From c0d7708350d0e38ee71802f14dd34a1dd9732b31 Mon Sep 17 00:00:00 2001
From: Ladislav Zezula
Date: Sun, 21 Apr 2024 16:41:40 +0200
Subject: Fixed too-big-alloc in https://github.com/ladislav-zezula/StormLib/issues/329

---
 src/SBaseFileTable.cpp | 10 ++++++++++
 test/StormTest.cpp     |  8 ++++++--
 2 files changed, 16 insertions(+), 2 deletions(-)

diff --git a/src/SBaseFileTable.cpp b/src/SBaseFileTable.cpp
index 274129d..84cfe45 100644
--- a/src/SBaseFileTable.cpp
+++ b/src/SBaseFileTable.cpp
@@ -635,6 +635,8 @@ DWORD ConvertMpqHeaderToFormat4(
     // Size of the hi-block table
     if(pHeader->HiBlockTablePos64)
     {
+        if(pHeader->HiBlockTablePos64 > FileSize)
+            return ERROR_FILE_CORRUPT;
         pHeader->HiBlockTableSize64 = MaxOffset - pHeader->HiBlockTablePos64;
         MaxOffset = pHeader->HiBlockTablePos64;
     }
@@ -642,6 +644,8 @@ DWORD ConvertMpqHeaderToFormat4(
     // Size of the block table
     if(BlockTablePos64)
     {
+        if(BlockTablePos64 > FileSize)
+            return ERROR_FILE_CORRUPT;
         pHeader->BlockTableSize64 = MaxOffset - BlockTablePos64;
         MaxOffset = BlockTablePos64;
     }
@@ -649,6 +653,8 @@ DWORD ConvertMpqHeaderToFormat4(
     // Size of the hash table
     if(HashTablePos64)
     {
+        if(HashTablePos64 > FileSize)
+            return ERROR_FILE_CORRUPT;
         pHeader->HashTableSize64 = MaxOffset - HashTablePos64;
         MaxOffset = HashTablePos64;
     }
@@ -656,6 +662,8 @@ DWORD ConvertMpqHeaderToFormat4(
     // Size of the BET table
     if(pHeader->BetTablePos64)
     {
+        if(pHeader->BetTablePos64 > FileSize)
+            return ERROR_FILE_CORRUPT;
         pHeader->BetTableSize64 = MaxOffset - pHeader->BetTablePos64;
         MaxOffset = pHeader->BetTablePos64;
     }
@@ -663,6 +671,8 @@ DWORD ConvertMpqHeaderToFormat4(
     // Size of the HET table
     if(pHeader->HetTablePos64)
     {
+        if(pHeader->HetTablePos64 > FileSize)
+            return ERROR_FILE_CORRUPT;
         pHeader->HetTableSize64 = MaxOffset - pHeader->HetTablePos64;
         // MaxOffset = pHeader->HetTablePos64;
     }
diff --git a/test/StormTest.cpp b/test/StormTest.cpp
index 718c910..00c5e13 100755
--- a/test/StormTest.cpp
+++ b/test/StormTest.cpp
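Review bot: The new guard only rejects a table position past the end of the file; a position that is within FileSize but larger than the running MaxOffset still makes `MaxOffset - pHeader->HiBlockTablePos64` wrap to a huge unsigned size (or go negative, depending on the type), which is the same over-allocation class this commit is fixing. The same gap exists in the block-table, hash-table, BET and HET hunks below. A tighter check is `if(pHeader->HiBlockTablePos64 > FileSize || pHeader->HiBlockTablePos64 > MaxOffset) return ERROR_FILE_CORRUPT;`, and if out-of-order tables are legitimate for some archive versions (the commented-out `// MaxOffset = pHeader->HetTablePos64;` in the HET hunk suggests the ordering is not strict), the size should be clamped or taken from the header field rather than derived by subtraction. These positions also look header-relative while FileSize is presumably the whole file's size, so if an archive can start at a non-zero offset the comparison should be against the bytes remaining after the archive base rather than FileSize itself. ConvertMpqHeaderToFormat4 begins and ends outside these hunks.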
@@ -4002,6 +4002,11 @@ static const TEST_INFO1 TestList_MasterMirror[] =
 
 static const TEST_INFO1 Test_OpenMpqs[] =
 {
+    // PoC's by Gabe Sherman from FuturesLab
+    {_T("pocs/MPQ_2024_01_HeapOverrun.mpq"), NULL, "7008f95dcbc4e5d840830c176dec6969", 14},
+    {_T("pocs/MPQ_2024_02_StackOverflow.mpq"), NULL, "7093fcbcc9674b3e152e74e8e8a937bb", 4},
+    {_T("pocs/MPQ_2024_03_TooBigAlloc.mpq"), NULL, "--------------------------------", TFLG_WILL_FAIL},
+
     // Correct or damaged archives
     {_T("MPQ_1997_v1_Diablo1_DIABDAT.MPQ"), NULL, "554b538541e42170ed41cb236483489e", 2910, &TwoFilesD1}, // Base MPQ from Diablo 1
     {_T("MPQ_1997_v1_patch_rt_SC1B.mpq"), NULL, "43fe7d362955be68a708486e399576a7", 10}, // From Starcraft 1 BETA
@@ -4182,12 +4187,11 @@ static const LPCSTR Test_CreateMpq_Localized[] =
 //-----------------------------------------------------------------------------
 // Main
 
-#define TEST_COMMAND_LINE
+//#define TEST_COMMAND_LINE
 //#define TEST_LOCAL_LISTFILE
 //#define TEST_STREAM_OPERATIONS
 //#define TEST_MASTER_MIRROR
 #define TEST_OPEN_MPQ
-#define TEST_OPEN_MPQ
 #define TEST_REOPEN_MPQ
 #define TEST_VERIFY_SIGNATURE
 #define TEST_REPLACE_FILE
-- 
cgit v1.2.3
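Review bot: The PoC block added at the top of Test_OpenMpqs does not record which fix each sample exercises, so the regression is hard to trace back once the commit is out of sight; since the subject ties the too-big-alloc fix to issue #329, the header comment could read `// PoC's by Gabe Sherman from FuturesLab (MPQ_2024_03 reproduces issue #329)`. The third entry pairs an all-dash MD5 with TFLG_WILL_FAIL, which presumably means "no hash expected because the open must fail"; if that is this table's convention, a trailing `// must be rejected as corrupt` on that line would make the intent explicit for the next reader. The Test_OpenMpqs array continues past the hunk.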