@@ -1,3 +1,7 @@ |
1 |
+Thu Jun 9 08:22:31 CEST 2011 (acab) |
|
2 |
+------------------------------------ |
|
3 |
+ * libclamav/mew.c: harden boundary check on e8/e9 fixup |
|
4 |
+ |
|
1 | 5 |
Wed Jun 8 14:57:40 CEST 2011 (acab) |
2 | 6 |
------------------------------------ |
3 | 7 |
* libclamav/nsis, libclamav/chmunpack.[ch], libclamav/scanners.c: |
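--- a/libclamav/mew.c
+++ b/libclamav/mew.c
@@ -656,26 +656,24 @@ int mew_lzma(char *orgsource, char *buf, uint32_t size_sum, uint32_t vma, uint32
 new_eax = var08;
 } while (new_eax < var28);
 
-if (special) {
+while(special) {
 uint32_t loc_ecx;
 /* let's fix calls */
-loc_ecx = 0;
 cli_dbgmsg("MEWlen: %08x ? %08x\n", new_edx, pushed_edx);
 
-if (!CLI_ISCONTAINED(orgsource, size_sum, pushed_esi, pushed_edx))
-return -1;
-do {
+if (pushed_edx < 5 || !CLI_ISCONTAINED(orgsource, size_sum, pushed_esi, pushed_edx))
+return 0; /* No point in full failing just because we can't fixxup the calls */
+
+for(loc_ecx = 0; loc_ecx < pushed_edx - 5; loc_ecx++) {
 /* 0xe8, 0xe9 call opcodes */
 if (pushed_esi[loc_ecx] == '\xe8' || pushed_esi[loc_ecx] == '\xe9')
 {
 char *adr = (char *)(pushed_esi + loc_ecx + 1);
-loc_ecx++;
-
-cli_writeint32(adr, EC32(CE32((uint32_t)cli_readint32(adr)))-loc_ecx);
+
+cli_writeint32(adr, EC32(CE32((uint32_t)cli_readint32(adr)))-loc_ecx-1);
 loc_ecx += 4;
-} else
-loc_ecx++;
-} while (loc_ecx != pushed_edx);
+}
+}
 return 0; /*pushed_edx;*/
 }
 } while (mainloop);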
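Review bot: `while(special) {` at new line 659 is a single-iteration loop, because every path through its body ends in `return 0;` (the containment check and the final return), so it behaves exactly like the `if (special) {` it replaces while reading as if it iterates; keep `if (special)` or add `/* body always returns: runs at most once */` above it. The new bound `loc_ecx < pushed_edx - 5` is safe now that `pushed_edx < 5` is rejected first (no unsigned underflow, and the 4-byte operand read at `pushed_esi + loc_ecx + 1` stays below `pushed_edx`), but it also skips a legitimate call opcode at offset `pushed_edx - 5` whose operand ends exactly at the last byte; if that conservatism is intended, say so in the `/* 0xe8, 0xe9 call opcodes */` comment, otherwise `loc_ecx < pushed_edx - 4` covers it. The `(char *)` cast on the `adr` line suggests `pushed_esi` may not be `char *`; if it is an unsigned byte type, the comparison with `'\xe8'`/`'\xe9'` depends on the platform's `char` signedness, which is pre-existing but worth confirming. The enclosing `mew_lzma` function begins before this hunk and its `do { ... } while (mainloop);` loop is only closed on the hunk's last line, so the `special` branch's effect on the outer loop cannot be judged from here.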