...
|
...
|
@@ -223,12 +223,22 @@ int wwunpack(uint8_t *exe, uint32_t exesz, uint8_t *wwsect, struct cli_exe_secti
|
223
|
223
|
|
224
|
224
|
structs = &exe[(0xffff&cli_readint32(&exe[pe+0x14]))+pe+0x18];
|
225
|
225
|
for(i=0 ; i<scount ; i++) {
|
|
226
|
+ if (!CLI_ISCONTAINED(exe, exesz, structs, 0x28)) {
|
|
227
|
+ cli_dbgmsg("WWPack: structs pointer out of bounds\n");
|
|
228
|
+ return 1;
|
|
229
|
+ }
|
|
230
|
+
|
226
|
231
|
cli_writeint32(structs+8, sects[i].vsz);
|
227
|
232
|
cli_writeint32(structs+12, sects[i].rva);
|
228
|
233
|
cli_writeint32(structs+16, sects[i].vsz);
|
229
|
234
|
cli_writeint32(structs+20, sects[i].rva);
|
230
|
235
|
structs+=0x28;
|
231
|
236
|
}
|
|
237
|
+ if (!CLI_ISCONTAINED(exe, exesz, structs, 0x28)) {
|
|
238
|
+ cli_dbgmsg("WWPack: structs pointer out of bounds\n");
|
|
239
|
+ return 1;
|
|
240
|
+ }
|
|
241
|
+
|
232
|
242
|
memset(structs, 0, 0x28);
|
233
|
243
|
error = cli_writen(desc, exe, exesz)!=exesz;
|
234
|
244
|
}
|