nhyatt/osslsigncode
1
0
Fork 0
mirror of https://github.com/mtrojnar/osslsigncode.git synced 2025-04-05 09:08:04 -05:00
Code Issues Projects Releases Wiki Activity

fix double free in msi_dirent_new()

Browse Source
This commit is contained in:
olszomal 2022-02-18 12:49:55 +01:00 committed by Michał Trojnara
parent bdea1d1c2a
commit 289c345280
1 changed files with 36 additions and 17 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

53
msi.c
View File

@ -162,20 +162,28 @@ static uint32_t get_next_mini_sector(MSI_FILE *msi, uint32_t miniSector)
return GET_UINT32_LE(address); return GET_UINT32_LE(address);
} }
static void locate_final_mini_sector(MSI_FILE *msi, uint32_t sector, uint32_t offset, uint32_t *finalSector, uint32_t *finalOffset) static int locate_final_mini_sector(MSI_FILE *msi, uint32_t sector, uint32_t offset, uint32_t *finalSector, uint32_t *finalOffset)
{ {
while (offset >= msi->m_minisectorSize) { while (offset >= msi->m_minisectorSize) {
offset -= msi->m_minisectorSize; offset -= msi->m_minisectorSize;
sector = get_next_mini_sector(msi, sector); sector = get_next_mini_sector(msi, sector);
if (sector == 0) {
printf("Failed to get a next mini sector\n");
return 0; /* FAILED */
}
} }
*finalSector = sector; *finalSector = sector;
*finalOffset = offset; *finalOffset = offset;
return 1; /* OK */
} }
/* Same logic as "read_stream" except that use mini stream functions instead */ /* Same logic as "read_stream" except that use mini stream functions instead */
static int read_mini_stream(MSI_FILE *msi, uint32_t sector, uint32_t offset, char *buffer, uint32_t len) static int read_mini_stream(MSI_FILE *msi, uint32_t sector, uint32_t offset, char *buffer, uint32_t len)
{ {
locate_final_mini_sector(msi, sector, offset, &sector, &offset); if (!locate_final_mini_sector(msi, sector, offset, &sector, &offset)) {
printf("Failed to locate a final mini sector\n");
return 0; /* FAILED */
}
while (len > 0) { while (len > 0) {
const u_char *address; const u_char *address;
uint32_t copylen; uint32_t copylen;
@ -193,6 +201,10 @@ static int read_mini_stream(MSI_FILE *msi, uint32_t sector, uint32_t offset, cha
buffer += copylen; buffer += copylen;
len -= copylen; len -= copylen;
sector = get_next_mini_sector(msi, sector); sector = get_next_mini_sector(msi, sector);
if (sector == 0) {
printf("Failed to get a next mini sector\n");
return 0; /* FAILED */
}
offset = 0; offset = 0;
} }
return 1; /* OK */ return 1; /* OK */
@ -273,7 +285,8 @@ static MSI_ENTRY *parse_entry(MSI_FILE *msi, const u_char *data)
return NULL; /* FAILED */ return NULL; /* FAILED */
} }
memcpy(entry->size, data + DIRENT_FILE_SIZE, 8); memcpy(entry->size, data + DIRENT_FILE_SIZE, 8);
/* For a version 3 compound file 512-byte sector size, the value of this field MUST be less than or equal to 0x80000000 */ /* For a version 3 compound file 512-byte sector size, the value of this field
MUST be less than or equal to 0x80000000 */
inlen = GET_UINT32_LE(entry->size); inlen = GET_UINT32_LE(entry->size);
if ((msi->m_sectorSize == 0x0200 && inlen > 0x80000000) if ((msi->m_sectorSize == 0x0200 && inlen > 0x80000000)
|| (msi->m_bufferLen <= inlen)) { || (msi->m_bufferLen <= inlen)) {
@ -295,19 +308,25 @@ static int get_entry(MSI_FILE *msi, uint32_t entryID, int is_root, MSI_ENTRY **e
uint32_t offset = 0; uint32_t offset = 0;
const u_char *address; const u_char *address;
/* The special value NOSTREAM (0xFFFFFFFF) is used as a terminator */
if (entryID == NOSTREAM) {
return 1; /* OK */
}
/* Corrupted file */ /* Corrupted file */
if (!is_root && entryID == 0) { if (!is_root && entryID == 0) {
printf("Corrupted file\n"); printf("Corrupted file\n");
return 0; /* FAILED */ return 0; /* FAILED */
} }
/* The special value NOSTREAM (0xFFFFFFFF) is used as a terminator */
if (entryID == NOSTREAM) {
return 1; /* OK */
}
