From 7d65d87773e3e7e587ba98a325e85d9cef621943 Mon Sep 17 00:00:00 2001
From: Ladislav Zezula
Date: Thu, 28 Jan 2016 08:56:48 +0100
Subject: + Anti-integer overflow in calculating buffer for hash table, and position of the block table entry

---
 src/SFileOpenArchive.cpp | 7 +++++++
 1 file changed, 7 insertions(+)

(limited to 'src/SFileOpenArchive.cpp')

diff --git a/src/SFileOpenArchive.cpp b/src/SFileOpenArchive.cpp
index f9469fb..6a249f2 100644
--- a/src/SFileOpenArchive.cpp
+++ b/src/SFileOpenArchive.cpp
@@ -365,6 +365,13 @@ bool WINAPI SFileOpenArchive(
 ha->pUserData = NULL;
 }
 
+ // Anti-overflow. If the hash table size in the header is
+ // higher than 0x10000000, it would overflow in 32-bit version
+ // Observed in the malformed Warcraft III maps
+ // Example map: MPQ_2016_v1_ProtectedMap_TableSizeOverflow.w3x
+ ha->pHeader->dwHashTableSize &= 0x0FFFFFFF;
+ ha->pHeader->dwBlockTableSize &= 0x0FFFFFFF;
+
 // Both MPQ_OPEN_NO_LISTFILE or MPQ_OPEN_NO_ATTRIBUTES trigger read only mode
 if(dwFlags & (MPQ_OPEN_NO_LISTFILE | MPQ_OPEN_NO_ATTRIBUTES))
 ha->dwFlags |= MPQ_FLAG_READ_ONLY;
-- 
cgit v1.2.3
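Review bot: Masking `dwHashTableSize` and `dwBlockTableSize` with 0x0FFFFFFF silently rewrites the header instead of rejecting it, so an archive the commit's own comment calls malformed is opened as if it had declared a smaller table, and nothing downstream learns the header was bad. Failing the open is the safer shape, e.g. `if(ha->pHeader->dwHashTableSize > 0x0FFFFFFF || ha->pHeader->dwBlockTableSize > 0x0FFFFFFF) nError = ERROR_FILE_CORRUPT;`, assuming the function's usual `nError` status variable is in scope (SFileOpenArchive's body starts and ends outside the hunk). The mask also bounds only the 32-bit multiplication, not the allocation: 0x0FFFFFFF entries at a 16-byte entry size (if that is the table entry size here) is still close to 4 GiB, so comparing the computed table size against the archive's file size would catch these maps more robustly. The constant is duplicated on two lines with its rationale living only in the comment; a named constant such as `#define MPQ_TABLE_SIZE_MASK 0x0FFFFFFF` declared next to the header structures would keep the reasoning discoverable.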