From c9620d7824e58bdc79a0fde09003ec047b1af3f6 Mon Sep 17 00:00:00 2001
From: Ladislav Zezula
Date: Tue, 22 Apr 2025 22:40:25 +0200
Subject: Fixed more bugs from POCs
---
 src/SBaseCommon.cpp | 7 +++++--
 src/SBaseFileTable.cpp | 4 ++--
 src/SFileReadFile.cpp | 2 +-
 3 files changed, 8 insertions(+), 5 deletions(-)
(limited to 'src')
diff --git a/src/SBaseCommon.cpp b/src/SBaseCommon.cpp
index 3284bb7..0d9598a 100644
--- a/src/SBaseCommon.cpp
+++ b/src/SBaseCommon.cpp
@@ -1365,14 +1365,17 @@ DWORD AllocateSectorOffsets(TMPQFile * hf, bool bLoadFromFile)
 if((hf->SectorOffsets[0] & 0xFFFFFFFC) > dwSectorOffsLen) { // MPQ protectors put some ridiculous values there. We must limit the extra bytes
- if(hf->SectorOffsets[0] > (dwSectorOffsLen + 0x400)) {
+ if(hf->SectorOffsets[0] > (dwSectorOffsLen + 0x400))
+ {
 STORM_FREE(hf->SectorOffsets); hf->SectorOffsets = NULL; return ERROR_FILE_CORRUPT; }
+ // The new length of the sector offset must be aligned to DWORD
+ dwSectorOffsLen = (hf->SectorOffsets[0] & 0xFFFFFFFC);
+ // Free the old sector offset table
- dwSectorOffsLen = hf->SectorOffsets[0];
 STORM_FREE(hf->SectorOffsets); goto __LoadSectorOffsets; }
diff --git a/src/SBaseFileTable.cpp b/src/SBaseFileTable.cpp
index 0461be2..d2d5bc3 100644
--- a/src/SBaseFileTable.cpp
+++ b/src/SBaseFileTable.cpp
@@ -651,7 +651,7 @@ DWORD ConvertMpqHeaderToFormat4(
 // Size of the block table
 if(BlockTablePos64) {
- if(BlockTablePos64 > FileSize)
+ if(BlockTablePos64 > FileSize || BlockTablePos64 >= MaxOffset)
 return ERROR_FILE_CORRUPT; pHeader->BlockTableSize64 = MaxOffset - BlockTablePos64; MaxOffset = BlockTablePos64;
@@ -660,7 +660,7 @@ DWORD ConvertMpqHeaderToFormat4(
 // Size of the hash table
 if(HashTablePos64) {
- if(HashTablePos64 > FileSize)
+ if(HashTablePos64 > FileSize || HashTablePos64 >= MaxOffset)
 return ERROR_FILE_CORRUPT; pHeader->HashTableSize64 = MaxOffset - HashTablePos64; MaxOffset = HashTablePos64;
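Review bot: The loop-termination argument behind the new `dwSectorOffsLen = (hf->SectorOffsets[0] & 0xFFFFFFFC)` is not written down: the outer test masks with the same 0xFFFFFFFC, so once the table is re-read after `goto __LoadSectorOffsets` the first entry (assuming it decodes to the same value on the reload) satisfies `(SectorOffsets[0] & 0xFFFFFFFC) == dwSectorOffsLen` and this branch is not entered again, whereas the removed unmasked assignment produced a length up to 3 bytes past a DWORD boundary. I would extend the added comment to `// Aligned down to a DWORD boundary; after the reload the outer test compares equal and this branch is not re-entered`. One thing to confirm: `dwSectorOffsLen + 0x400` is evaluated in DWORD arithmetic, so the slack check only holds if dwSectorOffsLen is already bounded well below 0xFFFFFC00 when it gets here, and its derivation is outside the hunk. AllocateSectorOffsets starts before this hunk and the `__LoadSectorOffsets` label it jumps to is outside it as well.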
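Review bot: `BlockTablePos64 >= MaxOffset` stops the unsigned wrap in `MaxOffset - BlockTablePos64`, but the value stored in `BlockTableSize64` is still only the distance to the next table or the end of the file, not the size implied by the header's entry count, so whatever reads the block table later has to clamp the entry count to this size; that reader is not in the hunk. I would say so at the assignment: `// Room up to the next table; the reader must still bound the entry count by this`. With MaxOffset presumably never above FileSize the `> FileSize` clause is now redundant, which is harmless but worth a word so nobody later drops the wrong half of the condition. ConvertMpqHeaderToFormat4 begins before and continues after this hunk.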
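Review bot: Because MaxOffset was just lowered to BlockTablePos64 by the preceding hunk, `HashTablePos64 >= MaxOffset` also rejects an archive whose hash table is stored after its block table, a layout the old `> FileSize` check let through (with a wrapped size). If that ordering is meant to be a hard requirement the comment should say so, e.g. `// The hash table must precede the block table; a position at or past it is treated as corrupt`; if such archives are meant to stay readable, the size in that case should be measured against FileSize rather than MaxOffset. The function continues outside this hunk, so I cannot see whether the other table positions are constrained the same way.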
diff --git a/src/SFileReadFile.cpp b/src/SFileReadFile.cpp
index 1e990aa..f2c17ba 100644
--- a/src/SFileReadFile.cpp
+++ b/src/SFileReadFile.cpp
@@ -310,7 +310,7 @@ static DWORD ReadMpqFileSingleUnit(TMPQFile * hf, void * pvBuffer, DWORD dwFileP
 // deDE\DBFilesClient\MountCapability.dbc 0x93->0x77 0x77 0x77 No //
- if(pFileEntry->dwFlags & MPQ_FILE_PATCH_FILE)
+ if(pFileEntry->dwFlags & MPQ_FILE_PATCH_FILE && cbInBuffer > sizeof(TPatchInfo))
 cbInBuffer = cbInBuffer - sizeof(TPatchInfo); // Is the file compressed by Blizzard's multiple compression ?
-- cgit v1.2.3
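Review bot: The new condition mixes `&` and `&&` without parentheses; it parses as intended because `&` binds tighter, but it reads as a precedence trap and most compilers warn on it, so write `if((pFileEntry->dwFlags & MPQ_FILE_PATCH_FILE) && cbInBuffer > sizeof(TPatchInfo))`. The guard also changes the failure mode: a patch-flagged single-unit file whose buffer is not larger than `TPatchInfo` no longer underflows `cbInBuffer`, but it is now handed to the compression check that follows as if the patch header were file data instead of being rejected; unless a later check catches it, `return ERROR_FILE_CORRUPT;` for that case would be the stricter choice, and either way a comment such as `// A patch-flagged unit shorter than its TPatchInfo header is malformed` would record the intent. ReadMpqFileSingleUnit starts before this hunk and the code that consumes cbInBuffer follows it.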