ntdll: Don't touch SecurityCookie when the pointer is outside of the image
Michael Müller
michael at fds-team.de
Tue Jul 21 14:00:10 CDT 2015
Am 21.07.2015 um 20:33 schrieb André Hentschel:
> + if (loadcfg && loadcfg_size >= sizeof(*loadcfg) &&
> + (ULONG_PTR)ptr > loadcfg->SecurityCookie &&loadcfg->SecurityCookie < (ULONG_PTR)ptr + total_size)
> set_security_cookie((ULONG_PTR *)loadcfg->SecurityCookie);
Your check doesn't take the size of the security cookie into account. If
the cookie would only be partially inside of the image area, the check
would still succeed although not all memory is writable.
The check for the lower limit should be (<= instead of >):
(ULONG_PTR)ptr <= loadcfg->SecurityCookie
Is it possible to have an unmapped space between mapped sections?
According to the NT section header it should be possible, but I am not
sure if Wine fills this area.
More information about the wine-devel
mailing list