authorLadislav Zezula <zezula@volny.cz>2025-04-22 22:40:25 +0200
committerLadislav Zezula <zezula@volny.cz>2025-04-22 22:40:25 +0200
commitc9620d7824e58bdc79a0fde09003ec047b1af3f6 (patch)
treef2ed61dbaf5f0ce648e7c1b940c78731294b1494 /src
parent4f4e2154cd9bb788186e4985104b58c4a5ee3d72 (diff)
Fixed more bugs from POCs
Diffstat (limited to 'src')
-rw-r--r--src/SBaseCommon.cpp7
-rw-r--r--src/SBaseFileTable.cpp4
-rw-r--r--src/SFileReadFile.cpp2
3 files changed, 8 insertions, 5 deletions
diff --git a/src/SBaseCommon.cpp b/src/SBaseCommon.cpp
index 3284bb7..0d9598a 100644
--- a/src/SBaseCommon.cpp
+++ b/src/SBaseCommon.cpp
@@ -1365,14 +1365,17 @@ DWORD AllocateSectorOffsets(TMPQFile * hf, bool bLoadFromFile)
if((hf->SectorOffsets[0] & 0xFFFFFFFC) > dwSectorOffsLen)
{
// MPQ protectors put some ridiculous values there. We must limit the extra bytes
- if(hf->SectorOffsets[0] > (dwSectorOffsLen + 0x400)) {
+ if(hf->SectorOffsets[0] > (dwSectorOffsLen + 0x400))
+ {
STORM_FREE(hf->SectorOffsets);
hf->SectorOffsets = NULL;
return ERROR_FILE_CORRUPT;
}
+ // The new length of the sector offset must be aligned to DWORD
+ dwSectorOffsLen = (hf->SectorOffsets[0] & 0xFFFFFFFC);
+
// Free the old sector offset table
- dwSectorOffsLen = hf->SectorOffsets[0];
STORM_FREE(hf->SectorOffsets);
goto __LoadSectorOffsets;
}
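Review bot: The bound check on the `if(hf->SectorOffsets[0] > (dwSectorOffsLen + 0x400))` line compares the unmasked first offset, while the new length taken two lines below is the masked `hf->SectorOffsets[0] & 0xFFFFFFFC`; the two agree (the unmasked value is never smaller), but the relationship is easy to lose in a later edit, and the `0x400` slack is an unnamed constant inside a corruption check. I would compute the masked value once in a local above the outer `if`, e.g. `DWORD dwFirstOffset = hf->SectorOffsets[0] & 0xFFFFFFFC;`, and give the tolerance a named constant with a comment saying why 0x400 is the accepted excess. A short comment that the `goto __LoadSectorOffsets` re-read cannot loop, because the masked value no longer exceeds the new dwSectorOffsLen, would also help — assuming the table is re-read from the same data, which the hunk does not show. AllocateSectorOffsets starts and ends outside the hunk.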
diff --git a/src/SBaseFileTable.cpp b/src/SBaseFileTable.cpp
index 0461be2..d2d5bc3 100644
--- a/src/SBaseFileTable.cpp
+++ b/src/SBaseFileTable.cpp
@@ -651,7 +651,7 @@ DWORD ConvertMpqHeaderToFormat4(
// Size of the block table
if(BlockTablePos64)
{
- if(BlockTablePos64 > FileSize)
+ if(BlockTablePos64 > FileSize || BlockTablePos64 >= MaxOffset)
return ERROR_FILE_CORRUPT;
pHeader->BlockTableSize64 = MaxOffset - BlockTablePos64;
MaxOffset = BlockTablePos64;
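Review bot: The added `BlockTablePos64 >= MaxOffset` term protects the subtraction `MaxOffset - BlockTablePos64` on the next line from wrapping, but the hunk carries no comment saying so, and `>=` also rejects a table placed exactly at `MaxOffset` (a zero-length table) — presumably intended, but worth stating. I would add above the check `// The table must start below the end of the previous table, otherwise the size below wraps; a zero-sized table is treated as corrupt as well`. The hash-table hunk at @@ -660 has the same shape and would take the same comment. Any other table positions handled in ConvertMpqHeaderToFormat4 outside these hunks would need the same ordering check if their sizes are derived the same way; the function starts and ends outside the hunks.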
@@ -660,7 +660,7 @@ DWORD ConvertMpqHeaderToFormat4(
// Size of the hash table
if(HashTablePos64)
{
- if(HashTablePos64 > FileSize)
+ if(HashTablePos64 > FileSize || HashTablePos64 >= MaxOffset)
return ERROR_FILE_CORRUPT;
pHeader->HashTableSize64 = MaxOffset - HashTablePos64;
MaxOffset = HashTablePos64;
diff --git a/src/SFileReadFile.cpp b/src/SFileReadFile.cpp
index 1e990aa..f2c17ba 100644
--- a/src/SFileReadFile.cpp
+++ b/src/SFileReadFile.cpp
@@ -310,7 +310,7 @@ static DWORD ReadMpqFileSingleUnit(TMPQFile * hf, void * pvBuffer, DWORD dwFileP
// deDE\DBFilesClient\MountCapability.dbc 0x93->0x77 0x77 0x77 No
//
- if(pFileEntry->dwFlags & MPQ_FILE_PATCH_FILE)
+ if(pFileEntry->dwFlags & MPQ_FILE_PATCH_FILE && cbInBuffer > sizeof(TPatchInfo))
cbInBuffer = cbInBuffer - sizeof(TPatchInfo);
// Is the file compressed by Blizzard's multiple compression ?
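Review bot: The new `cbInBuffer > sizeof(TPatchInfo)` term avoids the unsigned underflow in `cbInBuffer = cbInBuffer - sizeof(TPatchInfo)`, but when the patch flag is set and the buffer is not larger than the patch header the code now silently continues with the whole buffer as compressed data instead of reporting the file as malformed; a patch file with no room for its own header is corrupt, and failing explicitly is safer than decompressing the header bytes. If ReadMpqFileSingleUnit reports errors by direct return (its DWORD return type suggests so, but the return path is outside the hunk), I would write `if(pFileEntry->dwFlags & MPQ_FILE_PATCH_FILE)` / `{ if(cbInBuffer <= sizeof(TPatchInfo)) return ERROR_FILE_CORRUPT; cbInBuffer -= sizeof(TPatchInfo); }` (`<` instead of `<=` if a zero-length payload is legitimate). Independently, the bitwise `&` combined with `&&` without parentheses relies on precedence; parenthesizing `(pFileEntry->dwFlags & MPQ_FILE_PATCH_FILE)` makes the intent explicit. The function starts and ends outside the hunk.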