[CDFS]

Add a few sanity checks to our handling of ISO 9660 / Joliet: - Null name entries are forbidden - Degenerated entries (mistmaching sizes) reveal broken layout In both cases, the lookup for a file is aborted and the CD considered as corrupted by the FSD. explorer displays empty CDs then. CORE-9254 #resolve #comment Fixed with r68233 svn path=/trunk/; revision=68233
2025-01-03 21:09:19 +00:00 · 2015-06-21 16:47:23 +00:00 · 2015-06-21 16:47:23 +00:00 · adb3662527
commit adb3662527
parent 3faaa34e03
2 changed files with 34 additions and 0 deletions
--- a/reactos/drivers/filesystems/cdfs/dirctl.c
+++ b/reactos/drivers/filesystems/cdfs/dirctl.c
@ -290,9 +290,26 @@ CdfsFindFile(PDEVICE_EXTENSION DeviceExt,
            return Status;
        }

+        if (Record->RecordLength < Record->FileIdLength + FIELD_OFFSET(DIR_RECORD, FileId))
+        {
+            DPRINT1("Found corrupted entry! %u - %u\n", Record->RecordLength, Record->FileIdLength + FIELD_OFFSET(DIR_RECORD, FileId));
+            RtlFreeUnicodeString(&FileToFindUpcase);
+            CcUnpinData(Context);
+            return STATUS_DISK_CORRUPT_ERROR;
+        }
+
        DPRINT("Name '%S'\n", name);

        RtlInitUnicodeString(&LongName, name);
+        /* Was the entry degenerated? */
+        if (LongName.Length < sizeof(WCHAR))
+        {
+            DPRINT1("Found entry with invalid name!\n");
+            RtlFreeUnicodeString(&FileToFindUpcase);
+            CcUnpinData(Context);
+            return STATUS_DISK_CORRUPT_ERROR;
+        }
+
        ShortName.Length = 0;
        ShortName.MaximumLength = 26;
        ShortName.Buffer = ShortNameBuffer;
--- a/reactos/drivers/filesystems/cdfs/fcb.c
+++ b/reactos/drivers/filesystems/cdfs/fcb.c
@ -558,12 +558,29 @@ CdfsDirFindFile(PDEVICE_EXTENSION DeviceExt,
        DPRINT("RecordLength %u  ExtAttrRecordLength %u  NameLength %u\n",
            Record->RecordLength, Record->ExtAttrRecordLength, Record->FileIdLength);

+        if (Record->RecordLength < Record->FileIdLength + FIELD_OFFSET(DIR_RECORD, FileId))
+        {
+            DPRINT1("Found corrupted entry! %u - %u\n", Record->RecordLength, Record->FileIdLength + FIELD_OFFSET(DIR_RECORD, FileId));
+            RtlFreeUnicodeString(&FileToFindUpcase);
+            CcUnpinData(Context);
+            return STATUS_DISK_CORRUPT_ERROR;
+        }
+
        CdfsGetDirEntryName(DeviceExt, Record, Name);
        DPRINT ("Name '%S'\n", Name);
        DPRINT ("Sector %lu\n", DirectoryFcb->Entry.ExtentLocationL);
        DPRINT ("Offset %lu\n", Offset);

        RtlInitUnicodeString(&LongName, Name);
+        /* Was the entry degenerated? */
+        if (LongName.Length < sizeof(WCHAR))
+        {
+            DPRINT1("Found entry with invalid name!\n");
+            RtlFreeUnicodeString(&FileToFindUpcase);
+            CcUnpinData(Context);
+            return STATUS_DISK_CORRUPT_ERROR;
+        }
+
        RtlInitEmptyUnicodeString(&ShortName, ShortNameBuffer, sizeof(ShortNameBuffer));
        RtlZeroMemory(ShortNameBuffer, sizeof(ShortNameBuffer));