Fixed out-of-bounds read
Ladislav Zezula committed Oct 4, 2021
1 parent 228bace commit 96d7c4a
Showing 1 changed file with 20 additions and 18 deletions.
38 changes: 20 additions & 18 deletions src/pelib/ImageLoader.cpp
@@ -1146,29 +1146,31 @@ std::uint32_t PeLib::ImageLoader::readWriteImage(
if(rva < rvaEnd)
{
std::uint8_t * bufferPtr = static_cast<std::uint8_t *>(buffer);
std::size_t pageIndex = rva / PELIB_PAGE_SIZE;

// The page index must be in range
if(pageIndex < pages.size())
while(rva < rvaEnd)
{
while(rva < rvaEnd)
{
PELIB_FILE_PAGE & page = pages[pageIndex++];
std::uint32_t offsetInPage = rva & (PELIB_PAGE_SIZE - 1);
std::uint32_t bytesInPage = PELIB_PAGE_SIZE - offsetInPage;

// Perhaps the last page loaded?
if(bytesInPage > (rvaEnd - rva))
bytesInPage = (rvaEnd - rva);
std::uint32_t offsetInPage = rva & (PELIB_PAGE_SIZE - 1);
std::uint32_t bytesInPage = PELIB_PAGE_SIZE - offsetInPage;
std::size_t pageIndex = rva / PELIB_PAGE_SIZE;

// Perform the read/write operation
ReadWrite(page, bufferPtr, offsetInPage, bytesInPage);
// Perhaps the last page loaded?
if(bytesInPage > (rvaEnd - rva))
bytesInPage = (rvaEnd - rva);

// Move pointers
bufferPtr += bytesInPage;
bytesRead += bytesInPage;
rva += bytesInPage;
// The page index must be in range
if(pageIndex < pages.size())
{
ReadWrite(pages[pageIndex], bufferPtr, offsetInPage, bytesInPage);
}
else
{
memset(bufferPtr, 0, bytesInPage);
}

// Move pointers
bufferPtr += bytesInPage;
bytesRead += bytesInPage;
rva += bytesInPage;
}
}
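Review bot: The new `else` branch runs `memset(bufferPtr, 0, bytesInPage)` on the caller's buffer regardless of which direction `ReadWrite` transfers. If this function also serves the write path, as its name and the "read/write operation" comment suggest, a write past the last page overwrites the caller's source data with zeros and is still added to `bytesRead` as if it had been stored. For reads, the returned count no longer distinguishes real image bytes from padding, which matters when the requested range is derived from file contents. Consider leaving the loop with `else break;` so the count reflects what was actually transferred, and zero-filling the remainder in the read-only wrapper if padding is wanted. The function begins and ends outside this hunk, so the computation of `rvaEnd` and any overflow check on `rva` plus the size are not visible here.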
