author | Ladislav Zezula <ladislav.zezula@avg.com> | 2016-01-28 08:56:48 +0100 |
---|---|---|
committer | Ladislav Zezula <ladislav.zezula@avg.com> | 2016-01-28 08:56:48 +0100 |
commit | 7d65d87773e3e7e587ba98a325e85d9cef621943 (patch) | |
tree | 39ee366a63bcd10b191554060497577ccf492290 /src/SFileOpenArchive.cpp | |
parent | 7b7c9acce2035c25064be3e83b358001182b8c47 (diff) |
+ Anti-integer overflow in calculating buffer for hash table, and position of the block table entry
Diffstat (limited to 'src/SFileOpenArchive.cpp')
-rw-r--r-- | src/SFileOpenArchive.cpp | 7 |
1 files changed, 7 insertions, 0 deletions
diff --git a/src/SFileOpenArchive.cpp b/src/SFileOpenArchive.cpp
index f9469fb..6a249f2 100644
--- a/src/SFileOpenArchive.cpp
+++ b/src/SFileOpenArchive.cpp
@@ -365,6 +365,13 @@ bool WINAPI SFileOpenArchive(
 ha->pUserData = NULL;
 }
 
+ // Anti-overflow. If the hash table size in the header is
+ // higher than 0x10000000, it would overflow in 32-bit version
+ // Observed in the malformed Warcraft III maps
+ // Example map: MPQ_2016_v1_ProtectedMap_TableSizeOverflow.w3x
+ ha->pHeader->dwHashTableSize &= 0x0FFFFFFF;
+ ha->pHeader->dwBlockTableSize &= 0x0FFFFFFF;
+
 // Both MPQ_OPEN_NO_LISTFILE or MPQ_OPEN_NO_ATTRIBUTES trigger read only mode
 if(dwFlags & (MPQ_OPEN_NO_LISTFILE | MPQ_OPEN_NO_ATTRIBUTES))
 ha->dwFlags |= MPQ_FLAG_READ_ONLY; |
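Review bot: The two masks on `ha->pHeader->dwHashTableSize` and `ha->pHeader->dwBlockTableSize` only stop the 32-bit size multiplication from wrapping; a header count of up to 0x0FFFFFFF entries is still accepted, so whatever allocates or reads the tables later (not visible in this hunk) is still sizing a buffer from an untrusted field and should bound it against the archive's actual size. The comment is also off by one, since 0x10000000 itself would already wrap if an entry is 16 bytes, which the mask width implies, and it does not say that oversized values are truncated rather than rejected. I would word it as `// Keep only the low 28 bits so count * sizeof(entry) cannot wrap in 32-bit builds;` followed by `// values >= 0x10000000 are silently truncated, not rejected.` The body of SFileOpenArchive starts and ends outside the hunk, so whether the masked header can later be written back to the file cannot be judged from here.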