From 414262f574bc37016d98e348c8fd66ad877f0582 Mon Sep 17 00:00:00 2001
From: Natalia Portillo
Date: Tue, 19 Jun 2018 21:35:23 +0100
Subject: [PATCH] Add several out of bounds and null protections against rogue MMC firmwares.
---
 DiscImageChef.Decoders/SCSI/Modes/Mode10.cs | 4 ++++
 DiscImageChef.Devices/Device/ScsiCommands/MMC.cs | 2 ++
 DiscImageChef/Commands/MediaInfo.cs | 9 ++++++---
 3 files changed, 12 insertions(+), 3 deletions(-)
diff --git a/DiscImageChef.Decoders/SCSI/Modes/Mode10.cs b/DiscImageChef.Decoders/SCSI/Modes/Mode10.cs
index c1dd64c5..8538dc83 100644
--- a/DiscImageChef.Decoders/SCSI/Modes/Mode10.cs
+++ b/DiscImageChef.Decoders/SCSI/Modes/Mode10.cs
@@ -64,6 +64,8 @@ namespace DiscImageChef.Decoders.SCSI
 header.BlockDescriptors = new BlockDescriptor[blockDescLength / 16];
 for(int i = 0; i < header.BlockDescriptors.Length; i++)
 {
+ if(12 + i * 16 + 8 >= modeResponse.Length) break;
+
 header.BlockDescriptors[i] = new BlockDescriptor {Density = DensityType.Default};
 byte[] temp = new byte[8];
 temp[0] = modeResponse[7 + i * 16 + 8];
@@ -86,6 +88,8 @@ namespace DiscImageChef.Decoders.SCSI
 header.BlockDescriptors = new BlockDescriptor[blockDescLength / 8];
 for(int i = 0; i < header.BlockDescriptors.Length; i++)
 {
+ if(7 + i * 8 + 8 >= modeResponse.Length) break;
+
 header.BlockDescriptors[i] = new BlockDescriptor();
 if(deviceType != PeripheralDeviceTypes.DirectAccess)
 header.BlockDescriptors[i].Density = (DensityType)modeResponse[0 + i * 8 + 8];
diff --git a/DiscImageChef.Devices/Device/ScsiCommands/MMC.cs b/DiscImageChef.Devices/Device/ScsiCommands/MMC.cs
index 8c51ecc3..af122474 100644
--- a/DiscImageChef.Devices/Device/ScsiCommands/MMC.cs
+++ b/DiscImageChef.Devices/Device/ScsiCommands/MMC.cs
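Review bot: In the first Mode10.cs hunk (`@@ -64,6 +64,8 @@`) the new guard tests offset 12 of a descriptor, but the array is sized and strided in 16-byte descriptors, so a response that ends one to three bytes past that offset still passes the check. If the rest of the loop body, which continues outside the hunk, reads up to offset 15 of the descriptor, those reads can still run past the end of a truncated response. Testing the end of the descriptor instead closes that gap: `if(8 + (i + 1) * 16 > modeResponse.Length) break;`.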
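Review bot: In the second Mode10.cs hunk (`@@ -86,6 +88,8 @@`) the `break` leaves `header.BlockDescriptors` at the length the device claimed, with every slot from `i` onward never filled in; the 16-byte loop in the first hunk behaves the same way. Callers that only test `BlockDescriptors.Length >= 1`, as the MediaInfo.cs code in this commit does before reading element 0, then see unpopulated entries (null ones if `BlockDescriptor` is a class, which is not visible here). Sizing the array from the bytes actually received avoids that, e.g. `new BlockDescriptor[Math.Min(blockDescLength, Math.Max(0, modeResponse.Length - 8)) / 8]`, with `/ 16` for the long-LBA loop. The loop body continues outside the hunk.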
@@ -400,6 +400,8 @@ namespace DiscImageChef.Devices Error = LastError != 0; uint strctLength = (uint)((tmpBuffer[0] << 8) + tmpBuffer[1] + 2); + if(strctLength > tmpBuffer.Length) strctLength = (uint)tmpBuffer.Length; + buffer = new byte[strctLength]; Array.Copy(tmpBuffer, 0, buffer, 0, buffer.Length); diff --git a/DiscImageChef/Commands/MediaInfo.cs b/DiscImageChef/Commands/MediaInfo.cs index f42fa7da..ff74c7a6 100644 --- a/DiscImageChef/Commands/MediaInfo.cs +++ b/DiscImageChef/Commands/MediaInfo.cs @@ -228,9 +228,12 @@ namespace DiscImageChef.Commands if(decMode.Value.Header.BlockDescriptors != null && decMode.Value.Header.BlockDescriptors.Length >= 1) scsiDensityCode = (byte)decMode.Value.Header.BlockDescriptors[0].Density; - containsFloppyPage = - decMode.Value.Pages.Aggregate(containsFloppyPage, - (current, modePage) => current | (modePage.Page == 0x05)); + if(decMode.Value.Pages != null) + { + containsFloppyPage = + decMode.Value.Pages.Aggregate(containsFloppyPage, + (current, modePage) => current | (modePage.Page == 0x05)); + } } switch(dev.ScsiType)
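Review bot: The clamp in the MMC.cs hunk truncates the copy silently, while bytes 0 and 1 of the returned `buffer` still carry the larger length the firmware declared. Decoders that later trust that in-band length field could index past the end of `buffer`, so the mismatch should be made visible to the caller, for example by logging it or by setting the error result when `strctLength > tmpBuffer.Length`. Within the hunk the `tmpBuffer[0]`/`tmpBuffer[1]` reads also run whether or not `Error` was just set, which deserves a comment such as `// length header is parsed even when the command failed; the clamp keeps the copy inside tmpBuffer`. The enclosing method starts and ends outside the hunk.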
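Review bot: The `Aggregate` fold kept inside the new null check in the MediaInfo.cs hunk walks every page with a non-short-circuit `|` just to answer whether any page is 0x05. `Any` states that directly and, combined with the null-conditional operator, makes the added block unnecessary: `containsFloppyPage |= decMode.Value.Pages?.Any(p => p.Page == 0x05) == true;`. The file already uses LINQ for `Aggregate`, so no new using directive is needed. The enclosing block starts outside the hunk.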