From ea02a2ffb1f1b941de747858cd6da89ff675629a Mon Sep 17 00:00:00 2001
From: =?utf8?q?Pali=20Roh=C3=A1r?=
Date: Wed, 4 Dec 2024 18:20:18 +0100
Subject: [PATCH] windows: Check for SizeOfOptionalHeader before dereferencing OptionalHeader

offsetof(IMAGE_OPTIONAL_HEADER, DataDirectory) is the minimal size of variable length OptionalHeader (IMAGE_OPTIONAL_HEADER) structure.
---
 lib/physmem-windows.c | 3 +++
 lib/win32-kldbg.c | 4 ++++
 2 files changed, 7 insertions(+)

diff --git a/lib/physmem-windows.c b/lib/physmem-windows.c
index b220a78..f2e1264 100644
--- a/lib/physmem-windows.c
+++ b/lib/physmem-windows.c
@@ -428,6 +428,9 @@ win32_get_proc_address_by_ordinal(HMODULE module, DWORD ordinal, BOOL must_be_wi
   if (nt_header->Signature != IMAGE_NT_SIGNATURE)
     return NULL;
 
+  if (nt_header->FileHeader.SizeOfOptionalHeader < offsetof(IMAGE_OPTIONAL_HEADER, DataDirectory))
+    return NULL;
+
   if (nt_header->OptionalHeader.Magic != IMAGE_NT_OPTIONAL_HDR_MAGIC)
     return NULL;
 
diff --git a/lib/win32-kldbg.c b/lib/win32-kldbg.c
index 22078f5..69e0fb5 100644
--- a/lib/win32-kldbg.c
+++ b/lib/win32-kldbg.c
@@ -155,6 +155,10 @@ win32_check_driver(BYTE *driver_data)
     return FALSE;
 #endif
 
+  /* IMAGE_OPTIONAL_HEADER is alias for the structure used on the target compiler architecture. */
+  if (nt_headers->FileHeader.SizeOfOptionalHeader < offsetof(IMAGE_OPTIONAL_HEADER, DataDirectory))
+    return FALSE;
+
   /* IMAGE_NT_OPTIONAL_HDR_MAGIC is alias for the header magic used on the target compiler architecture. */
   if (nt_headers->OptionalHeader.Magic != IMAGE_NT_OPTIONAL_HDR_MAGIC)
     return FALSE;
--
2.47.3
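Review bot: The new bound in the physmem-windows.c hunk validates only the fixed-layout part of the optional header (everything before `DataDirectory`), so if `win32_get_proc_address_by_ordinal` later indexes `OptionalHeader.DataDirectory[...]` — presumably the export directory, given the function's purpose — that read still needs its own guard, e.g. `if (nt_header->OptionalHeader.NumberOfRvaAndSizes <= IMAGE_DIRECTORY_ENTRY_EXPORT) return NULL;` placed after the Magic test; the same consideration applies to the win32-kldbg.c hunk if `win32_check_driver` consults any directory entry. Both functions start and end outside their hunks, so I cannot confirm from here whether such a read exists. As a point of style, the physmem-windows.c check carries no comment while the win32-kldbg.c one explains the `IMAGE_OPTIONAL_HEADER` alias; adding the same line there plus a short reason, `/* offsetof(..., DataDirectory) is the minimal size of the variable-length optional header */`, keeps the two sites consistent and records why this particular offset is the threshold.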