From 21809d19590d6cff656e2d4ea1afbe61c373eb1f Mon Sep 17 00:00:00 2001
From: chen-jan
Date: Thu, 16 Dec 2021 07:09:28 +0000
Subject: [PATCH] fix for invalid shift
---
 Fix-for-invalid-shift-issue-1088.patch | 41 ++++++++++++++++++++++++++
 sleuthkit.spec | 6 +++-
 2 files changed, 46 insertions(+), 1 deletion(-)
 create mode 100644 Fix-for-invalid-shift-issue-1088.patch
diff --git a/Fix-for-invalid-shift-issue-1088.patch b/Fix-for-invalid-shift-issue-1088.patch
new file mode 100644
index 0000000..d7fb301
--- /dev/null
+++ b/Fix-for-invalid-shift-issue-1088.patch
@@ -0,0 +1,41 @@
+From f279cbffbdb462a85438d648d5d18790c0b2b3a0 Mon Sep 17 00:00:00 2001
+From: esaunders
+Date: Mon, 30 Dec 2019 13:17:30 -0500
+Subject: [PATCH] Fix for invalid shift issue 1088.
+
+---
+ tsk/fs/ntfs.c | 16 ++++++++++++++--
+ 1 file changed, 14 insertions(+), 2 deletions(-)
+
+diff --git a/tsk/fs/ntfs.c b/tsk/fs/ntfs.c
+index 93ce4802d..837033ea5 100755
+--- a/tsk/fs/ntfs.c
++++ b/tsk/fs/ntfs.c
+@@ -652,10 +652,22 @@ ntfs_make_data_run(NTFS_INFO * ntfs, TSK_OFF_T start_vcn,
+ if (totlen)
+ *totlen += (data_run->len * ntfs->csize_b);
+
+- /* Get the address of this run */
++ /* Get the address offset of this run.
++ * An address offset of more than eight bytes will not fit in the
++ * 64-bit addr_offset field (and is likely corrupt)
++ */
++ if (NTFS_RUNL_LENSZ(run) > 8) {
++ tsk_error_reset();
++ tsk_error_set_errno(TSK_ERR_FS_INODE_COR);
++ tsk_error_set_errstr
++ ("ntfs_make_run: Run address offset is too large to process");
++ tsk_fs_attr_run_free(*a_data_run_head);
++ *a_data_run_head = NULL;
++ return TSK_COR;
++ }
+ for (i = 0, data_run->addr = 0; i < NTFS_RUNL_OFFSZ(run); i++) {
+ //data_run->addr |= (run->buf[idx++] << (i * 8));
+- addr_offset |= (run->buf[idx++] << (i * 8));
++ addr_offset |= ((int64_t)(run->buf[idx++]) << (i * 8));
+ if (tsk_verbose)
+ tsk_fprintf(stderr,
+ "ntfs_make_data_run: Off idx: %i cur: %"
+--
+2.30.0
+
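Review bot: The added guard tests `NTFS_RUNL_LENSZ(run) > 8`, but the loop it sits in front of runs `NTFS_RUNL_OFFSZ(run)` times and both the comment and the error text speak of the address offset, so on a corrupt or crafted image an oversized offset-size field can still reach the shift with `i * 8` at 64 or more. Assuming the two macros read different fields of the run header (their definitions are outside the hunk), the check should be `if (NTFS_RUNL_OFFSZ(run) > 8) {`. The `(int64_t)` cast also lets the eighth byte shift into the sign bit, which is undefined for a signed left shift; doing the shift on a `(uint64_t)` value and converting the result afterwards would avoid that, provided addr_offset is the signed 64-bit field the comment implies. The error string says `ntfs_make_run` while the hunk header names `ntfs_make_data_run`, which makes a corruption report harder to trace back. ntfs_make_data_run begins and ends outside the hunk, so whether the run-length loop has its own bound cannot be confirmed from here.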
diff --git a/sleuthkit.spec b/sleuthkit.spec
index 4175653..535e7d5 100644
--- a/sleuthkit.spec
+++ b/sleuthkit.spec
@@ -1,6 +1,6 @@
 Name: sleuthkit
 Version: 4.6.7
-Release: 9
+Release: 10
 Summary: Tools for file system and volume forensic analysis
 License: CPL and IBM and GPLv2+
 URL: http://www.sleuthkit.org
@@ -16,6 +16,7 @@ Patch7: 0007-Fixed-OOB-reads-in-hfs_cat_traverse.patch
 Patch8: 0008-left-shift.patch
 Patch9: fix-memleak-in-ntfs.patch
 Patch10: Check-avalable-allocated-space-before-attempting-to.patch
+Patch11: Fix-for-invalid-shift-issue-1088.patch
 BuildRequires: gcc-c++ afflib-devel >= 3.3.4 libewf-devel perl-generators sqlite-devel
@@ -90,6 +91,9 @@ sed -i.rpath 's|^runpath_var=LD_RUN_PATH|runpath_var=DIE_RPATH_DIE|g' libtool
 %{_mandir}/man1/*
 %changelog
+* Thu Dec 16 2021 chenchen - 4.6.7-10
+- fix for invalid shift
+
 * Mon Dec 13 2021 xu_ping - 4.6.7-9
 - Check avalable allocated space before attempting to case to a hfs_btree_key_ext.