summaryrefslogtreecommitdiff
path: root/source3/printing/nt_printing.c
diff options
context:
space:
mode:
authorJeremy Allison <jra@samba.org>2003-10-29 21:27:57 +0000
committerJeremy Allison <jra@samba.org>2003-10-29 21:27:57 +0000
commit5ca824a682bbcd9331f32935f9b423ae6d468816 (patch)
tree049e58740ad501eb0d888e98eac22006ff830250 /source3/printing/nt_printing.c
parente893948e04136ed5b9ba08373a93dd55f81e2e24 (diff)
downloadsamba-5ca824a682bbcd9331f32935f9b423ae6d468816.tar.gz
samba-5ca824a682bbcd9331f32935f9b423ae6d468816.tar.bz2
samba-5ca824a682bbcd9331f32935f9b423ae6d468816.zip
Fixes to check for wraps which could cause coredumps.
Jeremy. (This used to be commit 124a8ddae63adff4f601242a8e6d05abcaf4d9bf)
Diffstat (limited to 'source3/printing/nt_printing.c')
-rw-r--r--source3/printing/nt_printing.c19
1 files changed, 14 insertions, 5 deletions
diff --git a/source3/printing/nt_printing.c b/source3/printing/nt_printing.c
index 5b5b5885ab..908bd9c887 100644
--- a/source3/printing/nt_printing.c
+++ b/source3/printing/nt_printing.c
@@ -728,7 +728,7 @@ const char *get_short_archi(const char *long_archi)
static int get_file_version(files_struct *fsp, char *fname,uint32 *major, uint32 *minor)
{
int i;
- char *buf;
+ char *buf = NULL;
ssize_t byte_count;
if ((buf=malloc(PE_HEADER_SIZE)) == NULL) {
@@ -768,8 +768,8 @@ static int get_file_version(files_struct *fsp, char *fname,uint32 *major, uint32
/* The header may be a PE (Portable Executable) or an NE (New Executable) */
if (IVAL(buf,PE_HEADER_SIGNATURE_OFFSET) == PE_HEADER_SIGNATURE) {
- int num_sections;
- int section_table_bytes;
+ unsigned int num_sections;
+ unsigned int section_table_bytes;
if (SVAL(buf,PE_HEADER_MACHINE_OFFSET) != PE_HEADER_MACHINE_I386) {
DEBUG(3,("get_file_version: PE file [%s] wrong machine = 0x%x\n",
@@ -783,6 +783,9 @@ static int get_file_version(files_struct *fsp, char *fname,uint32 *major, uint32
/* get the section table */
num_sections = SVAL(buf,PE_HEADER_NUMBER_OF_SECTIONS);
section_table_bytes = num_sections * PE_HEADER_SECT_HEADER_SIZE;
+ if (section_table_bytes == 0)
+ goto error_exit;
+
SAFE_FREE(buf);
if ((buf=malloc(section_table_bytes)) == NULL) {
DEBUG(0,("get_file_version: PE file [%s] section table malloc failed bytes = %d\n",
@@ -801,8 +804,11 @@ static int get_file_version(files_struct *fsp, char *fname,uint32 *major, uint32
int sec_offset = i * PE_HEADER_SECT_HEADER_SIZE;
if (strcmp(".rsrc", &buf[sec_offset+PE_HEADER_SECT_NAME_OFFSET]) == 0) {
- int section_pos = IVAL(buf,sec_offset+PE_HEADER_SECT_PTR_DATA_OFFSET);
- int section_bytes = IVAL(buf,sec_offset+PE_HEADER_SECT_SIZE_DATA_OFFSET);
+ unsigned int section_pos = IVAL(buf,sec_offset+PE_HEADER_SECT_PTR_DATA_OFFSET);
+ unsigned int section_bytes = IVAL(buf,sec_offset+PE_HEADER_SECT_SIZE_DATA_OFFSET);
+
+ if (section_bytes == 0)
+ goto error_exit;
SAFE_FREE(buf);
if ((buf=malloc(section_bytes)) == NULL) {
@@ -824,6 +830,9 @@ static int get_file_version(files_struct *fsp, char *fname,uint32 *major, uint32
goto error_exit;
}
+ if (section_bytes < VS_VERSION_INFO_UNICODE_SIZE)
+ goto error_exit;
+
for (i=0; i<section_bytes-VS_VERSION_INFO_UNICODE_SIZE; i++) {
/* Scan for 1st 3 unicoded bytes followed by word aligned magic value */
if (buf[i] == 'V' && buf[i+1] == '\0' && buf[i+2] == 'S') {