ntdll: Validate SecurityCookie pointer before accessing cookie value.

6e66c12c · Sebastian Lackner · Alexandre Julliard · 4bcdbe09 · 6e66c12c
Commit 6e66c12c authored Jul 30, 2015 by Sebastian Lackner Committed by Alexandre Julliard Jul 30, 2015
Hide whitespace changes
Inline Side-by-side

Showing with 4 additions and 2 deletions

virtual.c dlls/ntdll/virtual.c +4 -2

No files found.
--- a/dlls/ntdll/virtual.c
+++ b/dlls/ntdll/virtual.c
@@ -1320,9 +1320,11 @@ static NTSTATUS map_image( HANDLE hmapping, int fd, char *base, SIZE_T total_siz

    loadcfg = RtlImageDirectoryEntryToData( (HMODULE)ptr, TRUE,
                                            IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG, &loadcfg_size );
-    if (loadcfg &&
-        loadcfg_size >= offsetof(IMAGE_LOAD_CONFIG_DIRECTORY, SecurityCookie) + sizeof(loadcfg->SecurityCookie))
+    if (loadcfg && loadcfg_size >= offsetof(IMAGE_LOAD_CONFIG_DIRECTORY, SecurityCookie) + sizeof(loadcfg->SecurityCookie) &&
+        (ULONG_PTR)ptr <= loadcfg->SecurityCookie && loadcfg->SecurityCookie <= (ULONG_PTR)ptr + total_size - sizeof(ULONG_PTR))
+    {
        set_security_cookie((ULONG_PTR *)loadcfg->SecurityCookie);
+    }

    /* set the image protections */