From 05f1becfe652037937d86bb6d0c3619c98bcc8c6 Mon Sep 17 00:00:00 2001 From: Nikolaj Schlej Date: Tue, 8 Oct 2013 18:59:09 +0200 Subject: [PATCH] Version 0.2.1 Added checks for files with invalid size --- basetypes.h | 1 + ffs.cpp | 10 +++++-- uefitool.cpp | 73 ++++++++++++++++++---------------------------------- uefitool.pro | 65 +++++++++++++++++++++++----------------------- uefitool.ui | 2 +- 5 files changed, 67 insertions(+), 84 deletions(-) diff --git a/basetypes.h b/basetypes.h index cb11504..027427c 100644 --- a/basetypes.h +++ b/basetypes.h @@ -70,6 +70,7 @@ typedef uint16_t CHAR16; #define ERR_INVALID_VOLUME 11 #define ERR_VOLUME_REVISION_NOT_SUPPORTED 12 #define ERR_UNKNOWN_FFS 13 +#define ERR_INVALID_FILE 14 // EFI GUID diff --git a/ffs.cpp b/ffs.cpp index c76a8d8..38f2edc 100644 --- a/ffs.cpp +++ b/ffs.cpp @@ -17,7 +17,10 @@ const UINT8 ffsAlignmentTable[] = UINT8 calculateChecksum8(UINT8* buffer, UINT32 bufferSize) { - UINT8 counter = 0; + if(!buffer) + return 0; + + UINT8 counter = 0; while(bufferSize--) counter += buffer[bufferSize]; return ~counter + 1; @@ -25,7 +28,10 @@ UINT8 calculateChecksum8(UINT8* buffer, UINT32 bufferSize) UINT16 calculateChecksum16(UINT8* buffer, UINT32 bufferSize) { - UINT16 counter = 0; + if(!buffer) + return 0; + + UINT16 counter = 0; while(bufferSize--) counter += buffer[bufferSize]; return ~counter + 1; diff --git a/uefitool.cpp b/uefitool.cpp index f751073..18b2de1 100644 --- a/uefitool.cpp +++ b/uefitool.cpp @@ -561,6 +561,13 @@ UINT8 UEFITool::parseVolume(const QByteArray & volume, UINT32 volumeBase, UINT8 QByteArray file = volume.mid(fileIndex, uint24ToUint32(fileHeader->Size)); QByteArray header = file.left(sizeof(EFI_FFS_FILE_HEADER)); + // Check file size to at least sizeof(EFI_FFS_FILE_HEADER) + if (file.size() < sizeof(EFI_FFS_FILE_HEADER)) + { + debug(tr("File with invalid size")); + return ERR_INVALID_FILE; + } + // We are at empty space in the end of volume if (header.count(empty) == header.size()) { QByteArray body = volume.right(volume.size() - fileIndex); @@ -736,7 +743,6 @@ UINT8 UEFITool::parseFile(const QByteArray & file, UINT8 revision, bool erasePol UINT32 dataSize; QModelIndex index; UINT32 result; - bool lzmaHeaderFound; switch (sectionHeader->Type) { @@ -796,55 +802,26 @@ UINT8 UEFITool::parseFile(const QByteArray & file, UINT8 revision, bool erasePol if (LzmaGetInfo(data, dataSize, &decompressedSize) != ERR_SUCCESS || decompressedSize != compressedSectionHeader->UncompressedLength) { - // Shitty file with some data between COMPRESSED_SECTION_HEADER and LZMA_HEADER - // Search for LZMA header in body - // Header structure: UINT8 LzmaProperties | UINT32 DictionarySize | UINT64 DecompressedSize - // We can't determine first two fiels here, but Decompressed size is known, so search for it - INT32 lzmaHeaderIndex = body.indexOf(QByteArray((const char*)&compressedSectionHeader->UncompressedLength, - sizeof(compressedSectionHeader->UncompressedLength)).append('\x00').append('\x00').append('\x00').append('\x00')); - lzmaHeaderIndex -= LZMA_PROPS_SIZE; - // LZMA header not found - if (lzmaHeaderIndex < 0) - { - lzmaHeaderFound = false; - debug(tr("Lzma header not found")); - } - // LZMA header found - else if (lzmaHeaderIndex) { - data = (VOID*) (file.constData() + sectionIndex + sizeof(EFI_COMPRESSION_SECTION) + lzmaHeaderIndex); - dataSize = uint24ToUint32(sectionHeader->Size) - sizeof(EFI_COMPRESSION_SECTION) - lzmaHeaderIndex; - // Get buffer sizes again - if (LzmaGetInfo(data, dataSize, &decompressedSize) != ERR_SUCCESS - || decompressedSize != compressedSectionHeader->UncompressedLength) - { - debug(tr("LzmaGetInfo