From 9d2cc3ca0a1612a6b271abcacffc2e3eea42925e Mon Sep 17 00:00:00 2001
From: Joachim Metz
Date: Sat, 17 Mar 2018 08:35:13 +0100
Subject: [PATCH] Applied updates and addition boundary checks for corrupted data
---
 configure.ac | 14 +++----
 libevt.nuspec | 4 +-
 libevt/libevt_libfvalue.h | 1 +
 libevt/libevt_record_values.c | 35 ++++++++++++++++-
 m4/libcdata.m4 | 44 ++++++++++++++++++++-
 m4/libcsplit.m4 | 4 +-
 m4/libfdata.m4 | 73 ++++++++++++++++++++++++++++++++++-
 runtests.sh | 23 ++++++++++-
 8 files changed, 182 insertions(+), 16 deletions(-)
diff --git a/libevt/libevt_libfvalue.h b/libevt/libevt_libfvalue.h
index fb914f4..4dc9a4e 100644
--- a/libevt/libevt_libfvalue.h
+++ b/libevt/libevt_libfvalue.h
@@ -29,6 +29,7 @@ #if defined( HAVE_LOCAL_LIBFVALUE ) #include +#include #include #include #include
diff --git a/libevt/libevt_record_values.c b/libevt/libevt_record_values.c
index 879dff2..c8f46a3 100644
--- a/libevt/libevt_record_values.c
+++ b/libevt/libevt_record_values.c
@@ -1157,6 +1157,17 @@ int libevt_record_values_read_event(
 }
 if( user_sid_size != 0 )
 {
+ if( user_sid_size > ( ( record_data_size - 4 ) - user_sid_offset ) )
+ {
+ libcerror_error_set(
+ error,
+ LIBCERROR_ERROR_DOMAIN_RUNTIME,
+ LIBCERROR_RUNTIME_ERROR_VALUE_OUT_OF_BOUNDS,
+ "%s: user SID data size value out of bounds.",
+ function );
+
+ goto on_error;
+ }
 if( libfvalue_value_type_initialize(
 &( record_values->user_security_identifier ),
 LIBFVALUE_VALUE_TYPE_NT_SECURITY_IDENTIFIER,
@@ -1218,6 +1229,17 @@ int libevt_record_values_read_event(
 }
 if( strings_size != 0 )
 {
+ if( strings_size > ( ( record_data_size - 4 ) - strings_offset ) )
+ {
+ libcerror_error_set(
+ error,
+ LIBCERROR_ERROR_DOMAIN_RUNTIME,
+ LIBCERROR_RUNTIME_ERROR_VALUE_OUT_OF_BOUNDS,
+ "%s: strings size value out of bounds.",
+ function );
+
+ goto on_error;
+ }
 #if defined( HAVE_DEBUG_OUTPUT )
 if( libcnotify_verbose != 0 )
 {
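Review bot: The size check added in the `user_sid_size != 0` block evaluates `( record_data_size - 4 ) - user_sid_offset` without bounding the offset in the lines shown. If these variables are unsigned and `user_sid_offset` is larger than `record_data_size - 4` (or `record_data_size` is below 4), the subtraction wraps to a huge value and a corrupted record passes the check. Unless an earlier check outside the hunk already guarantees the offset, test it first, e.g. `if( ( user_sid_offset > ( record_data_size - 4 ) ) || ( user_sid_size > ( ( record_data_size - 4 ) - user_sid_offset ) ) )`. The `strings_size` check in the next hunk and the `data_size` check at -1285 have the same shape. The function starts and ends outside these hunks, so the variable types and any prior validation are not visible here.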
@@ -1285,6 +1307,17 @@ int libevt_record_values_read_event(
 }
 if( data_size != 0 )
 {
+ if( data_size > ( ( record_data_size - 4 ) - record_data_offset ) )
+ {
+ libcerror_error_set(
+ error,
+ LIBCERROR_ERROR_DOMAIN_RUNTIME,
+ LIBCERROR_RUNTIME_ERROR_VALUE_OUT_OF_BOUNDS,
+ "%s: data size value out of bounds.",
+ function );
+
+ goto on_error;
+ }
 #if defined( HAVE_DEBUG_OUTPUT )
 if( libcnotify_verbose != 0 )
 {
@@ -1292,7 +1325,7 @@ int libevt_record_values_read_event(
 "%s: data:\n",
 function );
 libcnotify_print_data(
- &( record_data[ data_offset ] ),
+ &( record_data[ record_data_offset ] ),
 (size_t) data_size,
 LIBCNOTIFY_PRINT_DATA_FLAG_GROUP_DATA );
 }
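Review bot: The `data_size` bound is computed from `record_data_offset`, while the removed debug line shows that a separate `data_offset` was used as an index into `record_data` until this commit. If the code that consumes the data after this block (outside the hunk) still reads at `data_offset`, that read is not covered by the new check, so it is worth confirming that every access in this block uses `record_data_offset`. A short comment above the check, such as `/* data is read at record_data_offset, the same base the bounds check uses */`, would make the intended invariant explicit. The relationship between `data_offset` and `record_data_offset` is established outside the visible lines, so this is a point to verify rather than a confirmed defect.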