Extended VBLKs (those larger than the preset VBLK size) are divided
into fragments, each with its own VBLK header. Our LDM implementation
generally assumes that each VBLK is contiguous in memory, so these
fragments must be assembled before further processing.
Currently the reassembly seems to be done quite wrongly - no VBLK
header is copied into the contiguous buffer, and the length of the
header is subtracted twice from each fragment. Also the total
length of the reassembled VBLK is calculated incorrectly.
Signed-off-by: Ben Hutchings <[hidden email]>
This is purely based on a little code review after seeing the patch for
CVE-2011-1017, and a quick look at the reverse-engineered documentation
of LDM. I have no test case for it, but I suspect that you can force
Windows to create an extended VBLK by giving a partition a very long