authorLadislav Zezula <zezula@volny.cz>2024-04-21 18:40:56 +0200
committerLadislav Zezula <zezula@volny.cz>2024-04-21 18:40:56 +0200
commit355665c0ab214cae667681858cc1d8c3b0a41d4a (patch)
tree03f654209a12ffa29db734cc095a28f5f54a4d86 /src/SFileReadFile.cpp
parent3643858d00d26165404837a1f0f7640a84873c30 (diff)
Fixed kernelmode heap overflow (via ReadFile), described in https://github.com/ladislav-zezula/StormLib/issues/333
Diffstat (limited to 'src/SFileReadFile.cpp')
-rw-r--r--src/SFileReadFile.cpp7
1 files changed, 6 insertions, 1 deletions
diff --git a/src/SFileReadFile.cpp b/src/SFileReadFile.cpp
index 8ab5f48..180d428 100644
--- a/src/SFileReadFile.cpp
+++ b/src/SFileReadFile.cpp
@@ -261,6 +261,8 @@ static DWORD ReadMpqFileSingleUnit(TMPQFile * hf, void * pvBuffer, DWORD dwFileP
// If the file sector is not loaded yet, do it
if(hf->dwSectorOffs != 0)
{
+ DWORD cbRawData = hf->dwDataSize;
+
// Is the file compressed?
if(pFileEntry->dwFlags & MPQ_FILE_COMPRESS_MASK)
{
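Review bot: The new `cbRawData` declaration at the top of the `if(hf->dwSectorOffs != 0)` block carries no comment, although its initial value is the whole point of the fix. I would add above it `// Number of bytes to read; starts at hf->dwDataSize so the read cannot exceed the destination buffer`. This assumes the default target of `pbRawData` is allocated with `hf->dwDataSize` bytes, which is set up outside this hunk and should be confirmed. ReadMpqFileSingleUnit starts and ends outside the hunk.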
@@ -268,11 +270,14 @@ static DWORD ReadMpqFileSingleUnit(TMPQFile * hf, void * pvBuffer, DWORD dwFileP
pbCompressed = STORM_ALLOC(BYTE, pFileEntry->dwCmpSize);
if(pbCompressed == NULL)
return ERROR_NOT_ENOUGH_MEMORY;
+
+ // Redirect reading
pbRawData = pbCompressed;
+ cbRawData = pFileEntry->dwCmpSize;
}
// Load the raw (compressed, encrypted) data
- if(!FileStream_Read(ha->pStream, &RawFilePos, pbRawData, pFileEntry->dwCmpSize))
+ if(!FileStream_Read(ha->pStream, &RawFilePos, pbRawData, cbRawData))
{
STORM_FREE(pbCompressed);
return GetLastError();
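Review bot: The bound is applied only at the `FileStream_Read` call, so any later code that still sizes an operation on `pbRawData` by `pFileEntry->dwCmpSize` would keep the same overrun for an uncompressed entry with an oversized `dwCmpSize`. The rest of the function is outside this hunk, so this is something to check (for example decryption or byte swapping of the raw data, if present) rather than a confirmed defect; such uses should take `cbRawData`. Separately, an uncompressed entry whose `dwCmpSize` disagrees with `hf->dwDataSize` indicates an inconsistent or crafted archive, and it is now read without any signal. Returning an error such as `ERROR_FILE_CORRUPT` for that case would surface the malformed input, provided no legitimate archive layout relies on the two sizes differing.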