DBG: Fix mapped area overrun in ReadDebugDirectory for bogus debugDirSize

2018-11-07 00:40:23 +01:00 · 2018-11-07 00:40:23 +01:00 · 1e9bf1ab7c
parent 0adb663a91
commit 1e9bf1ab7c
1 changed files with 5 additions and 1 deletions
--- a/src/dbg/module.cpp
+++ b/src/dbg/module.cpp
@ -387,7 +387,11 @@ void ReadDebugDirectory(MODINFO & Info, ULONG_PTR FileMapVA)
                    FALSE,
                    IMAGE_DIRECTORY_ENTRY_DEBUG,
                    &debugDirSize);
-    if(debugDirSize == 0 || debugDir == nullptr)
+    if(debugDirSize == 0 || debugDir == nullptr ||
+       // Check if debugDir fits into the mapped area
+       (ULONG_PTR)debugDir + debugDirSize > FileMapVA + Info.loadedSize ||
+       // Check for ULONG_PTR wraparound (e.g. when debugDirSize == 0xfffff000)
+       (ULONG_PTR)debugDir + debugDirSize < (ULONG_PTR)debugDir)
        return;

    struct CV_HEADER