Module: wine Branch: master Commit: 6e66c12c68c6b35ec6ff037e032979fb1dacbe26 URL: http://source.winehq.org/git/wine.git/?a=commit;h=6e66c12c68c6b35ec6ff037e03...
Author: Sebastian Lackner sebastian@fds-team.de Date: Thu Jul 30 07:14:23 2015 +0200
ntdll: Validate SecurityCookie pointer before accessing cookie value.
---
dlls/ntdll/virtual.c | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-)
diff --git a/dlls/ntdll/virtual.c b/dlls/ntdll/virtual.c index 479ca79..2fd8198 100644 --- a/dlls/ntdll/virtual.c +++ b/dlls/ntdll/virtual.c @@ -1320,9 +1320,11 @@ static NTSTATUS map_image( HANDLE hmapping, int fd, char *base, SIZE_T total_siz
loadcfg = RtlImageDirectoryEntryToData( (HMODULE)ptr, TRUE, IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG, &loadcfg_size ); - if (loadcfg && - loadcfg_size >= offsetof(IMAGE_LOAD_CONFIG_DIRECTORY, SecurityCookie) + sizeof(loadcfg->SecurityCookie)) + if (loadcfg && loadcfg_size >= offsetof(IMAGE_LOAD_CONFIG_DIRECTORY, SecurityCookie) + sizeof(loadcfg->SecurityCookie) && + (ULONG_PTR)ptr <= loadcfg->SecurityCookie && loadcfg->SecurityCookie <= (ULONG_PTR)ptr + total_size - sizeof(ULONG_PTR)) + { set_security_cookie((ULONG_PTR *)loadcfg->SecurityCookie); + }
/* set the image protections */