From 41b662a8fe6a0f817809cfd82f5068e62ce42bcb Mon Sep 17 00:00:00 2001
From: olszomal
Date: Fri, 31 May 2024 12:20:10 +0200
Subject: [PATCH] Checked cFolders value
---
 appx.c | 6 ++--
 cab.c | 80 ++++++++++++++++++++++++++++++++++----------------
 msi.c | 4 +--
 osslsigncode.c | 12 ++++++--
 pe.c | 4 +--
 script.c | 6 ++--
 6 files changed, 73 insertions(+), 39 deletions(-)
diff --git a/appx.c b/appx.c
index d66af5a..a280f26 100644
--- a/appx.c
+++ b/appx.c
@@ -616,12 +616,12 @@ static int appx_process_data(FILE_FORMAT_CTX *ctx, BIO *hash, BIO *outdata)
 entry = zipGetCDEntryByName(ctx->appx_ctx->zip, CONTENT_TYPES_FILENAME);
 if (!entry) {
 printf("Not a valid .appx file: content types file missing\n");
- return 1; /* FAILED */
+ return 0; /* FAILED */
 }
 if (!appx_append_ct_signature_entry(ctx->appx_ctx->zip, entry)) {
- return 1; /* FAILED */
+ return 0; /* FAILED */
 }
- return 0; /* OK */
+ return 1; /* OK */
 }
 /*
diff --git a/cab.c b/cab.c
index 684469a..b35c86d 100644
--- a/cab.c
+++ b/cab.c
@@ -396,7 +396,7 @@ static PKCS7 *cab_pkcs7_extract_to_nest(FILE_FORMAT_CTX *ctx)
 */
 static int cab_remove_pkcs7(FILE_FORMAT_CTX *ctx, BIO *hash, BIO *outdata)
 {
- size_t i, written, len;
+ size_t idx, written, len;
 uint32_t tmp;
 uint16_t nfolders, flags;
 char *buf;
@@ -441,29 +441,39 @@ static int cab_remove_pkcs7(FILE_FORMAT_CTX *ctx, BIO *hash, BIO *outdata)
 * u2 iCabinet - number of this cabinet file in a set: 34-35
 */
 BIO_write(outdata, ctx->options->indata + 32, 4);
- i = cab_write_optional_names(outdata, ctx->options->indata, 60, flags);
+ idx = cab_write_optional_names(outdata, ctx->options->indata, 60, flags);
+ if (idx >= ctx->cab_ctx->fileend) {
+ printf("Corrupt CAB file - too short\n");
+ OPENSSL_free(buf);
+ return 0; /* FAILED */
+ }
 /*
 * (u8 * cFolders) CFFOLDER - structure contains information about
 * one of the folders or partial folders stored in this cabinet file
 */
 nfolders = GET_UINT16_LE(ctx->options->indata + 26);
+ if (nfolders * 8 >= ctx->cab_ctx->fileend - idx) {
+ printf("Corrupt cFolders value: 0x%08X\n", nfolders);
+ OPENSSL_free(buf);
+ return 0; /* FAILED */
+ }
 while (nfolders) {
- tmp = GET_UINT32_LE(ctx->options->indata + i);
+ tmp = GET_UINT32_LE(ctx->options->indata + idx);
 tmp -= 24;
 PUT_UINT32_LE(tmp, buf);
 BIO_write(outdata, buf, 4);
- BIO_write(outdata, ctx->options->indata + i + 4, 4);
- i+=8;
+ BIO_write(outdata, ctx->options->indata + idx + 4, 4);
+ idx += 8;
 nfolders--;
 }
 OPENSSL_free(buf);
 /* Write what's left - the compressed data bytes */
- len = ctx->cab_ctx->fileend - ctx->cab_ctx->siglen - i;
+ len = ctx->cab_ctx->fileend - ctx->cab_ctx->siglen - idx;
 while (len > 0) {
- if (!BIO_write_ex(outdata, ctx->options->indata + i, len, &written))
+ if (!BIO_write_ex(outdata, ctx->options->indata + idx, len, &written))
 return 1; /* FAILED */
 len -= written;
- i += written;
+ idx += written;
 }
 return 0; /* OK */
 }
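Review bot: Both new early exits in cab_remove_pkcs7 use `return 0; /* FAILED */`, while the unchanged tail of the same function still returns 1 on a BIO_write_ex error and `return 0; /* OK */` on success, so a truncated file or an oversized cFolders is reported with the value this function uses for success. Unless the callers of cab_remove_pkcs7 were switched to a 1-is-success convention outside this diff, both branches should read `return 1; /* FAILED */`. The checks also bound idx against fileend only, whereas the copy length is `fileend - siglen - idx`; if siglen is not validated elsewhere, that size_t subtraction can wrap and the final loop would read past indata, so a guard after the folder loop such as `if (ctx->cab_ctx->siglen > ctx->cab_ctx->fileend - idx) return 1;` is worth adding. The function begins before this hunk, so the allocation of buf and the earlier header writes are not visible here.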
@@ -480,12 +490,12 @@ static int cab_process_data(FILE_FORMAT_CTX *ctx, BIO *hash, BIO *outdata)
 /* Strip current signature and modify header */
 if (ctx->cab_ctx->header_size == 20) {
 if (!cab_modify_header(ctx, hash, outdata))
- return 1; /* FAILED */
+ return 0; /* FAILED */
 } else {
 if (!cab_add_header(ctx, hash, outdata))
- return 1; /* FAILED */
+ return 0; /* FAILED */
 }
- return 0; /* OK */
+ return 1; /* OK */
 }
 /*
@@ -802,7 +812,7 @@ static size_t cab_write_optional_names(BIO *outdata, char *indata, size_t i, uin
 */
 static int cab_modify_header(FILE_FORMAT_CTX *ctx, BIO *hash, BIO *outdata)
 {
- size_t i, written, len;
+ size_t idx, written, len;
 uint16_t nfolders, flags;
 u_char buf[] = {0x00, 0x00};
@@ -840,24 +850,32 @@ static int cab_modify_header(FILE_FORMAT_CTX *ctx, BIO *hash, BIO *outdata)
 /* u4 abReserve: 56-59 */
 BIO_write(hash, ctx->options->indata + 56, 4);
- i = cab_write_optional_names(outdata, ctx->options->indata, 60, flags);
+ idx = cab_write_optional_names(outdata, ctx->options->indata, 60, flags);
+ if (idx >= ctx->cab_ctx->fileend) {
+ printf("Corrupt CAB file - too short\n");
+ return 0; /* FAILED */
+ }
 /*
 * (u8 * cFolders) CFFOLDER - structure contains information about
 * one of the folders or partial folders stored in this cabinet file
 */
 nfolders = GET_UINT16_LE(ctx->options->indata + 26);
+ if (nfolders * 8 >= ctx->cab_ctx->fileend - idx) {
+ printf("Corrupt cFolders value: 0x%08X\n", nfolders);
+ return 0; /* FAILED */
+ }
 while (nfolders) {
- BIO_write(hash, ctx->options->indata + i, 8);
- i += 8;
+ BIO_write(hash, ctx->options->indata + idx, 8);
+ idx += 8;
 nfolders--;
 }
 /* Write what's left - the compressed data bytes */
- len = ctx->cab_ctx->sigpos - i;
+ len = ctx->cab_ctx->sigpos - idx;
 while (len > 0) {
- if (!BIO_write_ex(hash, ctx->options->indata + i, len, &written))
+ if (!BIO_write_ex(hash, ctx->options->indata + idx, len, &written))
 return 0; /* FAILED */
 len -= written;
- i += written;
+ idx += written;
 }
 return 1; /* OK */
 }
@@ -871,7 +889,7 @@ static int cab_modify_header(FILE_FORMAT_CTX *ctx, BIO *hash, BIO *outdata)
 */
 static int cab_add_header(FILE_FORMAT_CTX *ctx, BIO *hash, BIO *outdata)
 {
- size_t i, written, len;
+ size_t idx, written, len;
 uint32_t tmp;
 uint16_t nfolders, flags;
 u_char cabsigned[] = {
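Review bot: In cab_modify_header the new bounds are taken against fileend, but the bytes after the folder table are hashed only up to sigpos (`len = ctx->cab_ctx->sigpos - idx`), so a cFolders value that keeps the table inside the file yet past sigpos still makes that size_t subtraction wrap and the BIO_write_ex loop run off the input buffer. Assuming sigpos never exceeds fileend (not shown in this hunk), comparing against it covers both cases: `if (idx >= ctx->cab_ctx->sigpos)` and `if (nfolders * 8 >= ctx->cab_ctx->sigpos - idx)`. The function starts before this hunk.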
@@ -916,29 +934,39 @@ static int cab_add_header(FILE_FORMAT_CTX *ctx, BIO *hash, BIO *outdata)
 BIO_write(outdata, cabsigned, 20);
 BIO_write(hash, cabsigned+20, 4);
- i = cab_write_optional_names(outdata, ctx->options->indata, 36, flags);
+ idx = cab_write_optional_names(outdata, ctx->options->indata, 36, flags);
+ if (idx >= ctx->cab_ctx->fileend) {
+ printf("Corrupt CAB file - too short\n");
+ OPENSSL_free(buf);
+ return 0; /* FAILED */
+ }
 /*
 * (u8 * cFolders) CFFOLDER - structure contains information about
 * one of the folders or partial folders stored in this cabinet file
 */
 nfolders = GET_UINT16_LE(ctx->options->indata + 26);
+ if (nfolders * 8 >= ctx->cab_ctx->fileend - idx) {
+ printf("Corrupt cFolders value: 0x%08X\n", nfolders);
+ OPENSSL_free(buf);
+ return 0; /* FAILED */
+ }
 while (nfolders) {
- tmp = GET_UINT32_LE(ctx->options->indata + i);
+ tmp = GET_UINT32_LE(ctx->options->indata + idx);
 tmp += 24;
 PUT_UINT32_LE(tmp, buf);
 BIO_write(hash, buf, 4);
- BIO_write(hash, ctx->options->indata + i + 4, 4);
- i += 8;
+ BIO_write(hash, ctx->options->indata + idx + 4, 4);
+ idx += 8;
 nfolders--;
 }
 OPENSSL_free(buf);
 /* Write what's left - the compressed data bytes */
- len = ctx->cab_ctx->fileend - i;
+ len = ctx->cab_ctx->fileend - idx;
 while (len > 0) {
- if (!BIO_write_ex(hash, ctx->options->indata + i, len, &written))
+ if (!BIO_write_ex(hash, ctx->options->indata + idx, len, &written))
 return 0; /* FAILED */
 len -= written;
- i += written;
+ idx += written;
 }
 return 1; /* OK */
 }
diff --git a/msi.c b/msi.c
index f2e2312..b44cc07 100644
--- a/msi.c
+++ b/msi.c
@@ -595,9 +595,9 @@ static int msi_process_data(FILE_FORMAT_CTX *ctx, BIO *hash, BIO *outdata)
 hash = msi_digest_calc_bio(ctx, hash);
 if (!hash) {
- return 1; /* FAILED */
+ return 0; /* FAILED */
 }
- return 0; /* OK */
+ return 1; /* OK */
 }
 /*
diff --git a/osslsigncode.c b/osslsigncode.c
index aaf67b6..e02fe85 100644
--- a/osslsigncode.c
+++ b/osslsigncode.c
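Review bot: The CFFOLDER loop in cab_add_header still discards the result of both `BIO_write(hash, ...)` calls, although the trailing loop checks BIO_write_ex and a failure of this function now stops main; a failed write into the digest BIO would leave the hash computed over partial data. Checking the return, for example `if (BIO_write(hash, buf, 4) != 4 || BIO_write(hash, ctx->options->indata + idx + 4, 4) != 4) { OPENSSL_free(buf); return 0; /* FAILED */ }`, keeps the folder table consistent with the rest of the function. The same unchecked writes sit in the folder loops of cab_remove_pkcs7 and cab_modify_header. The function starts before this hunk.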
@@ -4878,7 +4878,9 @@ int main(int argc, char **argv)
 DO_EXIT_0("Unable to extract existing signature\n");
 }
 if (ctx->format->process_data) {
- ctx->format->process_data(ctx, hash, outdata);
+ if (!ctx->format->process_data(ctx, hash, outdata)) {
+ DO_EXIT_0("Unable to read input file\n");
+ }
 }
 } else if (options.cmd == CMD_ATTACH) {
 if (options.nest) {
@@ -4904,7 +4906,9 @@ int main(int argc, char **argv)
 DO_EXIT_0("Unable to extract valid signature\n");
 }
 if (ctx->format->process_data) {
- ctx->format->process_data(ctx, hash, outdata);
+ if (!ctx->format->process_data(ctx, hash, outdata)) {
+ DO_EXIT_0("Unable to read input file\n");
+ }
 }
 } else if (options.cmd == CMD_SIGN) {
 if (options.nest) {
@@ -4924,7 +4928,9 @@ int main(int argc, char **argv)
 }
 }
 if (ctx->format->process_data) {
- ctx->format->process_data(ctx, hash, outdata);
+ if (!ctx->format->process_data(ctx, hash, outdata)) {
+ DO_EXIT_0("Unable to read input file\n");
+ }
 }
 if (ctx->format->pkcs7_signature_new) {
 /* Create a new PKCS#7 signature */
diff --git a/pe.c b/pe.c
index 613d0f4..97a475d 100644
--- a/pe.c
+++ b/pe.c
@@ -374,9 +374,9 @@ static int pe_process_data(FILE_FORMAT_CTX *ctx, BIO *hash, BIO *outdata)
 }
 if (!pe_modify_header(ctx, hash, outdata)) {
 printf("Unable to modify file header\n");
- return 1; /* FAILED */
+ return 0; /* FAILED */
 }
- return 0; /* OK */
+ return 1; /* OK */
 }
 /*
diff --git a/script.c b/script.c
index 92cc947..8b476ba 100644
--- a/script.c
+++ b/script.c
@@ -455,10 +455,10 @@ static int script_process_data(FILE_FORMAT_CTX *ctx, BIO *hash, BIO *outdata)
 ctx->script_ctx->fileend = ctx->script_ctx->sigpos;
 }
 if (!script_write_bio(outdata, ctx->options->indata, ctx->script_ctx->fileend))
- return 1; /* FAILED */
+ return 0; /* FAILED */
 if (!script_digest_convert(hash, ctx, ctx->script_ctx->fileend))
- return 1; /* FAILED */
- return 0; /* OK */
+ return 0; /* FAILED */
+ return 1; /* OK */
 }
 /*
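Review bot: The three process_data call sites in main (the osslsigncode.c hunks at 4878, 4904 and 4924) now treat a zero return as failure, the opposite of what the callbacks returned before this commit, and nothing at the call sites or in the visible implementations records that contract. A comment on the callback's declaration such as `/* process_data: returns 1 on success, 0 on failure */` would stop a format handler not touched here from being read with the old meaning, and it is worth confirming that no other implementation exists outside this diff. The message `"Unable to read input file\n"` also covers failures that are not read errors (for example the header rewrite in pe_process_data), so `"Unable to process input file\n"` would be more accurate.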