+ Fixed arbitrarily large allocations caused by TQMPHeader::dwBlockTableSize

author: Zezula Ladislav <ladislav.zezula@avast.com> 2018-10-15 11:23:52 +0200
committer: Zezula Ladislav <ladislav.zezula@avast.com> 2018-10-15 11:23:52 +0200
commit: f35d106059accbddaa602b6525f9542746b2c2b7 (patch)
tree: 4fd9212c6d57e430076dba99936b1503f18a8919 /src
parent: 4ad0bff21da0163917e1552960e6a43679586b89 (diff)
4 files changed, 25 insertions, 2 deletions
diff --git a/src/FileStream.cpp b/src/FileStream.cpp
index c73223c..84f36c0 100644
--- a/src/FileStream.cpp
+++ b/src/FileStream.cpp
@@ -652,6 +652,19 @@ static bool BaseHttp_Open(TFileStream * pStream, const TCHAR * szFileName, DWORD
                     DWORD dwFileSize = 0;
                     DWORD dwDataSize;
                     DWORD dwIndex = 0;
+                    TCHAR StatusCode[0x08];
+
+                    // Check if the file succeeded to open
+                    dwDataSize = sizeof(StatusCode);
+                    if(HttpQueryInfo(hRequest, HTTP_QUERY_STATUS_CODE, StatusCode, &dwDataSize, &dwIndex))
+                    {
+                        if(_tcscmp(StatusCode, _T("200")))
+                        {
+                            InternetCloseHandle(hRequest);
+                            SetLastError(ERROR_FILE_NOT_FOUND);
+                            return false;
+                        }
+                    }
 
                     // Check if the MPQ has Last Modified field
                     dwDataSize = sizeof(ULONGLONG);
diff --git a/src/SBaseFileTable.cpp b/src/SBaseFileTable.cpp
index 1cb469e..700df48 100644
--- a/src/SBaseFileTable.cpp
+++ b/src/SBaseFileTable.cpp
@@ -406,6 +406,14 @@ int ConvertMpqHeaderToFormat4(
                 pHeader->ArchiveSize64 = DetermineArchiveSize_V1(ha, pHeader, MpqOffset, FileSize);
                 pHeader->dwArchiveSize = (DWORD)pHeader->ArchiveSize64;
             }
+
+            // EWIX_v8_7.w3x: TMPQHeader::dwBlockTableSize = 0x00319601
+            // Size of TFileTable goes to ~200MB, so we artificially cut it
+            if(BlockTablePos64 + (pHeader->dwBlockTableSize * sizeof(TMPQBlock)) > FileSize)
+            {
+                pHeader->dwBlockTableSize = (DWORD)((FileSize - BlockTablePos64) / sizeof(TMPQBlock));
+                pHeader->BlockTableSize64 = pHeader->dwBlockTableSize * sizeof(TMPQBlock);
+            }
             break;
 
         case MPQ_FORMAT_VERSION_2:
diff --git a/src/SFileOpenArchive.cpp b/src/SFileOpenArchive.cpp
index a896eaf..15dffe4 100644
--- a/src/SFileOpenArchive.cpp
+++ b/src/SFileOpenArchive.cpp
@@ -118,7 +118,6 @@ static int VerifyMpqTablePositions(TMPQArchive * ha, ULONGLONG FileSize)
     return ERROR_SUCCESS;
 }
 
-
 /*****************************************************************************/
 /* Public functions                                                          */
 /*****************************************************************************/
diff --git a/src/SFileOpenFileEx.cpp b/src/SFileOpenFileEx.cpp
index a25cc72..a139585 100644
--- a/src/SFileOpenFileEx.cpp
+++ b/src/SFileOpenFileEx.cpp
@@ -308,7 +308,10 @@ bool WINAPI SFileOpenFileEx(HANDLE hMpq, const char * szFileName, DWORD dwSearch
                 }
             }
 
-            nError = ERROR_FILE_NOT_FOUND;
+            if(pFileEntry == NULL)
+            {
+                nError = ERROR_FILE_NOT_FOUND;
+            }
         }
 
         // Ignore unknown loading flags (example: MPQ_2016_v1_WME4_4.w3x)
author	Zezula Ladislav <ladislav.zezula@avast.com>	2018-10-15 11:23:52 +0200
committer	Zezula Ladislav <ladislav.zezula@avast.com>	2018-10-15 11:23:52 +0200
commit	f35d106059accbddaa602b6525f9542746b2c2b7 (patch)
tree	4fd9212c6d57e430076dba99936b1503f18a8919 /src
parent	4ad0bff21da0163917e1552960e6a43679586b89 (diff)