Nikolay Sivov (@nsivov) commented about dlls/rometadata/assembly.c:
+ default:
+ return E_INVALIDARG;
+ }
+
+ if (!pe_rva_to_offset(sections, num_sections, rva, &offset)) return E_INVALIDARG;
+
+ cor_hdr = (IMAGE_COR20_HEADER *)(assembly->data + offset);
+ if (cor_hdr->cb != sizeof(IMAGE_COR20_HEADER)) return E_INVALIDARG;
+ if (!(pe_rva_to_offset(sections, num_sections, cor_hdr->MetaData.VirtualAddress, &offset))) return E_INVALIDARG;
+
+ md_start = assembly->data + offset;
+ md_hdr = (struct metadata_hdr *)md_start;
+ if (md_hdr->signature != METADATA_MAGIC) return E_INVALIDARG;
+
+ num_streams = *(UINT8 *)(md_start + offsetof(struct metadata_hdr, version[md_hdr->length]) + sizeof(UINT16)); /* Flags */
+ streams_cur = md_start + offsetof(struct metadata_hdr, version[md_hdr->length]) + sizeof(UINT16) * 2; /* Flags + Streams */
I haven't looked at the whole thing, but this section looks as if we were going to assume that file contents are always sensible. And if that's what this is doing, I think it's wrong and reader should always validate offsets and sizes.
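Review bot: The last two added lines each recompute `offsetof(struct metadata_hdr, version[md_hdr->length])` to locate the fields that follow the version string, so the two readers can silently drift apart; compute the distance once, `size_t hdr_len = offsetof(struct metadata_hdr, version[md_hdr->length]);`, then `num_streams = *(UINT8 *)(md_start + hdr_len + sizeof(UINT16)); /* Flags */` and `streams_cur = md_start + hdr_len + sizeof(UINT16) * 2; /* Flags + Streams */`. An `offsetof` designator with a runtime array index is accepted by the GCC/Clang `__builtin_offsetof` extension but is not an address constant in ISO C; if `version` is a byte array, `offsetof(struct metadata_hdr, version) + md_hdr->length` expresses the same distance portably. The second `pe_rva_to_offset` call is wrapped in an extra pair of parentheses, `if (!(pe_rva_to_offset(...)))`, unlike the first call a few lines above; drop it for consistency. The enclosing function begins before this hunk, so the declarations of `sections`, `offset`, `md_start` and `streams_cur` are not visible here.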
-- https://gitlab.winehq.org/wine/wine/-/merge_requests/9147#note_118166