hivex_value_multiple_strings: Don't read uninitialized data.

If hivex_value_multiple_strings was given a value which had an odd
length or if the data in the value was unterminated,
hivex_value_multiple_strings could read uninitialized data.

Potentially (although very unlikely) this could cause a
non-exploitable segfault in the calling program.

diff --git a/lib/hivex.c b/lib/hivex.c
index 71ea5c3..d2ab23d 100644 (file)
--- a/lib/hivex.c
+++ b/lib/hivex.c
@@ -1421,7 +1421,8 @@ hivex_value_multiple_strings (hive_h *h, hive_value_h value)
   char *p = data;
   size_t plen;
 
-  while (p < data + len && (plen = utf16_string_len_in_bytes (p)) > 0) {
+  while (p < data + len &&
+         (plen = utf16_string_len_in_bytes_max (p, data + len - p)) > 0) {
     nr_strings++;
     char **ret2 = realloc (ret, (1 + nr_strings) * sizeof (char *));
     if (ret2 == NULL) {