diff options
author | Jeremy Allison <jra@samba.org> | 2003-10-29 21:28:00 +0000 |
---|---|---|
committer | Jeremy Allison <jra@samba.org> | 2003-10-29 21:28:00 +0000 |
commit | 231124ced9237cdbc3732a722c8f373ee760927b (patch) | |
tree | 29ef77ec225223bd9339ec3826a228c746ab140e /source3/printing | |
parent | fdb2f57f62b776118156f266b8273f509ea60484 (diff) | |
download | samba-231124ced9237cdbc3732a722c8f373ee760927b.tar.gz samba-231124ced9237cdbc3732a722c8f373ee760927b.tar.bz2 samba-231124ced9237cdbc3732a722c8f373ee760927b.zip |
Fixes to check for wraps which could cause coredumps.
Jeremy.
(This used to be commit ad06edd1bb58cc5e2c38a364b1af96a933b770af)
Diffstat (limited to 'source3/printing')
-rw-r--r-- | source3/printing/nt_printing.c | 19 |
1 files changed, 14 insertions, 5 deletions
diff --git a/source3/printing/nt_printing.c b/source3/printing/nt_printing.c index 5b5b5885ab..908bd9c887 100644 --- a/source3/printing/nt_printing.c +++ b/source3/printing/nt_printing.c @@ -728,7 +728,7 @@ const char *get_short_archi(const char *long_archi) static int get_file_version(files_struct *fsp, char *fname,uint32 *major, uint32 *minor) { int i; - char *buf; + char *buf = NULL; ssize_t byte_count; if ((buf=malloc(PE_HEADER_SIZE)) == NULL) { @@ -768,8 +768,8 @@ static int get_file_version(files_struct *fsp, char *fname,uint32 *major, uint32 /* The header may be a PE (Portable Executable) or an NE (New Executable) */ if (IVAL(buf,PE_HEADER_SIGNATURE_OFFSET) == PE_HEADER_SIGNATURE) { - int num_sections; - int section_table_bytes; + unsigned int num_sections; + unsigned int section_table_bytes; if (SVAL(buf,PE_HEADER_MACHINE_OFFSET) != PE_HEADER_MACHINE_I386) { DEBUG(3,("get_file_version: PE file [%s] wrong machine = 0x%x\n", @@ -783,6 +783,9 @@ static int get_file_version(files_struct *fsp, char *fname,uint32 *major, uint32 /* get the section table */ num_sections = SVAL(buf,PE_HEADER_NUMBER_OF_SECTIONS); section_table_bytes = num_sections * PE_HEADER_SECT_HEADER_SIZE; + if (section_table_bytes == 0) + goto error_exit; + SAFE_FREE(buf); if ((buf=malloc(section_table_bytes)) == NULL) { DEBUG(0,("get_file_version: PE file [%s] section table malloc failed bytes = %d\n", @@ -801,8 +804,11 @@ static int get_file_version(files_struct *fsp, char *fname,uint32 *major, uint32 int sec_offset = i * PE_HEADER_SECT_HEADER_SIZE; if (strcmp(".rsrc", &buf[sec_offset+PE_HEADER_SECT_NAME_OFFSET]) == 0) { - int section_pos = IVAL(buf,sec_offset+PE_HEADER_SECT_PTR_DATA_OFFSET); - int section_bytes = IVAL(buf,sec_offset+PE_HEADER_SECT_SIZE_DATA_OFFSET); + unsigned int section_pos = IVAL(buf,sec_offset+PE_HEADER_SECT_PTR_DATA_OFFSET); + unsigned int section_bytes = IVAL(buf,sec_offset+PE_HEADER_SECT_SIZE_DATA_OFFSET); + + if (section_bytes == 0) + goto error_exit; SAFE_FREE(buf); if ((buf=malloc(section_bytes)) == NULL) { @@ -824,6 +830,9 @@ static int get_file_version(files_struct *fsp, char *fname,uint32 *major, uint32 goto error_exit; } + if (section_bytes < VS_VERSION_INFO_UNICODE_SIZE) + goto error_exit; + for (i=0; i<section_bytes-VS_VERSION_INFO_UNICODE_SIZE; i++) { /* Scan for 1st 3 unicoded bytes followed by word aligned magic value */ if (buf[i] == 'V' && buf[i+1] == '\0' && buf[i+2] == 'S') { |