
Fixed heap corruption in wwunpack.c

Ryan Pentney authored on 2013/02/15 20:10:50
Showing 1 changed files
... ...
@@ -223,12 +223,22 @@ int wwunpack(uint8_t *exe, uint32_t exesz, uint8_t *wwsect, struct cli_exe_secti
223 223
 
224 224
     structs = &exe[(0xffff&cli_readint32(&exe[pe+0x14]))+pe+0x18];
225 225
     for(i=0 ; i<scount ; i++) {
226
+	  if (!CLI_ISCONTAINED(exe, exesz, structs, 0x28)) {
227
+	    cli_dbgmsg("WWPack: structs pointer out of bounds\n");
228
+	    return 1;
229
+	  }
230
+
226 231
       cli_writeint32(structs+8, sects[i].vsz);
227 232
       cli_writeint32(structs+12, sects[i].rva);
228 233
       cli_writeint32(structs+16, sects[i].vsz);
229 234
       cli_writeint32(structs+20, sects[i].rva);
230 235
       structs+=0x28;
231 236
     }
237
+	if (!CLI_ISCONTAINED(exe, exesz, structs, 0x28)) {
238
+	  cli_dbgmsg("WWPack: structs pointer out of bounds\n");
239
+	  return 1;
240
+	}
241
+
232 242
     memset(structs, 0, 0x28);
233 243
     error = cli_writen(desc, exe, exesz)!=exesz;
234 244
   }
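Review bot: The new guards validate `structs` before each write, but the value it is derived from is still read without a visible bounds check: `cli_readint32(&exe[pe+0x14])` on the context line above the loop reads four bytes at an offset taken from the file. Unless `pe` is validated earlier in wwunpack (the function starts and ends outside this hunk), a guard such as `if (!CLI_ISCONTAINED(exe, exesz, exe + pe + 0x14, 4)) return 1;` should precede that line. The two added checks also log the identical string "WWPack: structs pointer out of bounds", so a debug log cannot tell the in-loop failure from the post-loop one; giving each its own message would help triage. The early `return 1` skips the `error` path used just below, so it is worth confirming that nothing allocated earlier in the function needs releasing on this exit.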