https://bugs.winehq.org/show_bug.cgi?id=38949
--- Comment #6 from Sebastian Lackner <sebastian@fds-team.de> ---
(In reply to Anastasius Focht from comment #4)
> I think that should be taken care of by the PE compressor code itself. Whoever messes with the load config directory has to emit/keep relocation entries for:
> - LockPrefixTable (VA)
> - EditList (VA)
> - SecurityCookie (VA)
> - SEHandlerTable (VA)
When the PE compressor code does the relocation, then yes. But Wine also contains relocation code, that's what I was concerned about.
(In reply to André H. from comment #5)
> Created attachment 51899 [details]
> ntdll: Don't touch SecurityCookie when the pointer is outside of the image
> What about this patch?
You are truncating the pointer on 64-bit; you'll have to use something like DWORD_PTR or ULONG_PTR (or alternatively do the test with pointer types). Besides that, I think it would be better to check:
(ULONG_PTR)ptr <= loadcfg->SecurityCookie && loadcfg->SecurityCookie <= (ULONG_PTR)ptr + total_size - sizeof(ULONG_PTR)
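Added example (not Wine's code and not the attached patch) showing the pointer-width range check discussed above next to the truncating variant it replaces; image_base, total_size and cookie_va are assumed stand-ins for the patch's variables.

```c
/* Added example, not Wine's code: checking that the load-config SecurityCookie
 * slot lies inside the mapped image before relocation code writes to it.
 * image_base / total_size / cookie_va are assumed names, not the patch's. */
#include <stdint.h>
#include <stdio.h>
#include <stdbool.h>

typedef uintptr_t ULONG_PTR;   /* pointer-sized, as on Windows/Wine */
typedef uint32_t  DWORD;       /* always 32 bits, even on 64-bit builds */

/* Correct check: the whole cookie slot (sizeof(ULONG_PTR) bytes) must fit in
 * [image_base, image_base + total_size). Arithmetic stays in the pointer-sized
 * type, and the bound is written as a subtraction so that an image mapped near
 * the top of the address space cannot make image_base + total_size wrap. */
static bool cookie_inside_image(ULONG_PTR image_base, ULONG_PTR total_size,
                                ULONG_PTR cookie_va)
{
    if (total_size < sizeof(ULONG_PTR)) return false;
    return cookie_va >= image_base &&
           cookie_va - image_base <= total_size - sizeof(ULONG_PTR);
}

/* The defect pointed out in the comment: casting through DWORD keeps only the
 * low 32 bits of a 64-bit VA, so an address far outside the image can pass. */
static bool cookie_inside_image_truncated(ULONG_PTR image_base, ULONG_PTR total_size,
                                          ULONG_PTR cookie_va)
{
    DWORD base = (DWORD)image_base, size = (DWORD)total_size, va = (DWORD)cookie_va;
    return va >= base && va <= base + size - sizeof(ULONG_PTR);
}

int main(void)
{
    /* Constructed sample values: a 64 KiB image at 0x140000000 and a cookie VA
     * that is 4 GiB away but shares its low 32 bits with an in-image address. */
    ULONG_PTR base = (ULONG_PTR)0x140000000ULL, size = 0x10000;
    ULONG_PTR outside = (ULONG_PTR)0x240001000ULL;
    printf("inside image (pointer-width check): %d\n",
           cookie_inside_image(base, size, (ULONG_PTR)0x140001000ULL));
    printf("far outside, pointer-width check:   %d\n",
           cookie_inside_image(base, size, outside));
    printf("far outside, truncated check:       %d\n",
           cookie_inside_image_truncated(base, size, outside));
    return 0;
}
```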