From d53862310f37c10a77b9d891564a4a3051a695b8 Mon Sep 17 00:00:00 2001
From: Daniel Roethlisberger
Date: Sat, 3 May 2025 14:00:57 +0200
Subject: [PATCH] Avoid reading header fields outside of the bounds of the header

Use mappingOffset as an upper bound for the header size, and avoid reading any header fields from beyond that offset.
---
 view/sharedcache/core/SharedCacheView.cpp | 16 +++++++++++++---
 1 file changed, 13 insertions(+), 3 deletions(-)

diff --git a/view/sharedcache/core/SharedCacheView.cpp b/view/sharedcache/core/SharedCacheView.cpp
index 77f6e63392..52b6417312 100644
--- a/view/sharedcache/core/SharedCacheView.cpp
+++ b/view/sharedcache/core/SharedCacheView.cpp
@@ -175,9 +175,6 @@ bool SharedCacheView::Init()
 	m_logger = new Logger("SharedCache.View", GetFile()->GetSessionId());
 
-	uint32_t platform;
-	// NOTE: This entry only exists on ios 11 and later, older versions will just assume iOS.
-	GetParentView()->Read(&platform, 0xd8, 4);
 
 	char magic[17];
 	GetParentView()->Read(&magic, 0, 16);
 	magic[16] = 0;
@@ -197,6 +194,19 @@ bool SharedCacheView::Init()
 		return false;
 	}
 
+	// Use the value of mappingOffset as an upper bound for the size of the
+	// header to avoid misinterpreting bytes outside of the header.
+	uint32_t mappingOffset;
+	GetParentView()->Read(&mappingOffset, 0x10, 4);
+
+	uint32_t platform;
+	if (mappingOffset >= 0xd8 + 4) {
+		GetParentView()->Read(&platform, 0xd8, 4);
+	} else {
+		m_logger->LogWarn("Old header without platform field: Defaulting to iOS");
+		platform = DSCPlatformiOS;
+	}
+
 	// TODO: Do we want to add any warnings about platform support here?
 	// TODO: Do we still consider macos experimental?
 	switch (platform)
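Review bot: In the second hunk `mappingOffset` is used as the bound right after `GetParentView()->Read(&mappingOffset, 0x10, 4)` without checking how many bytes the read actually returned, so a truncated or deliberately short cache file leaves it uninitialized and the `if (mappingOffset >= 0xd8 + 4)` comparison reads indeterminate data; `platform` has the same gap after the read at 0xd8, since a header whose mappingOffset claims a large size does not guarantee the file extends to 0xdc. The cheapest fix is to initialize both at declaration, `uint32_t mappingOffset = 0;` and `uint32_t platform = DSCPlatformiOS;`, so a short read degrades to the existing "old header" warning path; if Read reports the byte count (I believe the BinaryView API does), checking it `!= 4` and taking the warning branch would be more explicit. Worth noting in a comment that mappingOffset itself is untrusted input from the file, so it only bounds which fields are consulted and must not be treated as a validated header length elsewhere. Init() continues past the end of the hunk.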