From dfc00cd3301a42b571454b51a6102eecf58407bc Mon Sep 17 00:00:00 2001 From: Steven Morgan <stevmorg@cisco.com> Date: Fri, 3 Mar 2017 13:56:28 -0500 Subject: [PATCH] bb19798 - fix out of bound memory access for crafted wwunpack file. --- libclamav/wwunpack.c | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/libclamav/wwunpack.c b/libclamav/wwunpack.c index 8611cb604..38c18081c 100644 --- a/libclamav/wwunpack.c +++ b/libclamav/wwunpack.c @@ -226,6 +226,12 @@ int wwunpack(uint8_t *exe, uint32_t exesz, uint8_t *wwsect, struct cli_exe_secti return CL_EFORMAT; exe[pe+6]=(uint8_t)scount; exe[pe+7]=(uint8_t)(scount>>8); + if (!CLI_ISCONTAINED(wwsect, sects[scount].rsz, wwsect+0x295, 4) || + !CLI_ISCONTAINED(wwsect, sects[scount].rsz, wwsect+0x295+sects[scount].rva, 4) || + !CLI_ISCONTAINED(wwsect, sects[scount].rsz, wwsect+0x295+sects[scount].rva+0x299, 4)) { + cli_dbgmsg("WWPack: unpack memory address out of bounds.\n"); + return CL_EFORMAT; + } cli_writeint32(&exe[pe+0x28], cli_readint32(wwsect+0x295)+sects[scount].rva+0x299); cli_writeint32(&exe[pe+0x50], cli_readint32(&exe[pe+0x50])-sects[scount].vsz);