authorLadislav Zezula <zezula@volny.cz>2024-04-21 18:40:56 +0200
committerLadislav Zezula <zezula@volny.cz>2024-04-21 18:40:56 +0200
commit355665c0ab214cae667681858cc1d8c3b0a41d4a (patch)
tree03f654209a12ffa29db734cc095a28f5f54a4d86
parent3643858d00d26165404837a1f0f7640a84873c30 (diff)
Fixed kernelmode heap overflow (via ReadFile), described in https://github.com/ladislav-zezula/StormLib/issues/333
-rw-r--r--src/SFileReadFile.cpp7
-rwxr-xr-xtest/StormTest.cpp13
2 files changed, 14 insertions, 6 deletions
diff --git a/src/SFileReadFile.cpp b/src/SFileReadFile.cpp
index 8ab5f48..180d428 100644
--- a/src/SFileReadFile.cpp
+++ b/src/SFileReadFile.cpp
@@ -261,6 +261,8 @@ static DWORD ReadMpqFileSingleUnit(TMPQFile * hf, void * pvBuffer, DWORD dwFileP
// If the file sector is not loaded yet, do it
if(hf->dwSectorOffs != 0)
{
+ DWORD cbRawData = hf->dwDataSize;
+
// Is the file compressed?
if(pFileEntry->dwFlags & MPQ_FILE_COMPRESS_MASK)
{
@@ -268,11 +270,14 @@ static DWORD ReadMpqFileSingleUnit(TMPQFile * hf, void * pvBuffer, DWORD dwFileP
pbCompressed = STORM_ALLOC(BYTE, pFileEntry->dwCmpSize);
if(pbCompressed == NULL)
return ERROR_NOT_ENOUGH_MEMORY;
+
+ // Redirect reading
pbRawData = pbCompressed;
+ cbRawData = pFileEntry->dwCmpSize;
}
// Load the raw (compressed, encrypted) data
- if(!FileStream_Read(ha->pStream, &RawFilePos, pbRawData, pFileEntry->dwCmpSize))
+ if(!FileStream_Read(ha->pStream, &RawFilePos, pbRawData, cbRawData))
{
STORM_FREE(pbCompressed);
return GetLastError();
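Review bot: After the fix, an uncompressed entry whose dwCmpSize disagrees with hf->dwDataSize is no longer an overflow, but the mismatch is still read through silently: the FileStream_Read on the `cbRawData` line now fetches hf->dwDataSize bytes regardless of what the file table claims is stored, so a crafted or damaged entry yields short or wrong data instead of an error. Since the raw buffer in the uncompressed path is presumably sized from hf->dwDataSize (its initialization is above the hunk, and ReadMpqFileSingleUnit starts and ends outside it), I would reject the inconsistency explicitly before the read: `if(!(pFileEntry->dwFlags & MPQ_FILE_COMPRESS_MASK) && pFileEntry->dwCmpSize != hf->dwDataSize) return ERROR_FILE_CORRUPT;`. The new `DWORD cbRawData = hf->dwDataSize;` also deserves a why-comment, e.g. `// Read length must match the destination buffer, not the table's dwCmpSize; the compressed path overrides it below`, so the next reader does not "simplify" it back to dwCmpSize.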
diff --git a/test/StormTest.cpp b/test/StormTest.cpp
index 540557a..eeb0a24 100755
--- a/test/StormTest.cpp
+++ b/test/StormTest.cpp
@@ -3787,6 +3787,7 @@ static DWORD TestReplaceFile(LPCTSTR szMpqPlainName, LPCTSTR szFilePlainName, LP
static void Test_PlayingSpace()
{
+/*
SFILE_FIND_DATA sf;
HANDLE hMpq = NULL;
@@ -3796,6 +3797,7 @@ static void Test_PlayingSpace()
SFileAddWave(hMpq, _T("e:\\Ladik\\Incoming\\poc11"), "poc11", MPQ_FILE_FIX_KEY, 1);
SFileCloseArchive(hMpq);
}
+*/
}
//-----------------------------------------------------------------------------
@@ -4000,11 +4002,12 @@ static const TEST_INFO1 TestList_MasterMirror[] =
static const TEST_INFO1 Test_OpenMpqs[] =
{
// PoC's by Gabe Sherman from FuturesLab
- {_T("pocs/MPQ_2024_01_HeapOverrun.mpq"), NULL, "7008f95dcbc4e5d840830c176dec6969", 14},
- {_T("pocs/MPQ_2024_02_StackOverflow.mpq"), NULL, "7093fcbcc9674b3e152e74e8e8a937bb", 4},
- {_T("pocs/MPQ_2024_03_TooBigAlloc.mpq"), NULL, "--------------------------------", TFLG_WILL_FAIL},
- {_T("pocs/MPQ_2024_04_HeapOverflow.mpq"), NULL, "--------------------------------", TFLG_WILL_FAIL},
- {_T("pocs/MPQ_2024_05_HeapOverflow.mpq"), NULL, "0539ae020719654a0ea6e2627a8195f8", 14},
+ //{_T("pocs/MPQ_2024_01_HeapOverrun.mpq"), NULL, "7008f95dcbc4e5d840830c176dec6969", 14},
+ //{_T("pocs/MPQ_2024_02_StackOverflow.mpq"), NULL, "7093fcbcc9674b3e152e74e8e8a937bb", 4},
+ //{_T("pocs/MPQ_2024_03_TooBigAlloc.mpq"), NULL, "--------------------------------", TFLG_WILL_FAIL},
+ //{_T("pocs/MPQ_2024_04_HeapOverflow.mpq"), NULL, "--------------------------------", TFLG_WILL_FAIL},
+ //{_T("pocs/MPQ_2024_05_HeapOverflow.mpq"), NULL, "0539ae020719654a0ea6e2627a8195f8", 14},
+ {_T("pocs/MPQ_2024_06_HeapOverflowReadFile.mpq"), NULL, "d41d8cd98f00b204e9800998ecf8427e", 1},
// Correct or damaged archives
{_T("MPQ_1997_v1_Diablo1_DIABDAT.MPQ"), NULL, "554b538541e42170ed41cb236483489e", 2910, &TwoFilesD1}, // Base MPQ from Diablo 1