Displaying 3 results from an estimated 3 matches for "unknown_guid".
2014 Oct 30
4
Re: [libhivex] Undefined behavior when accessing invalid (too small) registry hives
...t through to the checksum routine, which will read out-of-bounds the first 128 bytes.
If you pass in a file truncated at 0x200, you’ll get past the checksum tests but accesses (if any) to other registry header members will be out of bounds. (I don’t think that’s the case, because that’s all unused unknown_guid stuff, though.)
After that, offsets are checked against hdr->size; from a brief glance I’m unsure but I think there might be an issue if the file is truncated after a page offset. “off < h->size” will return true, but accesses to page contents will be out-of-bounds. So I think that w...
2014 Oct 29
2
[libhivex] Undefined behavior when accessing invalid (too small) registry hives
Hello all,
I know that one of the original design goals of libhivex was to be
resilient to corrupt, invalid, or malicious registry hives. I've
encountered some undefined behavior in libhivex when attempting to open
registry files that are too small. I'm not sure if this is a known issue
per se or not, so I figured I'd ask here on the mailing list before I
jumped in and started adding
2014 Oct 30
0
Re: [libhivex] Undefined behavior when accessing invalid (too small) registry hives
... routine, which will read out-of-bounds the first 128 bytes.
>
> If you pass in a file truncated at 0x200, you’ll get past the
> checksum tests but accesses (if any) to other registry header
> members will be out of bounds. (I don’t think that’s the case,
> because that’s all unused unknown_guid stuff, though.)
So I believe it's impossible for a hive to be smaller than 8192 bytes,
since such a hive couldn't contain the header page and the first data
page (containing the root node). Hence the first attached patch
simply refuses to open such files.
> After that, offsets are che...