failed on LZMA header")); - lzmaHeaderFound = false; - } - else - debug(tr("Padding of size %1 between CompressedSectionHeader and LzmaHeader") - .arg(lzmaHeaderIndex)); - } - lzmaHeaderFound = true; + // Shitty file with a section header between COMPRESSED_SECTION_HEADER and LZMA_HEADER + data = (VOID*) (file.constData() + sectionIndex + sizeof(EFI_COMPRESSION_SECTION) + sizeof(EFI_COMMON_SECTION_HEADER)); + dataSize = uint24ToUint32(sectionHeader->Size) - sizeof(EFI_COMPRESSION_SECTION) - sizeof(EFI_COMMON_SECTION_HEADER); + if (LzmaGetInfo(data, dataSize, &decompressedSize) != ERR_SUCCESS) + debug(tr("LzmaGetInfo failed")); } - else - lzmaHeaderFound = true; - // Decompress if header is found - if (lzmaHeaderFound) { - decompressed = new UINT8[decompressedSize]; - // Decompress section data - if (LzmaDecompress(data, dataSize, decompressed) != ERR_SUCCESS) - debug(tr("LzmaDecompress failed")); - else - { - body = QByteArray::fromRawData((const char*) decompressed, decompressedSize); - // Parse stored file - result = parseFile(body, revision, erasePolarity, index); - if (result) - debug(tr("Compressed section with LZMA compression can not be parsed as file (%1)").arg(result)); - } + decompressed = new UINT8[decompressedSize]; + // Decompress section data + if (LzmaDecompress(data, dataSize, decompressed) != ERR_SUCCESS) + debug(tr("LzmaDecompress failed")); + else + { + body = QByteArray::fromRawData((const char*) decompressed, decompressedSize); + // Parse stored file + result = parseFile(body, revision, erasePolarity, index); + if (result) + debug(tr("Compressed section with LZMA compression can not be parsed as file (%1)").arg(result)); + } - delete[] decompressed; - } + delete[] decompressed; break; default: body = file.mid(sectionIndex + sizeof(EFI_COMPRESSION_SECTION), sectionSize - sizeof(EFI_COMPRESSION_SECTION)); diff --git a/uefitool.pro b/uefitool.pro index 2a3be6b..7a60b4b 100644 --- a/uefitool.pro +++ b/uefitool.pro @@ -1,34 +1,33 @@ -QT += core gui -greaterThan(QT_MAJOR_VERSION, 4): QT += widgets - -TARGET = UEFITool -TEMPLATE = app - -SOURCES += main.cpp \ - uefitool.cpp \ - descriptor.cpp \ - ffs.cpp \ - treeitem.cpp \ - treemodel.cpp \ - LZMA/LzmaCompress.c \ - LZMA/LzmaDecompress.c \ - LZMA/Sdk/C/LzFind.c \ - LZMA/Sdk/C/LzmaDec.c \ - LZMA/Sdk/C/LzmaEnc.c \ - Tiano/EfiTianoDecompress.c \ - Tiano/EfiCompress.c \ - Tiano/TianoCompress.c -HEADERS += uefitool.h \ - basetypes.h \ - descriptor.h \ - ffs.h \ - treeitem.h \ - treemodel.h \ - LZMA/LzmaCompress.h \ - LZMA/LzmaDecompress.h \ - Tiano/EfiTianoDecompress.h \ - Tiano/EfiTianoCompress.h -FORMS += uefitool.ui -RC_FILE = uefitool.rc +QT += core gui +greaterThan(QT_MAJOR_VERSION, 4): QT += widgets - ICON = uefitool.icns \ No newline at end of file +TARGET = UEFITool +TEMPLATE = app + +SOURCES += main.cpp \ + uefitool.cpp \ + descriptor.cpp \ + ffs.cpp \ + treeitem.cpp \ + treemodel.cpp \ + LZMA/LzmaCompress.c \ + LZMA/LzmaDecompress.c \ + LZMA/Sdk/C/LzFind.c \ + LZMA/Sdk/C/LzmaDec.c \ + LZMA/Sdk/C/LzmaEnc.c \ + Tiano/EfiTianoDecompress.c \ + Tiano/EfiCompress.c \ + Tiano/TianoCompress.c +HEADERS += uefitool.h \ + basetypes.h \ + descriptor.h \ + ffs.h \ + treeitem.h \ + treemodel.h \ + LZMA/LzmaCompress.h \ + LZMA/LzmaDecompress.h \ + Tiano/EfiTianoDecompress.h \ + Tiano/EfiTianoCompress.h +FORMS += uefitool.ui +RC_FILE = uefitool.rc +ICON = uefitool.icns \ No newline at end of file diff --git a/uefitool.ui b/uefitool.ui index 5a4007c..4343608 100644 --- a/uefitool.ui +++ b/uefitool.ui @@ -20,7 +20,7 @@ true - UEFITool 0.2.0 + UEFITool 0.2.1