[PATCH] kernelbase: Stay in bounds when looking for resource entries. - wine-devel

29 Oct 2020

Wine-Bug: https://bugs.winehq.org/show_bug.cgi?id=50075
Signed-off-by: Arkadiusz Hiler ahiler@codeweavers.com
---
 dlls/kernelbase/version.c | 15 +++++++++------
 1 file changed, 9 insertions(+), 6 deletions(-)

diff --git a/dlls/kernelbase/version.c b/dlls/kernelbase/version.c
index 58c49aa148b..cb6c57d7617 100644
--- a/dlls/kernelbase/version.c
+++ b/dlls/kernelbase/version.c
@@ -240,7 +240,8 @@ done:
  * Copied from loader/pe_resource.c
  */
 static const IMAGE_RESOURCE_DIRECTORY *find_entry_by_id( const IMAGE_RESOURCE_DIRECTORY *dir,
-                                                         WORD id, const void *root )
+                                                         WORD id, const void *root,
+                                                         const void *end )
 {
     const IMAGE_RESOURCE_DIRECTORY_ENTRY *entry;
     int min, max, pos;
@@ -251,6 +252,7 @@ static const IMAGE_RESOURCE_DIRECTORY *find_entry_by_id( const IMAGE_RESOURCE_DI
     while (min <= max)
     {
         pos = (min + max) / 2;
+        if ((void*)&entry[pos] >= end || &entry[pos] < entry) return NULL;
         if (entry[pos].u.Id == id)
             return (const IMAGE_RESOURCE_DIRECTORY *)((const char *)root + entry[pos].u2.s2.OffsetToDirectory);
         if (entry[pos].u.Id > id) max = pos - 1;
@@ -294,7 +296,8 @@ static inline int push_language( WORD *list, int pos, WORD lang )
  *  find_entry_language
  */
 static const IMAGE_RESOURCE_DIRECTORY *find_entry_language( const IMAGE_RESOURCE_DIRECTORY *dir,
-                                                            const void *root, DWORD flags )
+                                                            const void *root, const void *end,
+                                                            DWORD flags )
 {
     const IMAGE_RESOURCE_DIRECTORY *ret;
     WORD list[9];
@@ -319,7 +322,7 @@ static const IMAGE_RESOURCE_DIRECTORY *find_entry_language( const IMAGE_RESOURCE
         pos = push_language( list, pos, MAKELANGID( LANG_ENGLISH, SUBLANG_DEFAULT ) );
     }
-    for (i = 0; i < pos; i++) if ((ret = find_entry_by_id( dir, list[i], root ))) return ret;
+    for (i = 0; i < pos; i++) if ((ret = find_entry_by_id( dir, list[i], root, end ))) return ret;
     return find_entry_default( dir, root );
 }
@@ -488,19 +491,19 @@ static BOOL find_pe_resource( HANDLE handle, DWORD *resLen, DWORD *resOff, DWORD
     resDir = resSection + (resDataDir->VirtualAddress - sections[i].VirtualAddress);
resPtr = resDir;
-    resPtr = find_entry_by_id( resPtr, VS_FILE_INFO, resDir );
+    resPtr = find_entry_by_id( resPtr, VS_FILE_INFO, resDir, resSection + section_size );
     if ( !resPtr )
     {
         TRACE("No typeid entry found\n" );
         goto done;
     }
-    resPtr = find_entry_by_id( resPtr, VS_VERSION_INFO, resDir );
+    resPtr = find_entry_by_id( resPtr, VS_VERSION_INFO, resDir, resSection + section_size );
     if ( !resPtr )
     {
         TRACE("No resid entry found\n" );
         goto done;
     }
-    resPtr = find_entry_language( resPtr, resDir, flags );
+    resPtr = find_entry_language( resPtr, resDir, resSection + section_size, flags );
     if ( !resPtr )
     {
         TRACE("No default language entry found\n" );
-- 
2.29.1



    