From: Pali Rohár
Date: Wed, 4 Dec 2024 17:20:18 +0000 (+0100)
Subject: windows: Check for SizeOfOptionalHeader before dereferencing OptionalHeader
X-Git-Tag: v3.14.0~21
X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=ea02a2ffb1f1b941de747858cd6da89ff675629a;p=thirdparty%2Fpciutils.git

windows: Check for SizeOfOptionalHeader before dereferencing OptionalHeader

offsetof(IMAGE_OPTIONAL_HEADER, DataDirectory) is the minimal size of variable length OptionalHeader (IMAGE_OPTIONAL_HEADER) structure.
---

diff --git a/lib/physmem-windows.c b/lib/physmem-windows.c
index b220a78..f2e1264 100644
--- a/lib/physmem-windows.c
+++ b/lib/physmem-windows.c
@@ -428,6 +428,9 @@ win32_get_proc_address_by_ordinal(HMODULE module, DWORD ordinal, BOOL must_be_wi
 if (nt_header->Signature != IMAGE_NT_SIGNATURE)
 return NULL;

+ if (nt_header->FileHeader.SizeOfOptionalHeader < offsetof(IMAGE_OPTIONAL_HEADER, DataDirectory))
+ return NULL;
+
 if (nt_header->OptionalHeader.Magic != IMAGE_NT_OPTIONAL_HDR_MAGIC)
 return NULL;

diff --git a/lib/win32-kldbg.c b/lib/win32-kldbg.c
index 22078f5..69e0fb5 100644
--- a/lib/win32-kldbg.c
+++ b/lib/win32-kldbg.c
@@ -155,6 +155,10 @@ win32_check_driver(BYTE *driver_data)
 return FALSE;
 #endif

+ /* IMAGE_OPTIONAL_HEADER is alias for the structure used on the target compiler architecture. */
+ if (nt_headers->FileHeader.SizeOfOptionalHeader < offsetof(IMAGE_OPTIONAL_HEADER, DataDirectory))
+ return FALSE;
+
 /* IMAGE_NT_OPTIONAL_HDR_MAGIC is alias for the header magic used on the target compiler architecture. */
 if (nt_headers->OptionalHeader.Magic != IMAGE_NT_OPTIONAL_HDR_MAGIC)
 return FALSE;
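Review bot: The new bound in win32_get_proc_address_by_ordinal only proves that the fixed part of the optional header, up to the start of DataDirectory, is present; it does not cover any DataDirectory entry. If the code after this hunk reads the export directory entry (the function name suggests it, but the body continues outside the hunk), that read also needs `nt_header->OptionalHeader.NumberOfRvaAndSizes > IMAGE_DIRECTORY_ENTRY_EXPORT` and a SizeOfOptionalHeader large enough to contain that entry. The check is also missing the comment its twin in lib/win32-kldbg.c carries; adding `/* IMAGE_OPTIONAL_HEADER is alias for the structure used on the target compiler architecture. */` here would record that the size is compared against the native header layout.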
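Review bot: In lib/win32-kldbg.c, SizeOfOptionalHeader is read from the same buffer it is meant to vouch for, and as far as the hunk header shows win32_check_driver(BYTE *driver_data) receives no length, so the added check cannot tell whether the optional header actually lies inside the data that was read. A truncated file can declare a sufficient SizeOfOptionalHeader and still end before OptionalHeader.Magic, which makes the following dereference an out-of-bounds read. Unless the caller already guarantees a minimum buffer size, the function should take the buffer length and verify that the NT headers offset plus sizeof(IMAGE_NT_HEADERS) fits in it before any header field is read. The function starts and ends outside the hunk, so such a bound may already exist there.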