if (msi->m_bufferLen / sizeof(MSI_ENTRY) <= entryID) { if (msi->m_bufferLen / sizeof(MSI_ENTRY) <= entryID) {
printf("Invalid argument entryID\n"); printf("Invalid argument entryID\n");
return 0; /* FAILED */ return 0; /* FAILED */
} }
/* The first entry in the first sector of the directory chain is known as
the root directory entry so it can not contain the directory stream */
if (msi->m_hdr->firstDirectorySectorLocation == 0 && entryID == 0) {
printf("Corrupted First Directory Sector Location\n");
return 0; /* FAILED */
}
if (!locate_final_sector(msi, msi->m_hdr->firstDirectorySectorLocation, entryID * sizeof(MSI_ENTRY), &sector, &offset)) { if (!locate_final_sector(msi, msi->m_hdr->firstDirectorySectorLocation, entryID * sizeof(MSI_ENTRY), &sector, &offset)) {
printf("Failed to locate a final sector\n"); printf("Failed to locate a final sector\n");
return 0; /* FAILED */ return 0; /* FAILED */
@ -387,7 +406,7 @@ MSI_FILE_HDR *msi_header_get(MSI_FILE *msi)
int msi_dirent_new(MSI_FILE *msi, MSI_ENTRY *entry, MSI_DIRENT *parent, MSI_DIRENT **ret) int msi_dirent_new(MSI_FILE *msi, MSI_ENTRY *entry, MSI_DIRENT *parent, MSI_DIRENT **ret)
{ {
MSI_DIRENT *dirent, *unused = NULL; MSI_DIRENT *dirent, *unused = NULL;
MSI_ENTRY *node = NULL; MSI_ENTRY *lnode = NULL, *rnode = NULL, *cnode = NULL;
if (!entry) { if (!entry) {
return 1; /* OK */ return 1; /* OK */
@ -410,39 +429,39 @@ int msi_dirent_new(MSI_FILE *msi, MSI_ENTRY *entry, MSI_DIRENT *parent, MSI_DIRE
return 0; /* FAILED */ return 0; /* FAILED */
} }
/* NOTE : These links are a tree, not a linked list */ /* NOTE : These links are a tree, not a linked list */
if (!get_entry(msi, entry->leftSiblingID, FALSE, &node)) { if (!get_entry(msi, entry->leftSiblingID, FALSE, &lnode)) {
printf("Corrupted leftSiblingID: 0x%08X\n", entry->leftSiblingID); printf("Corrupted leftSiblingID: 0x%08X\n", entry->leftSiblingID);
sk_MSI_DIRENT_free(dirent->children); sk_MSI_DIRENT_free(dirent->children);
OPENSSL_free(dirent); OPENSSL_free(dirent);
return 0; /* FAILED */ return 0; /* FAILED */
} }
if (!msi_dirent_new(msi, node, parent, &unused)) { if (!msi_dirent_new(msi, lnode, parent, &unused)) {
OPENSSL_free(node); OPENSSL_free(lnode);
sk_MSI_DIRENT_free(dirent->children); sk_MSI_DIRENT_free(dirent->children);
OPENSSL_free(dirent); OPENSSL_free(dirent);
return 0; /* FAILED */ return 0; /* FAILED */
} }
if (!get_entry(msi, entry->rightSiblingID, FALSE, &node)) { if (!get_entry(msi, entry->rightSiblingID, FALSE, &rnode)) {
printf("Corrupted rightSiblingID: 0x%08X\n", entry->rightSiblingID); printf("Corrupted rightSiblingID: 0x%08X\n", entry->rightSiblingID);
sk_MSI_DIRENT_free(dirent->children); sk_MSI_DIRENT_free(dirent->children);
OPENSSL_free(dirent); OPENSSL_free(dirent);
return 0; /* FAILED */ return 0; /* FAILED */
} }
if (!msi_dirent_new(msi, node, parent, &unused)) { if (!msi_dirent_new(msi, rnode, parent, &unused)) {
OPENSSL_free(node); OPENSSL_free(rnode);
sk_MSI_DIRENT_free(dirent->children); sk_MSI_DIRENT_free(dirent->children);
OPENSSL_free(dirent); OPENSSL_free(dirent);
return 0; /* FAILED */ return 0; /* FAILED */
} }
if (entry->type != DIR_STREAM) { if (entry->type != DIR_STREAM) {
if (!get_entry(msi, entry->childID, FALSE, &node)) { if (!get_entry(msi, entry->childID, FALSE, &cnode)) {
printf("Corrupted childID: 0x%08X\n", entry->childID); printf("Corrupted childID: 0x%08X\n", entry->childID);
sk_MSI_DIRENT_free(dirent->children); sk_MSI_DIRENT_free(dirent->children);
OPENSSL_free(dirent); OPENSSL_free(dirent);
return 0; /* FAILED */ return 0; /* FAILED */
} }
if (!msi_dirent_new(msi, node, dirent, &unused)) { if (!msi_dirent_new(msi, cnode, dirent, &unused)) {
OPENSSL_free(node); OPENSSL_free(cnode);
sk_MSI_DIRENT_free(dirent->children); sk_MSI_DIRENT_free(dirent->children);
OPENSSL_free(dirent); OPENSSL_free(dirent);
return 0; /* FAILED */ return 0; /* FAILED */