From 6e66c12c68c6b35ec6ff037e032979fb1dacbe26 Mon Sep 17 00:00:00 2001
From: Sebastian Lackner
Date: Thu, 30 Jul 2015 07:14:23 +0200
Subject: [PATCH] ntdll: Validate SecurityCookie pointer before accessing cookie value.
---
 dlls/ntdll/virtual.c | 6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)
diff --git a/dlls/ntdll/virtual.c b/dlls/ntdll/virtual.c
index 479ca795e93..2fd8198c0e6 100644
--- a/dlls/ntdll/virtual.c
+++ b/dlls/ntdll/virtual.c
@@ -1320,9 +1320,11 @@ static NTSTATUS map_image( HANDLE hmapping, int fd, char *base, SIZE_T total_siz
 loadcfg = RtlImageDirectoryEntryToData( (HMODULE)ptr, TRUE, IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG, &loadcfg_size );
- if (loadcfg &&
- loadcfg_size >= offsetof(IMAGE_LOAD_CONFIG_DIRECTORY, SecurityCookie) + sizeof(loadcfg->SecurityCookie))
+ if (loadcfg && loadcfg_size >= offsetof(IMAGE_LOAD_CONFIG_DIRECTORY, SecurityCookie) + sizeof(loadcfg->SecurityCookie) &&
+ (ULONG_PTR)ptr <= loadcfg->SecurityCookie && loadcfg->SecurityCookie <= (ULONG_PTR)ptr + total_size - sizeof(ULONG_PTR))
+ {
 set_security_cookie((ULONG_PTR *)loadcfg->SecurityCookie);
+ }
 /* set the image protections */
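Review bot: A `SecurityCookie` pointer that fails the new range test in this `if` is skipped silently, so an image whose load-config directory carries a bogus pointer loads with its /GS cookie left at the build-time default and nothing in the log says so. Splitting the size test from the range test lets the rejected case be reported (assuming the file's usual `WARN` debug channel is in scope here) and gives room for a comment stating that the pointer is read from the image and is untrusted. The range test accepts any address inside the mapping, headers and code included, and does not check alignment; whether that matters depends on `set_security_cookie`, which is outside this hunk, as are the start and end of `map_image`.

```c
    if (loadcfg && loadcfg_size >= offsetof(IMAGE_LOAD_CONFIG_DIRECTORY, SecurityCookie) + sizeof(loadcfg->SecurityCookie))
    {
        /* the pointer is read from the image and is untrusted: only write through it inside the mapping */
        ULONG_PTR cookie = loadcfg->SecurityCookie;

        if ((ULONG_PTR)ptr <= cookie && cookie <= (ULONG_PTR)ptr + total_size - sizeof(ULONG_PTR))
            set_security_cookie( (ULONG_PTR *)cookie );
        else if (cookie)  /* zero presumably means "no cookie"; confirm */
            WARN( "ignoring security cookie %p outside of image %p-%p\n",
                  (void *)cookie, (void *)ptr, (void *)((ULONG_PTR)ptr + total_size) );
    }
```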