|
...
|
...
|
@@ -848,6 +848,18 @@ int unmew11(char *src, int off, int ssize, int dsize, uint32_t base, uint32_t va
|
|
848
|
848
|
section[i+1].raw = val;
|
|
849
|
849
|
section[i+1].rva = val + vadd;
|
|
850
|
850
|
section[i].rsz = section[i].vsz = ((i)?(val - section[i].raw):val);
|
|
|
851
|
+
|
|
|
852
|
+ /*
|
|
|
853
|
+ * bb#11212 - alternate fix, buffer is aligned
|
|
|
854
|
+ * must validate that sections do not intersect with source
|
|
|
855
|
+ * or, in other words, exceed the specified size of destination
|
|
|
856
|
+ */
|
|
|
857
|
+ if (section[i].raw + section[i].rsz > dsize) {
|
|
|
858
|
+ cli_dbgmsg("MEW: Section %i [%d, %d] exceeds destination size %d\n",
|
|
|
859
|
+ i, section[i].raw, section[i].raw+section[i].rsz, dsize);
|
|
|
860
|
+ free(section);
|
|
|
861
|
+ return -1;
|
|
|
862
|
+ }
|
|
851
|
863
|
}
|
|
852
|
864
|
i++;
|
|
853
|
865
|
|
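Review bot: The added bound check `section[i].raw + section[i].rsz > dsize` computes the sum before comparing, so it can wrap and pass if the section fields are unsigned 32-bit values (their declaration is not visible in this hunk). `dsize` is a signed `int` per the signature in the hunk header, so a negative value would also turn into a very large bound once the comparison is done in unsigned arithmetic. Comparing without the addition closes both gaps, e.g. `if (dsize < 0 || section[i].raw > (uint32_t)dsize || section[i].rsz > (uint32_t)dsize - section[i].raw) {`. The `cli_dbgmsg` call prints the same fields with `%d`, which should be `%u` if they are unsigned. The loop and the branch closed by the `}` after the check both start outside the hunk, so it cannot be confirmed from here that every section index reaches this validation.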