ntdll: Don't touch SecurityCookie when the pointer is outside of the image
nerv at dawncrow.de
Tue Jul 21 15:16:59 CDT 2015
On 21.07.2015 at 21:00, Michael Müller wrote:
> On 21.07.2015 at 20:33, André Hentschel wrote:
>> + if (loadcfg && loadcfg_size >= sizeof(*loadcfg) &&
>> + (ULONG_PTR)ptr > loadcfg->SecurityCookie &&loadcfg->SecurityCookie < (ULONG_PTR)ptr + total_size)
>> set_security_cookie((ULONG_PTR *)loadcfg->SecurityCookie);
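Review bot: the lower-bound comparison in the new condition is inverted: `(ULONG_PTR)ptr > loadcfg->SecurityCookie` holds only when the cookie address lies below the image base, so a cookie inside the image fails the check while an address below the image passes it; the bound should read `(ULONG_PTR)ptr <= loadcfg->SecurityCookie`. The upper bound also tests only the cookie's start address, so a slot whose last bytes extend past `ptr + total_size` still passes; compare `loadcfg->SecurityCookie + sizeof(ULONG_PTR) <= (ULONG_PTR)ptr + total_size` instead. Minor: a space is missing in `&&loadcfg`.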
> Your check doesn't take the size of the security cookie into account. If
> the cookie were only partially inside the image area, the check
> would still succeed although not all of the memory is writable.
> The check for the lower limit should be (<= instead of >):
> (ULONG_PTR)ptr <= loadcfg->SecurityCookie
> Is it possible to have an unmapped space between mapped sections?
> According to the NT section header it should be possible, but I am not
> sure if Wine fills this area.
Feel free to send a proper patch, you already analyzed more than I wrote ;)
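As an added example (not Wine's code; function names and sample addresses are constructed), the comparison from the quoted hunk placed beside a range check that uses an inclusive lower bound and accounts for the cookie's size, so the partially-inside case raised above is rejected:

```c
#include <stddef.h>
#include <stdint.h>
#include <stdbool.h>

/* The comparison as posted in the patch, kept for contrast.
 * `ptr` is the image base, `total_size` the mapped size. */
static bool check_as_posted(uintptr_t ptr, size_t total_size, uintptr_t cookie)
{
    /* `ptr > cookie` is true only when the cookie lies BELOW the image. */
    return ptr > cookie && cookie < ptr + total_size;
}

/* Hypothetical corrected check: true only when the whole slot of
 * `cookie_size` bytes at `cookie` lies inside [base, base + total_size). */
static bool cookie_within_image(uintptr_t base, size_t total_size,
                                uintptr_t cookie, size_t cookie_size)
{
    /* A zero address means the load config carries no cookie slot. */
    if (cookie == 0 || cookie_size == 0)
        return false;
    /* Inclusive lower bound: a slot at the first byte of the image is valid. */
    if (cookie < base)
        return false;
    /* Work with the offset so the arithmetic cannot wrap, then require
     * that the entire slot fits before the end of the mapping. */
    size_t offset = (size_t)(cookie - base);
    if (offset > total_size || cookie_size > total_size - offset)
        return false;
    return true;
}
```
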