commit 6fe86eef621b9849f51a5e1e5d73258a93440403
Author: Quang Nguyễn <quangnh89@users.noreply.github.com>
Date: Mon Mar 13 22:34:48 2017 +0700
provide a validity check to prevent against Integer overflow conditions (#870)
* provide a validity check to prevent against Integer overflow conditions
* fix some style issues.
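diff --git a/windows/winkernel_mm.c b/windows/winkernel_mm.c
index c127da3a..ecdc1ca2 100644
--- a/windows/winkernel_mm.c
+++ b/windows/winkernel_mm.c
@@ -3,6 +3,7 @@
 
 #include "winkernel_mm.h"
 #include <ntddk.h>
+#include <Ntintsafe.h>
 
 // A pool tag for memory allocation
 static const ULONG CS_WINKERNEL_POOL_TAG = 'kwsC';
@@ -33,8 +34,16 @@ void * CAPSTONE_API cs_winkernel_malloc(size_t size)
 
 // FP; a use of NonPagedPool is required for Windows 7 support
 #pragma prefast(suppress : 30030) // Allocating executable POOL_TYPE memory
- CS_WINKERNEL_MEMBLOCK *block = (CS_WINKERNEL_MEMBLOCK *)ExAllocatePoolWithTag(
- NonPagedPool, size + sizeof(CS_WINKERNEL_MEMBLOCK), CS_WINKERNEL_POOL_TAG);
+ size_t number_of_bytes = 0;
+ CS_WINKERNEL_MEMBLOCK *block = NULL;
+ // A specially crafted size value can trigger the overflow.
+ // If the sum in a value that overflows or underflows the capacity of the type,
+ // the function returns NULL.
+ if (!NT_SUCCESS(RtlSizeTAdd(size, sizeof(CS_WINKERNEL_MEMBLOCK), &number_of_bytes))) {
+ return NULL;
+ }
+ block = (CS_WINKERNEL_MEMBLOCK *)ExAllocatePoolWithTag(
+ NonPagedPool, number_of_bytes, CS_WINKERNEL_POOL_TAG);
 if (!block) {
 return NULL;
 }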
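Review bot: The `#pragma prefast(suppress : 30030)` and its "FP" comment now sit directly above `size_t number_of_bytes = 0;` instead of the `ExAllocatePoolWithTag` call. A prefast suppress normally covers only the line that follows it, so the NonPagedPool warning is probably no longer suppressed where it is raised; move the comment and pragma down so they directly precede `block = (CS_WINKERNEL_MEMBLOCK *)ExAllocatePoolWithTag(`. The new comment is also hard to parse and mentions underflow, which an unsigned addition cannot produce. I would reword it to `// size + sizeof(CS_WINKERNEL_MEMBLOCK) can wrap for a very large size; fail the allocation rather than return an undersized pool block.` The body of cs_winkernel_malloc starts before and continues after this hunk, so how `block` is used afterwards is not visible here.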