dbghelp: Protect PE's COFF table reading against bogus values in NTHEADER.
parent
df710826e1
commit
516fc78a2b
|
@ -171,6 +171,25 @@ unsigned pe_get_map_size(const struct image_section_map* ism)
|
||||||
return ism->fmap->u.pe.sect[ism->sidx].shdr.SizeOfRawData;
|
return ism->fmap->u.pe.sect[ism->sidx].shdr.SizeOfRawData;
|
||||||
}
|
}
|
||||||
|
|
||||||
|
/******************************************************************
|
||||||
|
* pe_is_valid_pointer_table
|
||||||
|
*
|
||||||
|
* Checks whether the PointerToSymbolTable and NumberOfSymbols in file_header contain
|
||||||
|
* valid information.
|
||||||
|
*/
|
||||||
|
static BOOL pe_is_valid_pointer_table(const IMAGE_NT_HEADERS* nthdr, const void* mapping)
|
||||||
|
{
|
||||||
|
DWORD64 offset;
|
||||||
|
|
||||||
|
/* is the iSym table inside file image ? */
|
||||||
|
offset = (DWORD64)nthdr->FileHeader.PointerToSymbolTable;
|
||||||
|
offset += (DWORD64)nthdr->FileHeader.NumberOfSymbols * sizeof(IMAGE_SYMBOL);
|
||||||
|
if (offset > (DWORD64)nthdr->OptionalHeader.SizeOfImage) return FALSE;
|
||||||
|
/* is string table (following iSym table) inside file image ? */
|
||||||
|
offset += *(DWORD*)((const char*)mapping + offset);
|
||||||
|
return offset <= (DWORD64)nthdr->OptionalHeader.SizeOfImage;
|
||||||
|
}
|
||||||
|
|
||||||
/******************************************************************
|
/******************************************************************
|
||||||
* pe_map_file
|
* pe_map_file
|
||||||
*
|
*
|
||||||
|
@ -209,16 +228,26 @@ static BOOL pe_map_file(HANDLE file, struct image_file_map* fmap, enum module_ty
|
||||||
}
|
}
|
||||||
if (nthdr->FileHeader.PointerToSymbolTable && nthdr->FileHeader.NumberOfSymbols)
|
if (nthdr->FileHeader.PointerToSymbolTable && nthdr->FileHeader.NumberOfSymbols)
|
||||||
{
|
{
|
||||||
/* FIXME ugly: should rather map the relevant content instead of copying it */
|
if (pe_is_valid_pointer_table(nthdr, mapping))
|
||||||
const char* src = (const char*)mapping +
|
{
|
||||||
nthdr->FileHeader.PointerToSymbolTable +
|
/* FIXME ugly: should rather map the relevant content instead of copying it */
|
||||||
nthdr->FileHeader.NumberOfSymbols * sizeof(IMAGE_SYMBOL);
|
const char* src = (const char*)mapping +
|
||||||
char* dst;
|
nthdr->FileHeader.PointerToSymbolTable +
|
||||||
DWORD sz = *(DWORD*)src;
|
nthdr->FileHeader.NumberOfSymbols * sizeof(IMAGE_SYMBOL);
|
||||||
|
char* dst;
|
||||||
|
DWORD sz = *(DWORD*)src;
|
||||||
|
|
||||||
if ((dst = HeapAlloc(GetProcessHeap(), 0, sz)))
|
if ((dst = HeapAlloc(GetProcessHeap(), 0, sz)))
|
||||||
memcpy(dst, src, sz);
|
memcpy(dst, src, sz);
|
||||||
fmap->u.pe.strtable = dst;
|
fmap->u.pe.strtable = dst;
|
||||||
|
}
|
||||||
|
else
|
||||||
|
{
|
||||||
|
/* we have bad information here, wipe it out */
|
||||||
|
fmap->u.pe.ntheader.FileHeader.PointerToSymbolTable = 0;
|
||||||
|
fmap->u.pe.ntheader.FileHeader.NumberOfSymbols = 0;
|
||||||
|
fmap->u.pe.strtable = NULL;
|
||||||
|
}
|
||||||
}
|
}
|
||||||
else fmap->u.pe.strtable = NULL;
|
else fmap->u.pe.strtable = NULL;
|
||||||
}
|
}
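Review bot: In pe_is_valid_pointer_table the first bound check `if (offset > (DWORD64)nthdr->OptionalHeader.SizeOfImage) return FALSE;` still accepts any offset in the range SizeOfImage-3 .. SizeOfImage, after which the next line dereferences a 4-byte DWORD at that offset, so a crafted header can make the string-table length read run up to four bytes past the end of the mapping. The check should account for the size field itself, `if (offset + sizeof(DWORD) > (DWORD64)nthdr->OptionalHeader.SizeOfImage) return FALSE;`, which also keeps the subsequent `*(DWORD*)src` read in pe_map_file in bounds. Separately, SizeOfImage is the virtual image size; for a mapping of the file on disk the mapped length can differ from it, so if fmap records the actual mapping size it would be the tighter bound to validate against — worth confirming against how the mapping is created, which is outside this hunk. The enclosing pe_map_file body starts and ends outside the second hunk.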
|
||||||
|
|