Browse code
bb#11213 - Enforce bounds checking
Shawn Webb authored on 2014/12/04 10:53:40Showing 1 changed files
| ... | ... |
@@ -239,7 +239,20 @@ static int pefromupx (const char *src, uint32_t ssize, char *dst, uint32_t *dsiz |
| 239 | 239 |
memcpy(newbuf+0xd0, pehdr,0xf8+0x28*sectcnt); |
| 240 | 240 |
sections = pehdr+0xf8; |
| 241 | 241 |
for (upd = 0; upd <sectcnt ; upd++) {
|
| 242 |
- memcpy(newbuf+cli_readint32(sections+20), dst+cli_readint32(sections+12)-upx0, cli_readint32(sections+16)); |
|
| 242 |
+ int32_t offset1, offset2, offset3; |
|
| 243 |
+ offset1 = cli_readint32(sections+20); |
|
| 244 |
+ offset2 = cli_readint32(sections+16); |
|
| 245 |
+ if (offset1 > foffset || offset2 > foffset || offset1 + offset2 > foffset) {
|
|
| 246 |
+ free(newbuf); |
|
| 247 |
+ return 1; |
|
| 248 |
+ } |
|
| 249 |
+ |
|
| 250 |
+ offset3 = cli_readint32(sections+12); |
|
| 251 |
+ if (offset3-upx0 > *dsize) {
|
|
| 252 |
+ free(newbuf); |
|
| 253 |
+ return 1; |
|
| 254 |
+ } |
|
| 255 |
+ memcpy(newbuf+offset1, dst+offset3-upx0, offset2); |
|
| 243 | 256 |
sections+=0x28; |
| 244 | 257 |
} |
| 245 | 258 |
|