28 lines
1.2 KiB
Diff
28 lines
1.2 KiB
Diff
From dfc00cd3301a42b571454b51a6102eecf58407bc Mon Sep 17 00:00:00 2001
|
|
From: Steven Morgan <stevmorg@cisco.com>
|
|
Date: Fri, 3 Mar 2017 13:56:28 -0500
|
|
Subject: [PATCH] bb19798 - fix out of bound memory access for crafted wwunpack
|
|
file.
|
|
|
|
---
|
|
libclamav/wwunpack.c | 6 ++++++
|
|
1 file changed, 6 insertions(+)
|
|
|
|
diff --git a/libclamav/wwunpack.c b/libclamav/wwunpack.c
|
|
index 8611cb604..38c18081c 100644
|
|
--- a/libclamav/wwunpack.c
|
|
+++ b/libclamav/wwunpack.c
|
|
@@ -226,6 +226,12 @@ int wwunpack(uint8_t *exe, uint32_t exesz, uint8_t *wwsect, struct cli_exe_secti
|
|
return CL_EFORMAT;
|
|
exe[pe+6]=(uint8_t)scount;
|
|
exe[pe+7]=(uint8_t)(scount>>8);
|
|
+ if (!CLI_ISCONTAINED(wwsect, sects[scount].rsz, wwsect+0x295, 4) ||
|
|
+ !CLI_ISCONTAINED(wwsect, sects[scount].rsz, wwsect+0x295+sects[scount].rva, 4) ||
|
|
+ !CLI_ISCONTAINED(wwsect, sects[scount].rsz, wwsect+0x295+sects[scount].rva+0x299, 4)) {
|
|
+ cli_dbgmsg("WWPack: unpack memory address out of bounds.\n");
|
|
+ return CL_EFORMAT;
|
|
+ }
|
|
cli_writeint32(&exe[pe+0x28], cli_readint32(wwsect+0x295)+sects[scount].rva+0x299);
|
|
cli_writeint32(&exe[pe+0x50], cli_readint32(&exe[pe+0x50])-sects[scount].vsz);
|
|
|