pi_s16 = CDF_TOLE2(s16); break; case CDF_SIGNED32: if (inp[i].pi_type & CDF_VECTOR) goto unknown; - (void)memcpy(&s32, &q[o], sizeof(s32)); - inp[i].pi_s32 = CDF_TOLE4(s32); + (void)memcpy(&s32, &q[o4], sizeof(s32)); + inp[i].pi_s32 = CDF_TOLE4((uint32_t)s32); break; case CDF_BOOL: case CDF_UNSIGNED32: if (inp[i].pi_type & CDF_VECTOR) goto unknown; - (void)memcpy(&u32, &q[o], sizeof(u32)); + (void)memcpy(&u32, &q[o4], sizeof(u32)); inp[i].pi_u32 = CDF_TOLE4(u32); break; case CDF_SIGNED64: if (inp[i].pi_type & CDF_VECTOR) goto unknown; - (void)memcpy(&s64, &q[o], sizeof(s64)); - inp[i].pi_s64 = CDF_TOLE4(s64); + (void)memcpy(&s64, &q[o4], sizeof(s64)); + inp[i].pi_s64 = CDF_TOLE8((uint64_t)s64); break; case CDF_UNSIGNED64: if (inp[i].pi_type & CDF_VECTOR) goto unknown; - (void)memcpy(&u64, &q[o], sizeof(u64)); - inp[i].pi_u64 = CDF_TOLE4(u64); + (void)memcpy(&u64, &q[o4], sizeof(u64)); + inp[i].pi_u64 = CDF_TOLE8((uint64_t)u64); break; + case CDF_FLOAT: + if (inp[i].pi_type & CDF_VECTOR) + goto unknown; + (void)memcpy(&u32, &q[o4], sizeof(u32)); + u32 = CDF_TOLE4(u32); + memcpy(&inp[i].pi_f, &u32, sizeof(inp[i].pi_f)); + break; + case CDF_DOUBLE: + if (inp[i].pi_type & CDF_VECTOR) + goto unknown; + (void)memcpy(&u64, &q[o4], sizeof(u64)); + u64 = CDF_TOLE8((uint64_t)u64); + memcpy(&inp[i].pi_d, &u64, sizeof(inp[i].pi_d)); + break; case CDF_LENGTH32_STRING: + case CDF_LENGTH32_WSTRING: if (nelements > 1) { size_t nelem = inp - *info; if (*maxcount > CDF_PROP_LIMIT || nelements > CDF_PROP_LIMIT) goto out; *maxcount += nelements; - inp = realloc(*info, *maxcount * sizeof(*inp)); + inp = CAST(cdf_property_info_t *, + realloc(*info, *maxcount * sizeof(*inp))); if (inp == NULL) goto out; *info = inp; inp = *info + nelem; } - DPRINTF(("nelements = %d\n", nelements)); - for (j = 0; j < nelements; j++, i++) { - uint32_t l = CDF_TOLE4(q[o]); + DPRINTF(("nelements = %" SIZE_T_FORMAT "u\n", + nelements)); + for (j = 0; j < nelements && i < sh.sh_properties; + j++, i++) + { + uint32_t l = CDF_GETUINT32(q, o); inp[i].pi_str.s_len = l; - inp[i].pi_str.s_buf = (const char *)(&q[o+1]); - DPRINTF(("l = %d, r = %d, s = %s\n", l, + inp[i].pi_str.s_buf = (const char *) + (const void *)(&q[o4 + sizeof(l)]); + DPRINTF(("l = %d, r = %" SIZE_T_FORMAT + "u, s = %s\n", l, CDF_ROUND(l, sizeof(l)), inp[i].pi_str.s_buf)); - l = 4 + CDF_ROUND(l, sizeof(l)); - o += l >> 2; + if (l & 1) + l++; + o += l >> 1; + if (q + o >= e) + goto out; + o4 = o * sizeof(uint32_t); } i--; break; case CDF_FILETIME: if (inp[i].pi_type & CDF_VECTOR) goto unknown; - (void)memcpy(&tp, &q[o], sizeof(tp)); - inp[i].pi_tp = CDF_TOLE8(tp); + (void)memcpy(&tp, &q[o4], sizeof(tp)); + inp[i].pi_tp = CDF_TOLE8((uint64_t)tp); break; case CDF_CLIPBOARD: if (inp[i].pi_type & CDF_VECTOR) @@ -841,7 +935,7 @@ cdf_read_property_info(const cdf_stream_t *sst, uint32 unknown: DPRINTF(("Don't know how to deal with %x\n", inp[i].pi_type)); - goto out; + break; } } return 0; @@ -851,36 +945,31 @@ out: } int -cdf_unpack_summary_info(const cdf_stream_t *sst, cdf_summary_info_header_t *ssi, - cdf_property_info_t **info, size_t *count) +cdf_unpack_summary_info(const cdf_stream_t *sst, const cdf_header_t *h, + cdf_summary_info_header_t *ssi, cdf_property_info_t **info, size_t *count) { - size_t i, maxcount; - const cdf_summary_info_header_t *si = sst->sst_tab; - const cdf_section_declaration_t *sd = (const void *) - ((const char *)sst->sst_tab + CDF_SECTION_DECLARATION_OFFSET); + size_t maxcount; + const cdf_summary_info_header_t *si = + CAST(const cdf_summary_info_header_t *, sst->sst_tab); + const cdf_section_declaration_t *sd = + CAST(const cdf_section_declaration_t *, (const void *) + ((const char *)sst->sst_tab + CDF_SECTION_DECLARATION_OFFSET)); - if (cdf_check_stream_offset(sst, si, sizeof(*si)) == -1 || - cdf_check_stream_offset(sst, sd, sizeof(*sd)) == -1) + if (cdf_check_stream_offset(sst, h, si, sizeof(*si), __LINE__) == -1 || + cdf_check_stream_offset(sst, h, sd, sizeof(*sd), __LINE__) == -1) return -1; ssi->si_byte_order = CDF_TOLE2(si->si_byte_order); ssi->si_os_version = CDF_TOLE2(si->si_os_version); ssi->si_os = CDF_TOLE2(si->si_os); ssi->si_class = si->si_class; cdf_swap_class(&ssi->si_class); - ssi->si_count = CDF_TOLE2(si->si_count); + ssi->si_count = CDF_TOLE4(si->si_count); *count = 0; maxcount = 0; *info = NULL; - for (i = 0; i < CDF_TOLE4(si->si_count); i++) { - if (i >= CDF_LOOP_LIMIT) { - DPRINTF(("Unpack summary info loop limit")); - errno = EFTYPE; + if (cdf_read_property_info(sst, h, CDF_TOLE4(sd->sd_offset), info, + count, &maxcount) == -1) return -1; - } - if (cdf_read_property_info(sst, CDF_TOLE4(sd->sd_offset), - info, count, &maxcount) == -1) - return -1; - } return 0; } @@ -936,32 +1025,32 @@ cdf_print_property_name(char *buf, size_t bufsiz, uint int cdf_print_elapsed_time(char *buf, size_t bufsiz, cdf_timestamp_t ts) { - size_t len = 0; + int len = 0; int days, hours, mins, secs; ts /= CDF_TIME_PREC; - secs = ts % 60; + secs = (int)(ts % 60); ts /= 60; - mins = ts % 60; + mins = (int)(ts % 60); ts /= 60; - hours = ts % 24; + hours = (int)(ts % 24); ts /= 24; - days = ts; + days = (int)ts; if (days) { len += snprintf(buf + len, bufsiz - len, "%dd+", days); - if (len >= bufsiz) + if ((size_t)len >= bufsiz) return len; } if (days || hours) { len += snprintf(buf + len, bufsiz - len, "%.2d:", hours); - if (len >= bufsiz) + if ((size_t)len >= bufsiz) return len; } len += snprintf(buf + len, bufsiz - len, "%.2d:", mins); - if (len >= bufsiz) + if ((size_t)len >= bufsiz) return len; len += snprintf(buf + len, bufsiz - len, "%.2d", secs); @@ -1004,13 +1093,14 @@ cdf_dump_sat(const char *prefix, const cdf_sat_t *sat, size_t i, j, s = size / sizeof(cdf_secid_t); for (i = 0; i < sat->sat_len; i++) { - (void)fprintf(stderr, "%s[%zu]:\n%.6d: ", prefix, i, i * s); + (void)fprintf(stderr, "%s[%" SIZE_T_FORMAT "u]:\n%.6" + SIZE_T_FORMAT "u: ", prefix, i, i * s); for (j = 0; j < s; j++) { (void)fprintf(stderr, "%5d, ", CDF_TOLE4(sat->sat_tab[s * i + j])); if ((j + 1) % 10 == 0) - (void)fprintf(stderr, "\n%.6d: ", - i * s + j + 1); + (void)fprintf(stderr, "\n%.6" SIZE_T_FORMAT + "u: ", i * s + j + 1); } (void)fprintf(stderr, "\n"); } @@ -1029,7 +1119,8 @@ cdf_dump(void *v, size_t len) if (j == 16) { j = 0; abuf[15] = '\0'; - (void)fprintf(stderr, "%s\n%.4x: ", abuf, i + 1); + (void)fprintf(stderr, "%s\n%.4" SIZE_T_FORMAT "x: ", + abuf, i + 1); } } (void)fprintf(stderr, "\n"); @@ -1061,7 +1152,8 @@ cdf_dump_dir(const cdf_info_t *info, const cdf_header_ d = &dir->dir_tab[i]; for (j = 0; j < sizeof(name); j++) name[j] = (char)CDF_TOLE2(d->d_name[j]); - (void)fprintf(stderr, "Directory %zu: %s\n", i, name); + (void)fprintf(stderr, "Directory %" SIZE_T_FORMAT "u: %s\n", + i, name); if (d->d_type < __arraycount(types)) (void)fprintf(stderr, "Type: %s\n", types[d->d_type]); else @@ -1072,9 +1164,9 @@ cdf_dump_dir(const cdf_info_t *info, const cdf_header_ (void)fprintf(stderr, "Right child: %d\n", d->d_right_child); (void)fprintf(stderr, "Flags: 0x%x\n", d->d_flags); cdf_timestamp_to_timespec(&ts, d->d_created); - (void)fprintf(stderr, "Created %s", ctime(&ts.tv_sec)); + (void)fprintf(stderr, "Created %s", cdf_ctime(&ts.tv_sec)); cdf_timestamp_to_timespec(&ts, d->d_modified); - (void)fprintf(stderr, "Modified %s", ctime(&ts.tv_sec)); + (void)fprintf(stderr, "Modified %s", cdf_ctime(&ts.tv_sec)); (void)fprintf(stderr, "Stream %d\n", d->d_stream_first_sector); (void)fprintf(stderr, "Size %d\n", d->d_size); switch (d->d_type) { @@ -1096,7 +1188,7 @@ cdf_dump_dir(const cdf_info_t *info, const cdf_header_ default: break; } - + } } @@ -1106,12 +1198,14 @@ cdf_dump_property_info(const cdf_property_info_t *info cdf_timestamp_t tp; struct timeval ts; char buf[64]; - size_t i; + size_t i, j; for (i = 0; i < count; i++) { cdf_print_property_name(buf, sizeof(buf), info[i].pi_id); - (void)fprintf(stderr, "%zu) %s: ", i, buf); + (void)fprintf(stderr, "%" SIZE_T_FORMAT "u) %s: ", i, buf); switch (info[i].pi_type) { + case CDF_NULL: + break; case CDF_SIGNED16: (void)fprintf(stderr, "signed 16 [%hd]\n", info[i].pi_s16); @@ -1124,11 +1218,26 @@ cdf_dump_property_info(const cdf_property_info_t *info (void)fprintf(stderr, "unsigned 32 [%u]\n", info[i].pi_u32); break; + case CDF_FLOAT: + (void)fprintf(stderr, "float [%g]\n", + info[i].pi_f); + break; + case CDF_DOUBLE: + (void)fprintf(stderr, "double [%g]\n", + info[i].pi_d); + break; case CDF_LENGTH32_STRING: (void)fprintf(stderr, "string %u [%.*s]\n", info[i].pi_str.s_len, info[i].pi_str.s_len, info[i].pi_str.s_buf); break; + case CDF_LENGTH32_WSTRING: + (void)fprintf(stderr, "string %u [", + info[i].pi_str.s_len); + for (j = 0; j < info[i].pi_str.s_len - 1; j++) + (void)fputc(info[i].pi_str.s_buf[j << 1], stderr); + (void)fprintf(stderr, "]\n"); + break; case CDF_FILETIME: tp = info[i].pi_tp; #if defined(PHP_WIN32) && _MSC_VER <= 1500 @@ -1141,7 +1250,7 @@ cdf_dump_property_info(const cdf_property_info_t *info } else { cdf_timestamp_to_timespec(&ts, tp); (void)fprintf(stderr, "timestamp %s", - ctime(&ts.tv_sec)); + cdf_ctime(&ts.tv_sec)); } break; case CDF_CLIPBOARD: @@ -1165,7 +1274,7 @@ cdf_dump_summary_info(const cdf_header_t *h, const cdf size_t count; (void)&h; - if (cdf_unpack_summary_info(sst, &ssi, &info, &count) == -1) + if (cdf_unpack_summary_info(sst, h, &ssi, &info, &count) == -1) return; (void)fprintf(stderr, "Endian: %x\n", ssi.si_byte_order); (void)fprintf(stderr, "Os Version %d.%d\n", ssi.si_os_version & 0xff, @@ -1217,7 +1326,7 @@ main(int argc, char *argv[]) if (cdf_read_ssat(&info, &h, &sat, &ssat) == -1) err(1, "Cannot read ssat"); #ifdef CDF_DEBUG - cdf_dump_sat("SSAT", &h, &ssat, CDF_SHORT_SEC_SIZE(&h)); + cdf_dump_sat("SSAT", &ssat, CDF_SHORT_SEC_SIZE(&h)); #endif if (cdf_read_dir(&info, &h, &sat, &dir) == -1)