PhotoRec: add boundary checking for gz, jpg and pdf

3 files changed, 21 insertions, 16 deletions

diff --git a/src/file_gz.c b/src/file_gz.c
index 46fa5730..a4155f36 100644
--- a/src/file_gz.c
+++ b/src/file_gz.c
@@ -96,11 +96,11 @@ static int header_check_gz(const unsigned char *buffer, const unsigned int buffe
     }
     if((flags&GZ_FNAME)!=0)
     {
-      while(buffer[off++]!='\0');
+      while(off<buffer_size && buffer[off++]!='\0');
     }
     if((flags&GZ_FCOMMENT)!=0)
     {
-      while(buffer[off++]!='\0');
+      while(off<buffer_size && buffer[off++]!='\0');
     }
     if((flags&GZ_FHCRC)!=0)
     {
@@ -130,7 +130,11 @@ static int header_check_gz(const unsigned char *buffer, const unsigned int buffe
 	err = inflate(&d_stream, Z_NO_FLUSH);
 	if (err == Z_STREAM_END) break;
 	if(err!=Z_OK)
+	{
+	  /* Decompression has failed, free ressources */
+	  inflateEnd(&d_stream);
 	  return 0;
+	}
       }
       err = inflateEnd(&d_stream);
       if(err!=Z_OK)
diff --git a/src/file_jpg.c b/src/file_jpg.c
index 7c928f2a..70f130c9 100644
--- a/src/file_jpg.c
+++ b/src/file_jpg.c
@@ -84,7 +84,7 @@ static int header_check_jpg(const unsigned char *buffer, const unsigned int buff
     file_recovery_new->extension=file_hint_jpg.extension;
     file_recovery_new->data_check=NULL;
     file_recovery_new->file_check=&file_check_jpg;
-    do
+    while(i<6*512 && i+4<buffer_size)
     {
       if(buffer[i]==0xff && buffer[i+1]==0xe0)
       { /* APP0 */
@@ -110,7 +110,7 @@ static int header_check_jpg(const unsigned char *buffer, const unsigned int buff
 	file_recovery_new->min_filesize=288;
 	return 1;
       }
-    } while(i<6*512 && i<buffer_size);
+    }
     file_recovery_new->min_filesize=i;
     return 1;
   }
diff --git a/src/file_pdf.c b/src/file_pdf.c
index 90d7d56c..ef828aee 100644
--- a/src/file_pdf.c
+++ b/src/file_pdf.c
@@ -59,33 +59,34 @@ static int header_check_pdf(const unsigned char *buffer, const unsigned int buff
   {
     const unsigned char sig_illustrator[11]={'I','l','l','u','s','t','r','a','t','o','r'};
     const unsigned char sig_linearized[10]={'L','i','n','e','a','r','i','z','e','d'};
-    const unsigned char *linearized;
+    const unsigned char *src;
     reset_file_recovery(file_recovery_new);
     if(td_memmem(buffer, 512, sig_illustrator,sizeof(sig_illustrator)) != NULL)
       file_recovery_new->extension="ai";
     else
       file_recovery_new->extension=file_hint_pdf.extension;
-    if((linearized=(const unsigned char *)td_memmem(buffer, 512, sig_linearized, sizeof(sig_linearized))) != NULL)
+    if((src=(const unsigned char *)td_memmem(buffer, 512, sig_linearized, sizeof(sig_linearized))) != NULL)
     {
-      linearized+=sizeof(sig_linearized);
-      while(*linearized!='>' && linearized<=buffer+512)
+      src+=sizeof(sig_linearized);
+      for(; src<=buffer+512 && *src!='>'; src++)
       {
-	if(*linearized=='/' && *(linearized+1)=='L')
+	if(*src=='/' && *(src+1)=='L')
 	{
-	  linearized+=2;
-	  while(*linearized==' ' || *linearized=='\t' || *linearized=='\n' || *linearized=='\r')
-	    linearized++;
+	  src+=2;
+	  while(src<buffer+512 &&
+	      (*src==' ' || *src=='\t' || *src=='\n' || *src=='\r'))
+	    src++;
 	  file_recovery_new->calculated_file_size=0;
-	  while(*linearized>='0' && *linearized<='9' && linearized<=buffer+512)
+	  while(src<buffer+512 &&
+	      *src>='0' && *src<='9')
 	  {
-	    file_recovery_new->calculated_file_size=file_recovery_new->calculated_file_size*10+(*linearized)-'0';
-	    linearized++;
+	    file_recovery_new->calculated_file_size=file_recovery_new->calculated_file_size*10+(*src)-'0';
+	    src++;
 	  }
 	  file_recovery_new->data_check=&data_check_size;
 	  file_recovery_new->file_check=&file_check_pdf_and_size;
 	  return 1;
 	}
-	linearized++;
       }
     }
     file_recovery_new->file_check=&file_check_pdf;