commit 6fe86eef621b9849f51a5e1e5d73258a93440403
Author: Quang Nguyễn <quangnh89@users.noreply.github.com>
Date:   Mon Mar 13 22:34:48 2017 +0700

    provide a validity check to prevent against Integer overflow conditions (#870)
    
    * provide a validity check to prevent against Integer overflow conditions
    
    * fix some style issues.

diff --git a/windows/winkernel_mm.c b/windows/winkernel_mm.c
index c127da3a..ecdc1ca2 100644
--- a/windows/winkernel_mm.c
+++ b/windows/winkernel_mm.c
@@ -3,6 +3,7 @@
 
 #include "winkernel_mm.h"
 #include <ntddk.h>
+#include <Ntintsafe.h>
 
 // A pool tag for memory allocation
 static const ULONG CS_WINKERNEL_POOL_TAG = 'kwsC';
@@ -33,8 +34,16 @@ void * CAPSTONE_API cs_winkernel_malloc(size_t size)
 
 	// FP; a use of NonPagedPool is required for Windows 7 support
 #pragma prefast(suppress : 30030)		// Allocating executable POOL_TYPE memory
-	CS_WINKERNEL_MEMBLOCK *block = (CS_WINKERNEL_MEMBLOCK *)ExAllocatePoolWithTag(
-			NonPagedPool, size + sizeof(CS_WINKERNEL_MEMBLOCK), CS_WINKERNEL_POOL_TAG);
+	size_t number_of_bytes = 0;
+	CS_WINKERNEL_MEMBLOCK *block = NULL;
+	// A specially crafted size value can trigger the overflow.
+	// If the sum in a value that overflows or underflows the capacity of the type,
+	// the function returns NULL.
+	if (!NT_SUCCESS(RtlSizeTAdd(size, sizeof(CS_WINKERNEL_MEMBLOCK), &number_of_bytes))) {
+		return NULL;
+	}
+	block = (CS_WINKERNEL_MEMBLOCK *)ExAllocatePoolWithTag(
+			NonPagedPool, number_of_bytes, CS_WINKERNEL_POOL_TAG);
 	if (!block) {
 		return NULL;
 	}
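Review bot: The `#pragma prefast(suppress : 30030)` now sits directly above the new `size_t number_of_bytes = 0;` declaration instead of the ExAllocatePoolWithTag call, and as far as I recall that pragma only suppresses the warning on the line immediately following it, so the two declarations and the RtlSizeTAdd check inserted in between likely leave the "executable POOL_TYPE" warning unsuppressed again; move the `// FP; a use of NonPagedPool is required for Windows 7 support` comment and the pragma so they are the two lines directly above `block = (CS_WINKERNEL_MEMBLOCK *)ExAllocatePoolWithTag(`. The comment explaining the overflow guard is also garbled (`// If the sum in a value that overflows or underflows the capacity of the type,`) and, since this is an unsigned addition, underflow cannot occur; I would replace the three comment lines with `// A caller-controlled size could wrap size + sizeof(CS_WINKERNEL_MEMBLOCK); RtlSizeTAdd fails on overflow, in which case we return NULL.` The check itself is correct and is the right fix for the undersized-allocation heap overflow it closes. cs_winkernel_malloc's signature is before this hunk and its body continues after it, so I cannot confirm whether the header block stores number_of_bytes or the original size.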