Check DigitalSignature and MsiDigitalSignatureEx stream lengths, CID 1519400, 1519381, 1519386

olszomal 2023-01-18 13:33:17 +01:00 committed by Michał Trojnara
parent 95a8a9d9c1
commit 199a852c12


@ -3178,6 +3178,10 @@ static int msi_verify_file(MSI_PARAMS *msiparams, GLOBAL_OPTIONS *options)
goto out; goto out;
} }
inlen = GET_UINT32_LE(ds->size); inlen = GET_UINT32_LE(ds->size);
if (inlen == 0 || inlen >= MAXREGSECT) {
printf("Corrupted DigitalSignature stream length 0x%08X\n", inlen);
goto out;
}
indata = OPENSSL_malloc((size_t)inlen); indata = OPENSSL_malloc((size_t)inlen);
if (!msi_file_read(msiparams->msi, ds, 0, indata, inlen)) { if (!msi_file_read(msiparams->msi, ds, 0, indata, inlen)) {
printf("DigitalSignature stream data error\n\n"); printf("DigitalSignature stream data error\n\n");
@ -3187,6 +3191,10 @@ static int msi_verify_file(MSI_PARAMS *msiparams, GLOBAL_OPTIONS *options)
printf("Warning: MsiDigitalSignatureEx stream doesn't exist\n"); printf("Warning: MsiDigitalSignatureEx stream doesn't exist\n");
} else { } else {
exlen = GET_UINT32_LE(dse->size); exlen = GET_UINT32_LE(dse->size);
if (exlen == 0 || exlen >= MAXREGSECT) {
printf("Corrupted MsiDigitalSignatureEx stream length 0x%08X\n", exlen);
goto out;
}
exdata = OPENSSL_malloc((size_t)exlen); exdata = OPENSSL_malloc((size_t)exlen);
if (!msi_file_read(msiparams->msi, dse, 0, exdata, exlen)) { if (!msi_file_read(msiparams->msi, dse, 0, exdata, exlen)) {
printf("MsiDigitalSignatureEx stream data error\n\n"); printf("MsiDigitalSignatureEx stream data error\n\n");
@ -3249,6 +3257,10 @@ static int msi_extract_file(MSI_PARAMS *msiparams, BIO *outdata, int output_pkcs
return 1; /* FAILED */ return 1; /* FAILED */
} }
len = GET_UINT32_LE(ds->size); len = GET_UINT32_LE(ds->size);
if (len == 0 || len >= MAXREGSECT) {
printf("Corrupted DigitalSignature stream length 0x%08X\n", len);
return 1; /* FAILED */
}
data = OPENSSL_malloc((size_t)len); data = OPENSSL_malloc((size_t)len);
(void)BIO_reset(outdata); (void)BIO_reset(outdata);
sig = msi_extract_existing_pkcs7(msiparams, ds, &data, len); sig = msi_extract_existing_pkcs7(msiparams, ds, &data, len);
@ -5657,6 +5669,10 @@ static PKCS7 *msi_presign_file(file_type_t type, cmd_type_t cmd, FILE_HEADER *he
return NULL; /* FAILED */ return NULL; /* FAILED */
} }
len = GET_UINT32_LE(ds->size); len = GET_UINT32_LE(ds->size);
if (len == 0 || len >= MAXREGSECT) {
printf("Corrupted DigitalSignature stream length 0x%08X\n", len);
return NULL; /* FAILED */
}
data = OPENSSL_malloc((size_t)len); data = OPENSSL_malloc((size_t)len);
*cursig = msi_extract_existing_pkcs7(msiparams, ds, &data, len); *cursig = msi_extract_existing_pkcs7(msiparams, ds, &data, len);
OPENSSL_free(data); OPENSSL_free(data);
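Review bot: The new upper bound `len >= MAXREGSECT` compares a byte length against what looks like a sector-number sentinel, so in all four added checks (here in msi_presign_file, and likewise in msi_verify_file and msi_extract_file) a length taken from the file can still be close to 4 GiB if MAXREGSECT has the usual compound-file value. The result of `OPENSSL_malloc((size_t)len)` is then passed on without a NULL test in the visible lines, so an allocation failure on a crafted size appears to reach `msi_extract_existing_pkcs7` or `msi_file_read` unless those callees check for it. I would add `if (!data) return NULL; /* FAILED */` right after the allocation (with the matching `goto out` form in msi_verify_file) and consider bounding the length by the size of the input file instead. The four identical checks could also move into one small static helper that takes the stream name for the message. The enclosing functions start and end outside these hunks.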