PATCH: fixed buffer overflow on bad .exes

Marcus Meissner marcus at jet.franken.de
Mon Oct 31 10:38:19 CST 2005


Hi,

This problem is exhibited by "UPack", an exe compressor.

http://bugs.winehq.org/show_bug.cgi?id=3702

We should definitely not overflow the buffer.

Ciao, Marcus

Changelog:
	Do not overflow the stackbased "nt" struct when reading
	non-conforming PE files.
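
As an added illustration of the clamp this changelog describes (example code written for this page, not Wine's server/mapping.c), the function below reads a PE file header and optional header into a fixed-size stack struct from a constructed in-memory image, bounding the read by the struct size exactly as the patch does; the cut-down structure layouts and the mem_pread() stand-in for pread() are simplifying assumptions.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Cut-down stand-ins for IMAGE_FILE_HEADER / IMAGE_OPTIONAL_HEADER, constructed
   for this example: the real structures are larger, the clamp logic is the same. */
typedef struct {
    uint16_t Machine, NumberOfSections;
    uint32_t TimeDateStamp, PointerToSymbolTable, NumberOfSymbols;
    uint16_t SizeOfOptionalHeader, Characteristics;      /* 20 bytes, no padding */
} FileHeader;
typedef struct { uint16_t Magic; uint8_t body[22]; } OptionalHeader;  /* 24 bytes */
typedef struct { FileHeader FileHeader; OptionalHeader OptionalHeader; } NtHeaders;

/* In-memory stand-in for pread(): copy up to len bytes from file f at pos. */
static size_t mem_pread(const uint8_t *f, size_t flen, void *dst, size_t len, size_t pos)
{
    if (pos > flen) return 0;
    if (len > flen - pos) len = flen - pos;
    memcpy(dst, f + pos, len);
    return len;
}
/* Read the file header, then the optional header, into the fixed-size nt.
   Returns optional-header bytes copied, or -1 on a short read. The clamp is the
   fix: SizeOfOptionalHeader is untrusted file data, not a safe write length. */
int load_nt_headers(const uint8_t *f, size_t flen, size_t pos, NtHeaders *nt)
{
    size_t toread;
    if (mem_pread(f, flen, &nt->FileHeader, sizeof(nt->FileHeader), pos)
            != sizeof(nt->FileHeader)) return -1;
    pos += sizeof(nt->FileHeader);
    memset(&nt->OptionalHeader, 0, sizeof(nt->OptionalHeader)); /* absent/partial case */
    toread = nt->FileHeader.SizeOfOptionalHeader;
    if (toread > sizeof(nt->OptionalHeader)) toread = sizeof(nt->OptionalHeader);
    if (mem_pread(f, flen, &nt->OptionalHeader, toread, pos) != toread) return -1;
    return (int)toread;
}
/* Constructed image: a file header claiming 'claimed' optional-header bytes plus
   that much filler, with 'cut' bytes dropped from the end to simulate truncation. */
int scenario(uint16_t claimed, size_t cut)
{
    static uint8_t buf[4096];
    FileHeader fh = {0};
    NtHeaders nt;
    size_t n = sizeof(fh) + claimed;
    if (n > sizeof(buf) || cut > n) return -2;
    fh.SizeOfOptionalHeader = claimed;
    memset(buf, 0x41, n);                /* filler standing in for header bytes */
    memcpy(buf, &fh, sizeof(fh));
    return load_nt_headers(buf, n - cut, 0, &nt);
}
```

scenario(1000, 0) models the non-conforming file: the header claims 1000 optional-header bytes but only the 24 that fit the struct are copied, while scenario(8, 4) shows a truncated file being rejected as a short read.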

Index: server/mapping.c
===================================================================
RCS file: /home/wine/wine/server/mapping.c,v
retrieving revision 1.58
diff -u -r1.58 mapping.c
--- server/mapping.c	29 Oct 2005 12:38:23 -0000	1.58
+++ server/mapping.c	31 Oct 2005 16:34:22 -0000
@@ -206,7 +206,7 @@
     IMAGE_SECTION_HEADER *sec = NULL;
     struct fd *fd;
     off_t pos;
-    int unix_fd, size;
+    int unix_fd, size, toread;
 
     /* load the headers */
 
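Review bot: `toread` is introduced as a signed `int` at `+    int unix_fd, size, toread;`, but the second hunk compares it against `sizeof(nt.OptionalHeader)`, a `size_t`, so this declaration draws a signed/unsigned comparison warning under -Wsign-compare; the value it holds comes from the WORD `SizeOfOptionalHeader` and can never be negative, so `size_t toread` (or `unsigned int`) matches its use and avoids the warning without changing behaviour.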
@@ -225,8 +225,12 @@
     pos += sizeof(nt.FileHeader);
     /* zero out Optional header in the case it's not present or partial */
     memset(&nt.OptionalHeader, 0, sizeof(nt.OptionalHeader));
-    if (pread( unix_fd, &nt.OptionalHeader, nt.FileHeader.SizeOfOptionalHeader,
-               pos ) != nt.FileHeader.SizeOfOptionalHeader) goto error;
+
+    toread = nt.FileHeader.SizeOfOptionalHeader;
+    if (toread > sizeof(nt.OptionalHeader))
+        toread = sizeof(nt.OptionalHeader);
+    if (pread( unix_fd, &nt.OptionalHeader, toread, pos ) != toread)
+        goto error;
     pos += nt.FileHeader.SizeOfOptionalHeader;
 
     /* load the section headers */
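Review bot: the clamp `if (toread > sizeof(nt.OptionalHeader))` deserves a one-line comment, because the existing comment above the memset only explains the short or absent optional-header case while this block guards the opposite one, an oversized `SizeOfOptionalHeader` that would otherwise drive `pread` past the end of the stack-based `nt`; something like `/* clamp so a bogus SizeOfOptionalHeader cannot overflow nt */` would document why the two values may differ. Keeping `pos += nt.FileHeader.SizeOfOptionalHeader;` at the declared, unclamped size is correct, since the section headers follow at the offset the file header claims and the unread tail of an oversized optional header is simply skipped.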


