[Libguestfs] [hivex PATCH 4/5] hivex_value_multiple_strings: Don't read uninitialized data.

Richard W.M. Jones rjones at redhat.com
Wed Apr 13 13:18:32 UTC 2011


-- 
Richard Jones, Virtualization Group, Red Hat http://people.redhat.com/~rjones
New in Fedora 11: Fedora Windows cross-compiler. Compile Windows
programs, test, and build Windows installers. Over 70 libraries supprt'd
http://fedoraproject.org/wiki/MinGW http://www.annexia.org/fedora_mingw
From 53056244696385299fe0d298bd25053dd7c07dc0 Mon Sep 17 00:00:00 2001
From: Richard W.M. Jones <rjones at redhat.com>
Date: Wed, 13 Apr 2011 14:01:03 +0100
Subject: [PATCH 4/5] hivex_value_multiple_strings: Don't read uninitialized data.

If hivex_value_multiple_strings was given a value which had an odd
length or if the data in the value was unterminated,
hivex_value_multiple_strings could read uninitialized data.

Potentially (although very unlikely) this could cause a
non-exploitable segfault in the calling program.
---
 lib/hivex.c |    3 ++-
 1 files changed, 2 insertions(+), 1 deletions(-)

diff --git a/lib/hivex.c b/lib/hivex.c
index 71ea5c3..d2ab23d 100644
--- a/lib/hivex.c
+++ b/lib/hivex.c
@@ -1421,7 +1421,8 @@ hivex_value_multiple_strings (hive_h *h, hive_value_h value)
   char *p = data;
   size_t plen;
 
-  while (p < data + len && (plen = utf16_string_len_in_bytes (p)) > 0) {
+  while (p < data + len &&
+         (plen = utf16_string_len_in_bytes_max (p, data + len - p)) > 0) {
     nr_strings++;
     char **ret2 = realloc (ret, (1 + nr_strings) * sizeof (char *));
     if (ret2 == NULL) {
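Review bot: the remaining-byte count `data + len - p` passed to utf16_string_len_in_bytes_max is only meaningful while `p < data + len` holds, and that is guaranteed solely by the first operand of the `&&` in the rewritten loop condition; the order of the two operands is therefore load-bearing and should not be swapped in later edits. The helper itself is not defined in this hunk, so how it treats an odd number of remaining bytes (the case the commit message names) can only be checked against the earlier patch in the series that introduces it; a regression test feeding hivex_value_multiple_strings a value with an odd byte length and one whose data lacks the terminating NUL would document that both cases now stop at `data + len`.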
-- 
1.7.4.1
