From e84f1d51303606d571c4591ba4ffa4c788ab9371 Mon Sep 17 00:00:00 2001
From: bbingz
Date: Thu, 5 Mar 2026 23:28:07 +0800
Subject: [PATCH] fix: fallback key in multi-key mode + bound printf context
- decrypt_images.c: try image_keys.json lookup first, fall back to config.json single key when CT pattern not mapped (previously returned -5 immediately in multi-key mode)
- find_image_key.c: cap ASCII context printf to remaining buffer length, preventing out-of-bounds read near region end
---
 decrypt_images.c | 15 +++++++--------
 find_image_key.c | 6 ++++--
 2 files changed, 11 insertions(+), 10 deletions(-)
diff --git a/decrypt_images.c b/decrypt_images.c
index eeb55fa..3193680 100644
--- a/decrypt_images.c
+++ b/decrypt_images.c
@@ -289,12 +289,10 @@ static int decrypt_v2_file(const char *input_path, const char *output_dir,
 }
 fclose(fin);
- /* If multi-key mode: look up key by CT block 0 */
- if (!aes_key && aes_ct_size >= 16) {
- aes_key = find_key_for_ct(aes_ct);
- if (!aes_key) {
- free(aes_ct); free(raw_data); free(xor_data); return -5;
- }
+ /* Try multi-key lookup (image_keys.json) first, then fall back to provided key */
+ if (aes_ct_size >= 16) {
+ const unsigned char *mk = find_key_for_ct(aes_ct);
+ if (mk) aes_key = mk;
 }
 if (!aes_key) { free(aes_ct); free(raw_data); free(xor_data); return -5; }
@@ -409,8 +407,9 @@ static void walk_dir(const char *dir, walk_ctx *ctx) {
 if (*rel == '/') rel++;
 int xor_detected = -1;
- /* In multi-key mode, pass NULL as key — decrypt_v2_file looks it up */
- const unsigned char *key = ctx->multi_key ? NULL : ctx->fallback_key;
+ /* In multi-key mode, pass fallback_key — decrypt_v2_file tries
+ * image_keys.json lookup first, falls back to this key if provided */
+ const unsigned char *key = ctx->fallback_key;
 int ret = decrypt_v2_file(path, ctx->output_dir, rel, key,
 ctx->xor_key, ctx->auto_xor, &xor_detected);
diff --git a/find_image_key.c b/find_image_key.c
index bd8d68e..2fc4b89 100644
--- a/find_image_key.c
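Review bot: The fallback changes the failure mode silently: in multi-key mode a CT pattern with no image_keys.json entry used to return -5, while the new `if (mk) aes_key = mk;` block now decrypts it with the caller-supplied key and nothing in the hunk records that the lookup missed, so if the cipher mode is unauthenticated and the output is not validated later (not visible here) a file decrypted with the wrong key is indistinguishable from a correct one. A diagnostic at the miss would make this auditable, e.g. `if (!mk && aes_key) fprintf(stderr, "warning: %s: no image_keys.json entry, using provided key\n", input_path);` (or the file's own logging helper, if it has one). The precedence also flips for callers that pass an explicit key: the lookup now runs whenever `aes_ct_size >= 16` and its result overrides `aes_key`, so a loaded key map silently wins over a key passed on purpose; if that is intended, say so in the comment, `/* a mapped key takes precedence over the provided key */`. decrypt_v2_file begins before this hunk and its cleanup path continues after it.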
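Review bot: The new comment still reads `In multi-key mode, pass fallback_key`, but the assignment `const unsigned char *key = ctx->fallback_key;` is unconditional, so the `ctx->multi_key` distinction the removed line made no longer exists in this hunk; if this was its only consumer the flag is now dead, which cannot be confirmed from here. The `key` local is now a plain alias and can be dropped in favour of passing `ctx->fallback_key` directly, with a comment that states the contract rather than the mode: `/* decrypt_v2_file tries the image_keys.json lookup first and uses fallback_key only when no entry matches; if fallback_key is NULL an unmapped file fails with -5 */`. The walk_dir loop body continues past the end of the hunk, including where `ret` is checked.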
+++ b/find_image_key.c
@@ -470,8 +470,10 @@ static int scan_pid(pid_t pid) {
 printf("\n *** FOUND KEY: %s ***\n", kh);
 printf(" Pattern: %s (%d files)\n", ch, patterns[idx].file_count);
- printf(" ASCII context: %.32s\n",
- buf + run_start);
+ int ctx_len = data_cnt - run_start;
+ if (ctx_len > 32) ctx_len = 32;
+ printf(" ASCII context: %.*s\n",
+ ctx_len, buf + run_start);
 found_this_pid++;
 /* Rebuild */
 n_unsolved = 0;
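Review bot: The clamp `if (ctx_len > 32) ctx_len = 32;` bounds only the upper side; if `data_cnt - run_start` is ever negative (or a wide unsigned difference narrowed into `int`), a negative precision makes `%.*s` behave as if no precision were given and the read runs to the next NUL, which is exactly the overrun this hunk is meant to stop. The types of `data_cnt` and `run_start` are outside the hunk, so whether that can happen is not verifiable here, but a lower clamp is cheap insurance. Separately, these bytes come from another process's memory and go straight to the terminal: the run presumably guarantees printable ASCII only up to its own end, and the 32-byte window can extend past it, so masking non-printable bytes avoids echoing control sequences (needs `<ctype.h>` if not already included). scan_pid begins before the hunk and continues after it.
```c
    int ctx_len = data_cnt - run_start;
    if (ctx_len < 0) ctx_len = 0;       /* a negative %.*s precision means "unbounded" */
    if (ctx_len > 32) ctx_len = 32;
    printf(" ASCII context: ");
    for (int i = 0; i < ctx_len; i++) {
        unsigned char c = (unsigned char)buf[run_start + i];
        putchar(isprint(c) ? c : '.');  /* raw process memory: never echo control bytes */
    }
    putchar('\n');
    /* … unchanged: found_this_pid++, rebuild … */
```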