windows: Check for SizeOfOptionalHeader before dereferencing OptionalHeader

author Pali Rohár <pali@kernel.org>

Wed, 4 Dec 2024 17:20:18 +0000 (18:20 +0100)

committer Martin Mares <mj@ucw.cz>

Sun, 8 Jun 2025 15:19:58 +0000 (17:19 +0200)
author Pali Rohár <pali@kernel.org>
Wed, 4 Dec 2024 17:20:18 +0000 (18:20 +0100)
committer Martin Mares <mj@ucw.cz>
Sun, 8 Jun 2025 15:19:58 +0000 (17:19 +0200)
diff --git a/lib/physmem-windows.c b/lib/physmem-windows.c

index b220a781b4d91a7617a92d3d5557424fbe3ea0f6..f2e12649a34bf6c0d61390d3003721b193ecb7ef 100644 (file)
--- a/lib/physmem-windows.c
+++ b/lib/physmem-windows.c
@@ -428,6 +428,9 @@ win32_get_proc_address_by_ordinal(HMODULE module, DWORD ordinal, BOOL must_be_wi
    if (nt_header->Signature != IMAGE_NT_SIGNATURE)
      return NULL;
  
+  if (nt_header->FileHeader.SizeOfOptionalHeader < offsetof(IMAGE_OPTIONAL_HEADER, DataDirectory))
+    return NULL;
+
    if (nt_header->OptionalHeader.Magic != IMAGE_NT_OPTIONAL_HDR_MAGIC)
      return NULL;
  
diff --git a/lib/win32-kldbg.c b/lib/win32-kldbg.c

index 22078f564f67a66a865ba89ac47f5e917f7d69b4..69e0fb51a4715b7d86d64bfe64e7171ea3da86a2 100644 (file)
--- a/lib/win32-kldbg.c
+++ b/lib/win32-kldbg.c
@@ -155,6 +155,10 @@ win32_check_driver(BYTE *driver_data)
      return FALSE;
  #endif
  
+  /* IMAGE_OPTIONAL_HEADER is alias for the structure used on the target compiler architecture. */
+  if (nt_headers->FileHeader.SizeOfOptionalHeader < offsetof(IMAGE_OPTIONAL_HEADER, DataDirectory))
+    return FALSE;
+
    /* IMAGE_NT_OPTIONAL_HDR_MAGIC is alias for the header magic used on the target compiler architecture. */
    if (nt_headers->OptionalHeader.Magic != IMAGE_NT_OPTIONAL_HDR_MAGIC)
      return FALSE;
author	Pali Rohár <pali@kernel.org>
	Wed, 4 Dec 2024 17:20:18 +0000 (18:20 +0100)
committer	Martin Mares <mj@ucw.cz>
	Sun, 8 Jun 2025 15:19:58 +0000 (17:19 +0200)
lib/physmem-windows.c		patch \| blob \| blame \| history
lib/win32-kldbg.c		patch \| blob \| blame \| history