[Bug 50075] New: GetFileVersionInfoSizeW can read from unallocated memory

WineHQ Bugzilla wine-bugs at winehq.org
Thu Oct 29 04:07:55 CDT 2020


https://bugs.winehq.org/show_bug.cgi?id=50075

            Bug ID: 50075
           Summary: GetFileVersionInfoSizeW can read from unallocated
                    memory
           Product: Wine
           Version: 5.20
          Hardware: x86-64
                OS: Linux
            Status: UNCONFIRMED
          Severity: normal
          Priority: P2
         Component: version
          Assignee: wine-bugs at winehq.org
          Reporter: ahiler at codeweavers.com
      Distribution: ---

Original bug: https://github.com/ValveSoftware/Proton/issues/4308

Crown Trick (game) comes with Assembly-CSharp.dll (generated by Unity engine)
that is most likely just encrypted[0] or straight-up corrupted. The game calls
GetFileVersionInfoSizeW() on that .dll, during which it crashes.

Wine's GetFileVersionInfoSizeW() checks the PE header for the RVA and size of
the Resource Table.

Then a HeapAlloc(size) happens and the data is read into the allocated memory.

After that, when looking for the version entry, find_entry_by_id() naively
trusts NumberOfNamedEntries and NumberOfIdEntries residing in the resource
table, which in the encrypted/corrupted form add up to 20k+ entries. This
results in an attempt to dereference something way past the size of the Resource
Table (0x400) and causes a page fault.

I have a tentative patch (will send it soon, after a bit more testing) that
makes sure we are not trying to read entries past the allocated area. With this
the game starts and works just fine.

[0]: https://github.com/yangyuan/hearthrock/issues/13

-- 
Do not reply to this email, post in Bugzilla using the
above URL to reply.
You are receiving this mail because:
You are watching all bug changes.
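The failure mode the report describes, as an added example that is not Wine's code and not the reporter's patch (which is not on this page): a resource-directory lookup that trusts NumberOfNamedEntries/NumberOfIdEntries next to one that checks every read against the size of the buffer the table was copied into. The struct layouts are the documented PE ones; the function names find_entry_unchecked/find_entry_checked, the 0x400 table size taken from the report, and the two sample tables (one well-formed, one with entry counts that add up to 22639) are constructed for this example.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdlib.h>
#include <string.h>
#include <stdio.h>

/* On-disk PE resource directory layout (winnt.h): 16-byte header followed by
   8-byte entries, named entries first, then id entries. */
typedef struct {
    uint32_t Characteristics;
    uint32_t TimeDateStamp;
    uint16_t MajorVersion;
    uint16_t MinorVersion;
    uint16_t NumberOfNamedEntries;
    uint16_t NumberOfIdEntries;
} RES_DIR;

typedef struct {
    uint32_t Name;          /* resource id, or high bit set + offset to a name string */
    uint32_t OffsetToData;  /* high bit set = offset of a subdirectory */
} RES_DIR_ENTRY;

#define RT_VERSION   16u
#define SUBDIR_FLAG  0x80000000u
#define TABLE_SIZE   0x400u     /* resource table size quoted in the report */

enum { RES_FOUND = 0, RES_NOT_FOUND = 1, RES_MALFORMED = -1 };

/* Lookup in the style the report describes: the entry counts in the directory
   header decide how far the loop reads, with no reference to the buffer size.
   With corrupted counts this walks far past the allocation. Only ever call it
   on a table you already know to be well formed. */
static const RES_DIR_ENTRY *find_entry_unchecked(const uint8_t *root,
                                                 uint32_t dir_off, uint32_t id)
{
    const RES_DIR *dir = (const RES_DIR *)(root + dir_off);
    const RES_DIR_ENTRY *e = (const RES_DIR_ENTRY *)(dir + 1);
    uint32_t total = (uint32_t)dir->NumberOfNamedEntries + dir->NumberOfIdEntries;
    for (uint32_t i = dir->NumberOfNamedEntries; i < total; i++)
        if (e[i].Name == id) return &e[i];
    return NULL;
}

/* Bounds-checked lookup: the header, the full entry array implied by the two
   counts, and any subdirectory offset it returns must lie inside [root, root+size). */
static int find_entry_checked(const uint8_t *root, uint32_t size,
                              uint32_t dir_off, uint32_t id, uint32_t *out_off)
{
    RES_DIR dir;
    if (dir_off > size || size - dir_off < sizeof dir) return RES_MALFORMED;
    memcpy(&dir, root + dir_off, sizeof dir);

    /* Two uint16 counts sum to at most 0x1FFFE, so no overflow here. */
    uint32_t total = (uint32_t)dir.NumberOfNamedEntries + dir.NumberOfIdEntries;
    uint32_t entries_off = dir_off + (uint32_t)sizeof dir;
    /* Divide rather than multiply so a huge count cannot wrap the comparison. */
    if ((size - entries_off) / sizeof(RES_DIR_ENTRY) < total) return RES_MALFORMED;

    for (uint32_t i = dir.NumberOfNamedEntries; i < total; i++) {
        RES_DIR_ENTRY e;
        memcpy(&e, root + entries_off + i * sizeof e, sizeof e);
        if (e.Name != id) continue;
        /* A subdirectory pointer that leaves the table is just as bad as a bad count. */
        if ((e.OffsetToData & SUBDIR_FLAG) && (e.OffsetToData & ~SUBDIR_FLAG) >= size)
            return RES_MALFORMED;
        *out_off = e.OffsetToData;
        return RES_FOUND;
    }
    return RES_NOT_FOUND;
}

/* Constructed sample table (not from any real binary): a zeroed TABLE_SIZE
   buffer whose root directory carries the given counts and whose first entry
   is RT_VERSION pointing at a subdirectory at offset 0x18. Caller frees. */
static uint8_t *build_table(uint16_t named, uint16_t ids)
{
    uint8_t *t = calloc(1, TABLE_SIZE);
    RES_DIR dir = { 0, 0, 4, 0, named, ids };
    RES_DIR_ENTRY e = { RT_VERSION, SUBDIR_FLAG | 0x18u };
    memcpy(t, &dir, sizeof dir);
    memcpy(t + sizeof dir, &e, sizeof e);
    return t;
}

int main(void)
{
    uint32_t off;
    uint8_t *good = build_table(0, 1);
    uint8_t *bad  = build_table(0x2a13, 0x2e5c);   /* 10771 + 11868 = 22639 entries */
    printf("well-formed: %d (offset 0x%x)\n",
           find_entry_checked(good, TABLE_SIZE, 0, RT_VERSION, &off), off);
    printf("corrupted counts: %d\n",
           find_entry_checked(bad, TABLE_SIZE, 0, RT_VERSION, &off));
    free(good);
    free(bad);
    return 0;
}
```

The divide-based check is the important line: with total up to 0x1FFFE and 8-byte entries a multiplication still fits in 32 bits, but the same pattern with a 32-bit count (as in other PE tables) would wrap, so the example keeps the shape that is safe in both cases. A table of exactly (0x400 - 16) / 8 = 126 entries is accepted; 127 is rejected.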