From 49b619bae28ba5fcb63c192ef14a9b624e2a7286 Mon Sep 17 00:00:00 2001
From: Ladislav Zezula
Date: Mon, 15 Sep 2025 15:09:30 +0200
Subject: Fixed https://github.com/ladislav-zezula/StormLib/issues/397 and https://github.com/ladislav-zezula/StormLib/issues/398

---
 src/SBaseCommon.cpp | 5 +++++
 src/SBaseFileTable.cpp | 5 +++--
 src/StormLib.h | 1 +
 test/StormTest.cpp | 9 ++++++---
 test/stormlib-test-001.txt | 2 ++
 5 files changed, 17 insertions(+), 5 deletions(-)

diff --git a/src/SBaseCommon.cpp b/src/SBaseCommon.cpp
index 16caf4f..4d56502 100644
--- a/src/SBaseCommon.cpp
+++ b/src/SBaseCommon.cpp
@@ -1019,6 +1019,11 @@ void * LoadMpqTable(
 return NULL;
 }
 }
+ else
+ {
+ // pocs/MPQ_2025_06_BadHashTableSize.mpq
+ dwCompressedSize = dwTableSize;
+ }
 // Get the file offset from which we will read the table
 // Note: According to Storm.dll from Warcraft III (version 2002),
diff --git a/src/SBaseFileTable.cpp b/src/SBaseFileTable.cpp
index e854ac0..46daab5 100644
--- a/src/SBaseFileTable.cpp
+++ b/src/SBaseFileTable.cpp
@@ -2508,7 +2508,8 @@ TMPQHetTable * LoadHetTable(TMPQArchive * ha)
 TMPQHeader * pHeader = ha->pHeader;
 // If the HET table position is not 0, we expect the table to be present
- if(pHeader->HetTablePos64 && pHeader->HetTableSize64)
+ // Alsom the HET table must have a reasonable size
+ if(pHeader->HetTablePos64 && pHeader->HetTableSize64 && pHeader->HetTableSize64 < BET_TABLE_MAX_SIZE)
 {
 // Attempt to load the HET table (Hash Extended Table)
 pExtTable = LoadExtTable(ha, pHeader->HetTablePos64, (size_t)pHeader->HetTableSize64, HET_TABLE_SIGNATURE, MPQ_KEY_HASH_TABLE);
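Review bot: The new `else` branch in LoadMpqTable explains itself only with a PoC file name, which tells the next reader nothing about the invariant it restores; the why belongs in the comment and the PoC name in the test list. Presumably the preceding `if` handles the compressed case (`dwCompressedSize < dwTableSize`) and the byte count of the later read is taken from dwCompressedSize, so a header-supplied value larger than dwTableSize previously drove a read past the dwTableSize-sized buffer — I would state that: `// Not compressed: read exactly dwTableSize bytes. A header-supplied dwCompressedSize larger than the table must never become the read length (issue #397, pocs/MPQ_2025_06_BadHashTableSize.mpq).` LoadMpqTable begins and ends outside this hunk, so whether anything after this point still consumes the caller's original dwCompressedSize should be checked before relying on the assignment alone.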
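Review bot: The new comment on the HET condition has a typo (`Alsom`) and, more importantly, neither it nor the code says what happens to an oversized table: the `if` simply falls through, so a HET table whose header size is at or above BET_TABLE_MAX_SIZE is treated as absent with no error recorded, which presumably sends lookups down the classic hash-table path for an archive that claims to carry a HET table. If that silent downgrade is intended, say so: `// Also, the HET table must have a reasonable size; an oversized one is ignored rather than loaded (issue #398)`; if not, the oversized case should set an error so the caller can tell a bad size from a missing table. The macro also reads oddly here because it is named for the BET table while bounding the HET table. LoadHetTable's body continues past this hunk.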
@@ -2530,7 +2531,7 @@ TMPQBetTable * LoadBetTable(TMPQArchive * ha)
 TMPQHeader * pHeader = ha->pHeader;
 // If the BET table position is not 0, we expect the table to be present
- if(pHeader->BetTablePos64 && pHeader->BetTableSize64)
+ if(pHeader->BetTablePos64 && pHeader->BetTableSize64 && pHeader->BetTableSize64 < BET_TABLE_MAX_SIZE)
 {
 // Attempt to load the HET table (Hash Extended Table)
 pExtTable = LoadExtTable(ha, pHeader->BetTablePos64, (size_t)pHeader->BetTableSize64, BET_TABLE_SIGNATURE, MPQ_KEY_BLOCK_TABLE);
diff --git a/src/StormLib.h b/src/StormLib.h
index e1db062..1f3dee7 100644
--- a/src/StormLib.h
+++ b/src/StormLib.h
@@ -292,6 +292,7 @@ extern "C" {
 // Signatures for HET and BET table
 #define HET_TABLE_SIGNATURE 0x1A544548 // 'HET\x1a'
 #define BET_TABLE_SIGNATURE 0x1A544542 // 'BET\x1a'
+#define BET_TABLE_MAX_SIZE 0x00100000 // Maximum acceptable size of HET&BET tables
 // Decryption keys for MPQ tables
 #define MPQ_KEY_HASH_TABLE 0xC3AF3770 // Obtained by HashString("(hash table)", MPQ_HASH_FILE_KEY)
diff --git a/test/StormTest.cpp b/test/StormTest.cpp
index 4e06e1a..eb57ebf 100755
--- a/test/StormTest.cpp
+++ b/test/StormTest.cpp
@@ -3960,8 +3960,8 @@ static void Test_PlayingSpace()
 LPBYTE pbData;
 DWORD dwFileSize = 529298;
 DWORD dwBytesRead = 0;
-
- if(SFileOpenArchive(_T("c:\\War3.mpq"), 0, 0, &hMpq))
+/*
+ if(SFileOpenArchive(_T("e:\\2.mpq"), 0, 0, &hMpq))
 {
 if(SFileOpenFileEx(hMpq, "(listfile)", 0, &hFile))
 {
@@ -3974,6 +3974,7 @@ static void Test_PlayingSpace()
 }
 SFileCloseArchive(hMpq);
 }
+*/
 }
 //-----------------------------------------------------------------------------
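Review bot: The size guard added to LoadBetTable is the same expression as the one in LoadHetTable with the field names swapped, and both are upper-bound only; a BetTableSize64 smaller than the extended-table header is still cast to size_t and handed to LoadExtTable, so that function must be the one rejecting short tables (I cannot see it from here). A small shared helper would keep the two checks from drifting: `static bool IsExtTableSizeSane(ULONGLONG Size) { return Size != 0 && Size < BET_TABLE_MAX_SIZE; }` and then `if(pHeader->BetTablePos64 && IsExtTableSizeSane(pHeader->BetTableSize64))`. The pre-existing context comment inside the branch still says `Attempt to load the HET table` in the BET loader and is worth correcting while this line is touched. LoadBetTable continues beyond this hunk.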
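Review bot: BET_TABLE_MAX_SIZE is applied to both the HET and the BET table in this commit, so the name misleads and the comment leaves the unit and the exclusive bound implicit. Either name it for what it does or at least document it: `#define BET_TABLE_MAX_SIZE 0x00100000 // Upper bound in bytes (exclusive) for header-supplied HET and BET table sizes; checked before the table is read`. Since StormLib.h is the public header, the value becomes part of the API surface, so a note that it is a hardening limit rather than a format limit would help anyone tempted to raise it.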
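Review bot: Commenting out the body of Test_PlayingSpace with `/* ... */` leaves `pbData`, `dwFileSize` and `dwBytesRead`, declared in the visible context, unused, which will raise unused-variable warnings in every build, and it commits a developer-local path (`e:\\2.mpq`) that nobody else can run. Scratch code should not land in a security fix; either delete the body or wrap the whole function body in `#if 0` / `#endif` so the declarations disappear with it. Test_PlayingSpace starts before this hunk and its closing `*/` is in the following hunk.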
@@ -4237,7 +4238,7 @@ static const TEST_INFO1 TestList_MasterMirror[] =
 static const TEST_INFO1 Test_OpenMpqs[] =
 {
- // PoC's by Gabe Sherman, tinh0.
+ // PoC's by Gabe Sherman, tinh0, Zao Yang
 {_T("pocs/MPQ_2024_01_HeapOverrun.mpq"), NULL, "7008f95dcbc4e5d840830c176dec6969", 14},
 {_T("pocs/MPQ_2024_02_StackOverflow.mpq"), NULL, "7093fcbcc9674b3e152e74e8e8a937bb", 4},
 {_T("pocs/MPQ_2024_03_TooBigAlloc.mpq"), NULL, "--------------------------------", TFLG_WILL_FAIL},
@@ -4255,6 +4256,8 @@ static const TEST_INFO1 Test_OpenMpqs[] =
 {_T("pocs/MPQ_2025_03_InvalidPatchInfo.mpq"), NULL, "93b885adfe0da089cdf634904fd59f71", TFLG_WILL_FAIL},
 {_T("pocs/MPQ_2025_04_InvalidArchiveSize64.mpq"), NULL, "--------------------------------", TFLG_WILL_FAIL},
 {_T("pocs/MPQ_2025_05_AddFileError.mpq"), NULL, "ce9b8afed4221a53663d391f10691ba6", TFLG_WILL_FAIL},
+ {_T("pocs/MPQ_2025_06_BadHashTableSize.mpq"), NULL, "00000000000000000000000000000000", TFLG_WILL_FAIL},
+ {_T("pocs/MPQ_2025_07_BadHetTableSize.mpq"), NULL, "00000000000000000000000000000000", TFLG_WILL_FAIL},
 // Correct or damaged archives
 {_T("MPQ_1997_v1_Diablo1_DIABDAT.MPQ"), NULL, "554b538541e42170ed41cb236483489e", 2910, &TwoFilesD1}, // Base MPQ from Diablo 1
diff --git a/test/stormlib-test-001.txt b/test/stormlib-test-001.txt
index cf96931..0359d2f 100644
--- a/test/stormlib-test-001.txt
+++ b/test/stormlib-test-001.txt
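Review bot: The two new Test_OpenMpqs entries use `"00000000000000000000000000000000"` as the expected hash, while the visible TFLG_WILL_FAIL entries that carry no meaningful digest (TooBigAlloc, InvalidArchiveSize64) use `"--------------------------------"`; an all-zero string looks like a real MD5 and invites someone to treat it as one. Use the existing placeholder: `{_T("pocs/MPQ_2025_06_BadHashTableSize.mpq"), NULL, "--------------------------------", TFLG_WILL_FAIL},` and the same for MPQ_2025_07_BadHetTableSize.mpq. A short comment naming the issue each PoC exercises would also help, since the HET fix merely skips the oversized table and it is not obvious from the file name why opening is expected to fail.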
@@ -36,6 +36,8 @@ TestReadingMpq (pocs/MPQ_2025_02_SectorOffsetSizeNotAligned.mpq) succeeded.
 TestReadingMpq (pocs/MPQ_2025_03_InvalidPatchInfo.mpq) succeeded.
 TestReadingMpq (pocs/MPQ_2025_04_InvalidArchiveSize64.mpq) succeeded.
 TestReadingMpq (pocs/MPQ_2025_05_AddFileError.mpq) succeeded.
+TestReadingMpq (pocs/MPQ_2025_06_BadHashTableSize.mpq) succeeded.
+TestReadingMpq (pocs/MPQ_2025_07_BadHetTableSize.mpq) succeeded.
 TestReadingMpq (MPQ_1997_v1_Diablo1_DIABDAT.MPQ) succeeded.
 TestReadingMpq (MPQ_1997_v1_patch_rt_SC1B.mpq) succeeded.
 TestReadingMpq (MPQ_1997_v1_StarDat_SC1B.mpq) succeeded.
-- cgit v1.2.3