Stowage/clamav
2
0
Fork 0
mirror of https://github.com/Cisco-Talos/clamav.git synced 2025-11-02 09:00:54 +00:00
Code Issues Projects Releases Packages Wiki Activity

bb19798 - fix out of bound memory access for crafted wwunpack file.

Browse source
This commit is contained in:
Steven Morgan 2017-03-03 13:56:28 -05:00
parent 586a518028
commit dfc00cd330
1 changed files with 6 additions and 0 deletions
Download patch file Download diff file Expand all files Collapse all files

6
libclamav/wwunpack.c
View file

@ -226,6 +226,12 @@ int wwunpack(uint8_t *exe, uint32_t exesz, uint8_t *wwsect, struct cli_exe_secti
return CL_EFORMAT; return CL_EFORMAT;
exe[pe+6]=(uint8_t)scount; exe[pe+6]=(uint8_t)scount;
exe[pe+7]=(uint8_t)(scount>>8); exe[pe+7]=(uint8_t)(scount>>8);
if (!CLI_ISCONTAINED(wwsect, sects[scount].rsz, wwsect+0x295, 4) ||
!CLI_ISCONTAINED(wwsect, sects[scount].rsz, wwsect+0x295+sects[scount].rva, 4) ||
!CLI_ISCONTAINED(wwsect, sects[scount].rsz, wwsect+0x295+sects[scount].rva+0x299, 4)) {
cli_dbgmsg("WWPack: unpack memory address out of bounds.\n");
return CL_EFORMAT;
}
cli_writeint32(&exe[pe+0x28], cli_readint32(wwsect+0x295)+sects[scount].rva+0x299); cli_writeint32(&exe[pe+0x28], cli_readint32(wwsect+0x295)+sects[scount].rva+0x299);
cli_writeint32(&exe[pe+0x50], cli_readint32(&exe[pe+0x50])-sects[scount].vsz); cli_writeint32(&exe[pe+0x50], cli_readint32(&exe[pe+0x50])-sects[scount].vsz);