On 21.07.2015 at 20:33, André Hentschel wrote:
- if (loadcfg && loadcfg_size >= sizeof(*loadcfg) &&
(ULONG_PTR)ptr > loadcfg->SecurityCookie &&loadcfg->SecurityCookie < (ULONG_PTR)ptr + total_size) set_security_cookie((ULONG_PTR *)loadcfg->SecurityCookie);
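Review bot: the lower-bound comparison in this hunk is inverted: `(ULONG_PTR)ptr > loadcfg->SecurityCookie` holds only when the cookie address lies below the image base, so together with `loadcfg->SecurityCookie < (ULONG_PTR)ptr + total_size` the condition reduces to "cookie below the image" and never accepts a cookie that actually sits inside the mapped range. The intended check is `(ULONG_PTR)ptr <= loadcfg->SecurityCookie && loadcfg->SecurityCookie + sizeof(ULONG_PTR) <= (ULONG_PTR)ptr + total_size`, which also closes the partial-overlap case because the upper bound accounts for the cookie's size before `set_security_cookie()` writes through the pointer. Minor style point: `&&loadcfg` is missing the space after the operator.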
Your check doesn't take the size of the security cookie into account. If the cookie were only partially inside the image area, the check would still succeed although not all of the memory is writable.
The check for the lower limit should use <= instead of >: (ULONG_PTR)ptr <= loadcfg->SecurityCookie
Is it possible to have an unmapped space between mapped sections? According to the NT section header it should be possible, but I am not sure if Wine fills this area.
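The range check discussed above, as an added example in C; this is not Wine's code and not the patch under review. The `ULONG_PTR` typedef, the function names and the byte buffer standing in for the mapped image are assumptions made for the example. `quoted_check()` reproduces the condition exactly as quoted, and `cookie_in_image()` is the corrected form, which requires the whole cookie slot to lie inside the image and is written so that neither bound can wrap around:

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical stand-in for the Windows ULONG_PTR type used in the thread:
 * an unsigned integer wide enough to hold a pointer. */
typedef uintptr_t ULONG_PTR;

/* The condition exactly as quoted in the thread, reproduced for comparison.
 * "base" plays the role of (ULONG_PTR)ptr. */
bool quoted_check(ULONG_PTR base, size_t total_size, ULONG_PTR cookie)
{
    return base > cookie && cookie < base + total_size;
}

/* Corrected range check: true only when the whole slot
 * [cookie, cookie + cookie_size) lies inside [base, base + total_size).
 * Subtraction form, so no sum can overflow for addresses near the top
 * of the address space. */
bool cookie_in_image(ULONG_PTR base, size_t total_size,
                     ULONG_PTR cookie, size_t cookie_size)
{
    if (cookie_size == 0 || total_size < cookie_size) return false;
    if (cookie < base) return false;                  /* slot starts below the image */
    return cookie - base <= total_size - cookie_size; /* slot ends at or before image end */
}

/* Writes through the cookie pointer only when the check passes and reports
 * whether a write happened.  Stands in for set_security_cookie(). */
bool set_cookie_checked(unsigned char *image, size_t total_size,
                        ULONG_PTR cookie, ULONG_PTR value)
{
    if (!cookie_in_image((ULONG_PTR)image, total_size, cookie, sizeof(ULONG_PTR)))
        return false;
    memcpy((void *)cookie, &value, sizeof value);
    return true;
}

/* Self-check: an in-range write lands, a slot that straddles the end of
 * the buffer is refused and nothing past the buffer is touched. */
bool demo_write(void)
{
    unsigned char buf[64] = {0};
    ULONG_PTR base = (ULONG_PTR)buf, v = 0x5A5A5A5A, back = 0;
    bool ok_in  = set_cookie_checked(buf, sizeof buf, base + 16, v);
    bool ok_out = set_cookie_checked(buf, sizeof buf, base + sizeof buf - 4, v);
    memcpy(&back, buf + 16, sizeof back);
    return ok_in && !ok_out && back == v;
}

int main(void)
{
    /* Constructed example: a 0x100-byte buffer stands in for the mapped image. */
    static unsigned char image[0x100];
    ULONG_PTR base = (ULONG_PTR)image;
    size_t size = sizeof image;
    struct { const char *what; ULONG_PTR cookie; } cases[] = {
        { "inside the image",          base + 0x40 },
        { "last fully contained slot", base + size - sizeof(ULONG_PTR) },
        { "partially past the end",    base + size - sizeof(ULONG_PTR) / 2 },
        { "just below the image",      base - sizeof(ULONG_PTR) },
        { "near top of address space", UINTPTR_MAX - 3 },
    };
    for (size_t i = 0; i < sizeof cases / sizeof cases[0]; i++)
        printf("%-28s quoted=%d corrected=%d\n", cases[i].what,
               quoted_check(base, size, cases[i].cookie),
               cookie_in_image(base, size, cases[i].cookie, sizeof(ULONG_PTR)));
    printf("checked write demo: %s\n", demo_write() ? "ok" : "FAILED");
    return 0;
}
```

Running it shows the quoted condition rejecting the in-image cookie and accepting the one just below the image, while the corrected check accepts only the fully contained slots. Note that a single [base, base + total_size) comparison assumes the image is mapped contiguously; whether Wine leaves unmapped gaps between sections, as asked above, is a separate question this check cannot answer.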
On 21.07.2015 at 21:00, Michael Müller wrote:
Feel free to send a proper patch, you already analyzed more than I wrote ;)