
clamav-0.99.2-1.2.mga5.src.rpm

From dfc00cd3301a42b571454b51a6102eecf58407bc Mon Sep 17 00:00:00 2001
From: Steven Morgan <stevmorg@cisco.com>
Date: Fri, 3 Mar 2017 13:56:28 -0500
Subject: [PATCH] bb19798 - fix out of bound memory access for crafted wwunpack
 file.

---
 libclamav/wwunpack.c | 6 ++++++
 1 file changed, 6 insertions(+)

diff --git a/libclamav/wwunpack.c b/libclamav/wwunpack.c
index 8611cb604..38c18081c 100644
--- a/libclamav/wwunpack.c
+++ b/libclamav/wwunpack.c
@@ -226,6 +226,12 @@ int wwunpack(uint8_t *exe, uint32_t exesz, uint8_t *wwsect, struct cli_exe_secti
 	return CL_EFORMAT;
     exe[pe+6]=(uint8_t)scount;
     exe[pe+7]=(uint8_t)(scount>>8);
+    if (!CLI_ISCONTAINED(wwsect, sects[scount].rsz, wwsect+0x295, 4) ||
+        !CLI_ISCONTAINED(wwsect, sects[scount].rsz, wwsect+0x295+sects[scount].rva, 4) ||
+        !CLI_ISCONTAINED(wwsect, sects[scount].rsz, wwsect+0x295+sects[scount].rva+0x299, 4)) {
+        cli_dbgmsg("WWPack: unpack memory address out of bounds.\n");
+        return CL_EFORMAT;
+    }
     cli_writeint32(&exe[pe+0x28], cli_readint32(wwsect+0x295)+sects[scount].rva+0x299);
     cli_writeint32(&exe[pe+0x50], cli_readint32(&exe[pe+0x50])-sects[scount].vsz);
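Review bot: The second and third `CLI_ISCONTAINED` tests in the added guard do not match any access made by the statements they protect: the only read from `wwsect` is `cli_readint32(wwsect+0x295)`, and `+sects[scount].rva+0x299` is integer arithmetic on the value read, not a pointer offset. As written they form pointers from the file-supplied `rva` before anything bounds it, and would presumably return `CL_EFORMAT` for any sample whose section RVA exceeds its raw size, so a legitimately packed file could be rejected instead of unpacked for scanning. I would reduce the condition to `if (!CLI_ISCONTAINED(wwsect, sects[scount].rsz, wwsect+0x295, 4)) {` and put a comment above it such as `/* only the 4-byte read at wwsect+0x295 touches wwsect; rva is added to the value read, not to the pointer */`. Whether `pe+0x28` and `pe+0x50` are checked against `exesz` cannot be seen here, because wwunpack's body starts and ends outside the hunk, so that should be confirmed in the lines above the `return CL_EFORMAT;` context line.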