Fixing overread when unpacking PE files

A buffer over-read may occur when unpacking wwpack'd PE files if the file is very small. This commit adds a CLI_CONTAINS buffer wrap check to ensure we aren't reading beyond the exe buffer. We determined that this issue is not a vulnerability. Resolves: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=57374
2 years ago · 89cd0df3d7
parent ca6b9beea2
commit 89cd0df3d7
1 changed files with 12 additions and 6 deletions
--- a/libclamav/wwunpack.c
+++ b/libclamav/wwunpack.c
@ -231,19 +231,25 @@ cl_error_t wwunpack(uint8_t *exe, uint32_t exesz, uint8_t *wwsect, struct cli_ex
    }

    if (CL_SUCCESS == error) {
-        if (pe + 6 > exesz || pe + 7 > exesz || pe + 0x28 > exesz ||
-            pe + 0x50 > exesz || pe + 0x14 > exesz)
-            return CL_EFORMAT;

        exe[pe + 6] = (uint8_t)scount;
        exe[pe + 7] = (uint8_t)(scount >> 8);
-        if (!CLI_ISCONTAINED(wwsect, sects[scount].rsz, wwsect + 0x295, 4))
+        
+        if (!CLI_ISCONTAINED(wwsect, sects[scount].rsz, wwsect + 0x295, 4)) {
+            cli_dbgmsg("WWPack: unpack memory address out of bounds.\n");
+            return CL_EFORMAT;
+        }
+        cli_writeint32(&exe[pe + 0x28], cli_readint32(wwsect + 0x295) + sects[scount].rva + 0x299);
+
+        if (!CLI_ISCONTAINED(exe, exesz, exe + pe + 0x50, 4)) {
            cli_dbgmsg("WWPack: unpack memory address out of bounds.\n");
-        else
-            cli_writeint32(&exe[pe + 0x28], cli_readint32(wwsect + 0x295) + sects[scount].rva + 0x299);
+            return CL_EFORMAT;
+        }
        cli_writeint32(&exe[pe + 0x50], cli_readint32(&exe[pe + 0x50]) - sects[scount].vsz);

+        // Bounds check not required here, because we know exesz > pe + 0x50 + 4
        structs = &exe[(0xffff & cli_readint32(&exe[pe + 0x14])) + pe + 0x18];
+
        for (i = 0; i < scount; i++) {
            if (!CLI_ISCONTAINED(exe, exesz, structs, 0x28)) {
                cli_dbgmsg("WWPack: structs pointer out of bounds\n");