summaryrefslogtreecommitdiff
path: root/source3/printing
diff options
context:
space:
mode:
authorJeremy Allison <jra@samba.org>2003-10-29 21:28:00 +0000
committerJeremy Allison <jra@samba.org>2003-10-29 21:28:00 +0000
commit231124ced9237cdbc3732a722c8f373ee760927b (patch)
tree29ef77ec225223bd9339ec3826a228c746ab140e /source3/printing
parentfdb2f57f62b776118156f266b8273f509ea60484 (diff)
downloadsamba-231124ced9237cdbc3732a722c8f373ee760927b.tar.gz
samba-231124ced9237cdbc3732a722c8f373ee760927b.tar.bz2
samba-231124ced9237cdbc3732a722c8f373ee760927b.zip
Fixes to check for wraps which could cause coredumps.
Jeremy. (This used to be commit ad06edd1bb58cc5e2c38a364b1af96a933b770af)
Diffstat (limited to 'source3/printing')
-rw-r--r--source3/printing/nt_printing.c19
1 files changed, 14 insertions, 5 deletions
diff --git a/source3/printing/nt_printing.c b/source3/printing/nt_printing.c
index 5b5b5885ab..908bd9c887 100644
--- a/source3/printing/nt_printing.c
+++ b/source3/printing/nt_printing.c
@@ -728,7 +728,7 @@ const char *get_short_archi(const char *long_archi)
static int get_file_version(files_struct *fsp, char *fname,uint32 *major, uint32 *minor)
{
int i;
- char *buf;
+ char *buf = NULL;
ssize_t byte_count;
if ((buf=malloc(PE_HEADER_SIZE)) == NULL) {
@@ -768,8 +768,8 @@ static int get_file_version(files_struct *fsp, char *fname,uint32 *major, uint32
/* The header may be a PE (Portable Executable) or an NE (New Executable) */
if (IVAL(buf,PE_HEADER_SIGNATURE_OFFSET) == PE_HEADER_SIGNATURE) {
- int num_sections;
- int section_table_bytes;
+ unsigned int num_sections;
+ unsigned int section_table_bytes;
if (SVAL(buf,PE_HEADER_MACHINE_OFFSET) != PE_HEADER_MACHINE_I386) {
DEBUG(3,("get_file_version: PE file [%s] wrong machine = 0x%x\n",
@@ -783,6 +783,9 @@ static int get_file_version(files_struct *fsp, char *fname,uint32 *major, uint32
/* get the section table */
num_sections = SVAL(buf,PE_HEADER_NUMBER_OF_SECTIONS);
section_table_bytes = num_sections * PE_HEADER_SECT_HEADER_SIZE;
+ if (section_table_bytes == 0)
+ goto error_exit;
+
SAFE_FREE(buf);
if ((buf=malloc(section_table_bytes)) == NULL) {
DEBUG(0,("get_file_version: PE file [%s] section table malloc failed bytes = %d\n",
@@ -801,8 +804,11 @@ static int get_file_version(files_struct *fsp, char *fname,uint32 *major, uint32
int sec_offset = i * PE_HEADER_SECT_HEADER_SIZE;
if (strcmp(".rsrc", &buf[sec_offset+PE_HEADER_SECT_NAME_OFFSET]) == 0) {
- int section_pos = IVAL(buf,sec_offset+PE_HEADER_SECT_PTR_DATA_OFFSET);
- int section_bytes = IVAL(buf,sec_offset+PE_HEADER_SECT_SIZE_DATA_OFFSET);
+ unsigned int section_pos = IVAL(buf,sec_offset+PE_HEADER_SECT_PTR_DATA_OFFSET);
+ unsigned int section_bytes = IVAL(buf,sec_offset+PE_HEADER_SECT_SIZE_DATA_OFFSET);
+
+ if (section_bytes == 0)
+ goto error_exit;
SAFE_FREE(buf);
if ((buf=malloc(section_bytes)) == NULL) {
@@ -824,6 +830,9 @@ static int get_file_version(files_struct *fsp, char *fname,uint32 *major, uint32
goto error_exit;
}
+ if (section_bytes < VS_VERSION_INFO_UNICODE_SIZE)
+ goto error_exit;
+
for (i=0; i<section_bytes-VS_VERSION_INFO_UNICODE_SIZE; i++) {
/* Scan for 1st 3 unicoded bytes followed by word aligned magic value */
if (buf[i] == 'V' && buf[i+1] == '\0' && buf[i+2] == 'S') {