Alexandre Julliard : ntdll: Round header size to page boundary before checking it in PE header conversion.

Alexandre Julliard julliard at winehq.org
Fri Jan 25 16:29:07 CST 2019


Module: wine
Branch: master
Commit: 96eebec967ebdef720f4f4d7adbc3ea8e19264a0
URL:    https://source.winehq.org/git/wine.git/?a=commit;h=96eebec967ebdef720f4f4d7adbc3ea8e19264a0

Author: Alexandre Julliard <julliard at winehq.org>
Date:   Fri Jan 25 12:46:37 2019 +0100

ntdll: Round header size to page boundary before checking it in PE header conversion.

Signed-off-by: Alexandre Julliard <julliard at winehq.org>

---

 dlls/ntdll/loader.c | 9 +++++++--
 1 file changed, 7 insertions(+), 2 deletions(-)

diff --git a/dlls/ntdll/loader.c b/dlls/ntdll/loader.c
index 631e8bd..ecc09d3 100644
--- a/dlls/ntdll/loader.c
+++ b/dlls/ntdll/loader.c
@@ -1935,16 +1935,21 @@ static BOOL convert_to_pe64( HMODULE module, const pe_image_info_t *info )
     IMAGE_NT_HEADERS *nt = RtlImageNtHeader( module );
     SIZE_T hdr_size = min( sizeof(hdr32), nt->FileHeader.SizeOfOptionalHeader );
     IMAGE_SECTION_HEADER *sec = (IMAGE_SECTION_HEADER *)((char *)&nt->OptionalHeader + hdr_size);
-    SIZE_T size = (char *)(nt + 1) + nt->FileHeader.NumberOfSections * sizeof(*sec) - (char *)module;
+    SIZE_T size = info->header_size;
     void *addr = module;
     ULONG i, old_prot;
 
     TRACE( "%p\n", module );
 
-    if (size > info->header_size) return FALSE;
     if (NtProtectVirtualMemory( NtCurrentProcess(), &addr, &size, PAGE_READWRITE, &old_prot ))
         return FALSE;
 
+    if ((char *)module + size < (char *)(nt + 1) + nt->FileHeader.NumberOfSections * sizeof(*sec))
+    {
+        NtProtectVirtualMemory( NtCurrentProcess(), &addr, &size, old_prot, &old_prot );
+        return FALSE;
+    }
+
     memcpy( &hdr32, &nt->OptionalHeader, hdr_size );
     memcpy( &hdr64, &hdr32, offsetof( IMAGE_OPTIONAL_HEADER64, SizeOfStackReserve ));
     hdr64.Magic               = IMAGE_NT_OPTIONAL_HDR64_MAGIC;
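Review bot: The new check `if ((char *)module + size < (char *)(nt + 1) + nt->FileHeader.NumberOfSections * sizeof(*sec))` runs after NtProtectVirtualMemory has rounded `size` up to a page boundary, so a section table that ends past `info->header_size` is now accepted as long as it stays inside the last header page. That is only safe if nothing else from the image is mapped in the tail of that page. `NumberOfSections` is read from the mapped image header, and the hunk does not show whether the mapping code guarantees this for images whose first section starts before the page boundary. I would state the assumption next to the check, e.g. `/* size is page-rounded by NtProtectVirtualMemory; the remainder of the last header page is assumed to hold no section data */`. The body of convert_to_pe64 continues past the end of the hunk, so the writes that rely on this check are not shown.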



