Fix for OOB read in APFSJObject::add_entry #2802, #2804

[joachimmetz]

No description provided.

[joachimmetz]

@bcarrier @rcordovano PTAL

[lfcnassif]

Hi @joachimmetz. I'm testing this on some APFS images. For the 2 I've tested until now, it seems to freeze FS transversal at the very beginning, not sure if it is forever or if it became very slow at some point, I canceled the decoding after some dozens of minutes.

[joachimmetz]

any test image you can share? or test case to reproduce as part of https://github.com/dfirlabs/apfs-specimens? The thing is there are no unit tests for TSK and I use its APFS functionality VERY SPORADIC.

[lfcnassif]

Unfortunately they are real case images... I'm not experienced with C code debugging, but If you could point me some tutorial to get some thread dump/stacktrace at the freezing point, I can try to execute the procedure.

[joachimmetz]

one option is to use fls -v (with and without patches) and see where it errors and then use fsapfsinfo with debug info to see what data structures TSK might no longer be fully parsing.

I'm not experienced with C code debugging,

this highly depends on the coding style as well, TSK APFS is C++ heavy with use of templating, so hard to debug (and maintain)