authorLadislav Zezula <zezula@volny.cz>2025-09-15 15:15:33 +0200
committerGitHub <noreply@github.com>2025-09-15 15:15:33 +0200
commitd1aef907ffd8ea6f6ce04c5495b1cd350afc932a (patch)
treed7648d47f2f735e9b181919b77eb0e2c30d2a551
parent249b1c0490af45965ac5e75e138b80b8699da665 (diff)
parent49b619bae28ba5fcb63c192ef14a9b624e2a7286 (diff)
Merge pull request #399 from ladislav-zezula/LZ_FuzzingIssuesHEADmaster
Fixed https://github.com/ladislav-zezula/StormLib/issues/397 and http…
-rw-r--r--src/SBaseCommon.cpp5
-rw-r--r--src/SBaseFileTable.cpp5
-rw-r--r--src/StormLib.h1
-rwxr-xr-xtest/StormTest.cpp9
-rw-r--r--test/stormlib-test-001.txt2
5 files changed, 17 insertions, 5 deletions
diff --git a/src/SBaseCommon.cpp b/src/SBaseCommon.cpp
index 16caf4f..4d56502 100644
--- a/src/SBaseCommon.cpp
+++ b/src/SBaseCommon.cpp
@@ -1019,6 +1019,11 @@ void * LoadMpqTable(
return NULL;
}
}
+ else
+ {
+ // pocs/MPQ_2025_06_BadHashTableSize.mpq
+ dwCompressedSize = dwTableSize;
+ }
// Get the file offset from which we will read the table
// Note: According to Storm.dll from Warcraft III (version 2002),
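Review bot: The new else branch documents itself only with a PoC file name, `// pocs/MPQ_2025_06_BadHashTableSize.mpq`, which records what crashed but not which invariant the assignment restores; a comment stating the rule (presumably that on this path the table is read as-is, so the on-disk size is dwTableSize) followed by the regression reference, e.g. `// Not compressed: on-disk size equals dwTableSize (regression: pocs/MPQ_2025_06_BadHashTableSize.mpq)`, would serve both purposes. The condition this else pairs with and the prior value of dwCompressedSize are outside the hunk, so I cannot tell from here whether the variable was previously uninitialized or merely stale on this path; the assignment is the right shape either way. LoadMpqTable starts and ends outside the hunk.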
diff --git a/src/SBaseFileTable.cpp b/src/SBaseFileTable.cpp
index e854ac0..46daab5 100644
--- a/src/SBaseFileTable.cpp
+++ b/src/SBaseFileTable.cpp
@@ -2508,7 +2508,8 @@ TMPQHetTable * LoadHetTable(TMPQArchive * ha)
TMPQHeader * pHeader = ha->pHeader;
// If the HET table position is not 0, we expect the table to be present
- if(pHeader->HetTablePos64 && pHeader->HetTableSize64)
+ // Alsom the HET table must have a reasonable size
+ if(pHeader->HetTablePos64 && pHeader->HetTableSize64 && pHeader->HetTableSize64 < BET_TABLE_MAX_SIZE)
{
// Attempt to load the HET table (Hash Extended Table)
pExtTable = LoadExtTable(ha, pHeader->HetTablePos64, (size_t)pHeader->HetTableSize64, HET_TABLE_SIGNATURE, MPQ_KEY_HASH_TABLE);
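Review bot: The comment added above the HET guard has a typo, `Alsom`, and the identical guard added to LoadBetTable in the next hunk carries no comment at all; `// Also, the HET table must have a reasonable size (BET_TABLE_MAX_SIZE bounds both HET and BET)` here and a matching one-liner in LoadBetTable would keep the two checks readable side by side. The bound uses strict `<`, so a table of exactly BET_TABLE_MAX_SIZE bytes is rejected while the constant's own comment calls it the maximum acceptable size; either `<=` or a remark that the limit is exclusive would remove the ambiguity. Whether LoadExtTable additionally checks the size against the real archive length before allocating is not visible from this hunk. LoadHetTable's body continues outside the hunk.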
@@ -2530,7 +2531,7 @@ TMPQBetTable * LoadBetTable(TMPQArchive * ha)
TMPQHeader * pHeader = ha->pHeader;
// If the BET table position is not 0, we expect the table to be present
- if(pHeader->BetTablePos64 && pHeader->BetTableSize64)
+ if(pHeader->BetTablePos64 && pHeader->BetTableSize64 && pHeader->BetTableSize64 < BET_TABLE_MAX_SIZE)
{
// Attempt to load the HET table (Hash Extended Table)
pExtTable = LoadExtTable(ha, pHeader->BetTablePos64, (size_t)pHeader->BetTableSize64, BET_TABLE_SIGNATURE, MPQ_KEY_BLOCK_TABLE);
diff --git a/src/StormLib.h b/src/StormLib.h
index e1db062..1f3dee7 100644
--- a/src/StormLib.h
+++ b/src/StormLib.h
@@ -292,6 +292,7 @@ extern "C" {
// Signatures for HET and BET table
#define HET_TABLE_SIGNATURE 0x1A544548 // 'HET\x1a'
#define BET_TABLE_SIGNATURE 0x1A544542 // 'BET\x1a'
+#define BET_TABLE_MAX_SIZE 0x00100000 // Maximum acceptable size of HET&BET tables
// Decryption keys for MPQ tables
#define MPQ_KEY_HASH_TABLE 0xC3AF3770 // Obtained by HashString("(hash table)", MPQ_HASH_FILE_KEY)
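Review bot: BET_TABLE_MAX_SIZE is applied to HetTableSize64 as well as BetTableSize64 in SBaseFileTable.cpp, so the BET_ prefix misleads at the HET call site; since the macro is new in this commit, a name such as HET_BET_TABLE_MAX_SIZE, or at least a comment here saying it bounds both size fields, would match its actual role. The value 0x00100000 is given without rationale; a short note on where the limit comes from (largest table a legitimate archive produces, or simply a sanity cap on the allocation driven by header-supplied sizes) would help whoever needs to raise it later. Keeping it a #define rather than an enum is consistent with the neighbouring signature and key constants.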
diff --git a/test/StormTest.cpp b/test/StormTest.cpp
index 4e06e1a..eb57ebf 100755
--- a/test/StormTest.cpp
+++ b/test/StormTest.cpp
@@ -3960,8 +3960,8 @@ static void Test_PlayingSpace()
LPBYTE pbData;
DWORD dwFileSize = 529298;
DWORD dwBytesRead = 0;
-
- if(SFileOpenArchive(_T("c:\\War3.mpq"), 0, 0, &hMpq))
+/*
+ if(SFileOpenArchive(_T("e:\\2.mpq"), 0, 0, &hMpq))
{
if(SFileOpenFileEx(hMpq, "(listfile)", 0, &hFile))
{
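Review bot: The body of Test_PlayingSpace is now disabled with a `/* … */` block that opens here and closes in the next hunk, leaving dead code with a developer-local path `e:\\2.mpq` in the repository; the locals pbData, dwFileSize and dwBytesRead declared just above are still live and will be reported as unused if the build warns on unused variables. If the scratch body is meant to stay, `#if 0` / `#endif` around it is the conventional way to disable it and does not break on nested comments; otherwise deleting the block and leaving a one-line comment that the function is a scratch test is cleaner. Test_PlayingSpace starts and ends outside these two hunks.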
@@ -3974,6 +3974,7 @@ static void Test_PlayingSpace()
}
SFileCloseArchive(hMpq);
}
+*/
}
//-----------------------------------------------------------------------------
@@ -4237,7 +4238,7 @@ static const TEST_INFO1 TestList_MasterMirror[] =
static const TEST_INFO1 Test_OpenMpqs[] =
{
- // PoC's by Gabe Sherman, tinh0.
+ // PoC's by Gabe Sherman, tinh0, Zao Yang
{_T("pocs/MPQ_2024_01_HeapOverrun.mpq"), NULL, "7008f95dcbc4e5d840830c176dec6969", 14},
{_T("pocs/MPQ_2024_02_StackOverflow.mpq"), NULL, "7093fcbcc9674b3e152e74e8e8a937bb", 4},
{_T("pocs/MPQ_2024_03_TooBigAlloc.mpq"), NULL, "--------------------------------", TFLG_WILL_FAIL},
@@ -4255,6 +4256,8 @@ static const TEST_INFO1 Test_OpenMpqs[] =
{_T("pocs/MPQ_2025_03_InvalidPatchInfo.mpq"), NULL, "93b885adfe0da089cdf634904fd59f71", TFLG_WILL_FAIL},
{_T("pocs/MPQ_2025_04_InvalidArchiveSize64.mpq"), NULL, "--------------------------------", TFLG_WILL_FAIL},
{_T("pocs/MPQ_2025_05_AddFileError.mpq"), NULL, "ce9b8afed4221a53663d391f10691ba6", TFLG_WILL_FAIL},
+ {_T("pocs/MPQ_2025_06_BadHashTableSize.mpq"), NULL, "00000000000000000000000000000000", TFLG_WILL_FAIL},
+ {_T("pocs/MPQ_2025_07_BadHetTableSize.mpq"), NULL, "00000000000000000000000000000000", TFLG_WILL_FAIL},
// Correct or damaged archives
{_T("MPQ_1997_v1_Diablo1_DIABDAT.MPQ"), NULL, "554b538541e42170ed41cb236483489e", 2910, &TwoFilesD1}, // Base MPQ from Diablo 1
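Review bot: The two new Test_OpenMpqs entries give an expected hash of `00000000000000000000000000000000`, whereas the other TFLG_WILL_FAIL entries without a meaningful digest (MPQ_2024_03_TooBigAlloc and MPQ_2025_04_InvalidArchiveSize64) use the `--------------------------------` placeholder; unless all-zero is a genuine expected value for these archives, using the same placeholder keeps the table's convention readable. The two PoC archives are referenced by path but are not among the five files in this commit's diffstat, so presumably they are added separately or kept in an external test-data tree; worth confirming the test runner can locate them before the expected-output file is updated. Test_OpenMpqs continues outside the hunk.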
diff --git a/test/stormlib-test-001.txt b/test/stormlib-test-001.txt
index cf96931..0359d2f 100644
--- a/test/stormlib-test-001.txt
+++ b/test/stormlib-test-001.txt
@@ -36,6 +36,8 @@ TestReadingMpq (pocs/MPQ_2025_02_SectorOffsetSizeNotAligned.mpq) succeeded.
TestReadingMpq (pocs/MPQ_2025_03_InvalidPatchInfo.mpq) succeeded.
TestReadingMpq (pocs/MPQ_2025_04_InvalidArchiveSize64.mpq) succeeded.
TestReadingMpq (pocs/MPQ_2025_05_AddFileError.mpq) succeeded.
+TestReadingMpq (pocs/MPQ_2025_06_BadHashTableSize.mpq) succeeded.
+TestReadingMpq (pocs/MPQ_2025_07_BadHetTableSize.mpq) succeeded.
TestReadingMpq (MPQ_1997_v1_Diablo1_DIABDAT.MPQ) succeeded.
TestReadingMpq (MPQ_1997_v1_patch_rt_SC1B.mpq) succeeded.
TestReadingMpq (MPQ_1997_v1_StarDat_SC1B.mpq) succeeded.