Fixed heap corruption in wwunpack.c

12 years ago · 71990820d0
parent 1ed631f9a5
commit 71990820d0
1 changed files with 10 additions and 0 deletions
--- a/libclamav/wwunpack.c
+++ b/libclamav/wwunpack.c
@ -223,12 +223,22 @@ int wwunpack(uint8_t *exe, uint32_t exesz, uint8_t *wwsect, struct cli_exe_secti

    structs = &exe[(0xffff&cli_readint32(&exe[pe+0x14]))+pe+0x18];
    for(i=0 ; i<scount ; i++) {
+	  if (!CLI_ISCONTAINED(exe, exesz, structs, 0x28)) {
+	    cli_dbgmsg("WWPack: structs pointer out of bounds\n");
+	    return 1;
+	  }
+
      cli_writeint32(structs+8, sects[i].vsz);
      cli_writeint32(structs+12, sects[i].rva);
      cli_writeint32(structs+16, sects[i].vsz);
      cli_writeint32(structs+20, sects[i].rva);
      structs+=0x28;
    }
+	if (!CLI_ISCONTAINED(exe, exesz, structs, 0x28)) {
+	  cli_dbgmsg("WWPack: structs pointer out of bounds\n");
+	  return 1;
+	}
+
    memset(structs, 0, 0x28);
    error = cli_writen(desc, exe, exesz)!=exesz;
  }