From 231124ced9237cdbc3732a722c8f373ee760927b Mon Sep 17 00:00:00 2001
From: Jeremy Allison <jra@samba.org>
Date: Wed, 29 Oct 2003 21:28:00 +0000
Subject: Fixes to check for wraps which could cause coredumps. Jeremy. (This
 used to be commit ad06edd1bb58cc5e2c38a364b1af96a933b770af)

---
 source3/printing/nt_printing.c | 19 ++++++++++++++-----
 1 file changed, 14 insertions(+), 5 deletions(-)

(limited to 'source3/printing/nt_printing.c')

diff --git a/source3/printing/nt_printing.c b/source3/printing/nt_printing.c
index 5b5b5885ab..908bd9c887 100644
--- a/source3/printing/nt_printing.c
+++ b/source3/printing/nt_printing.c
@@ -728,7 +728,7 @@ const char *get_short_archi(const char *long_archi)
 static int get_file_version(files_struct *fsp, char *fname,uint32 *major, uint32 *minor)
 {
 	int     i;
-	char    *buf;
+	char    *buf = NULL;
 	ssize_t byte_count;
 
 	if ((buf=malloc(PE_HEADER_SIZE)) == NULL) {
@@ -768,8 +768,8 @@ static int get_file_version(files_struct *fsp, char *fname,uint32 *major, uint32
 
 	/* The header may be a PE (Portable Executable) or an NE (New Executable) */
 	if (IVAL(buf,PE_HEADER_SIGNATURE_OFFSET) == PE_HEADER_SIGNATURE) {
-		int num_sections;
-		int section_table_bytes;
+		unsigned int num_sections;
+		unsigned int section_table_bytes;
 		
 		if (SVAL(buf,PE_HEADER_MACHINE_OFFSET) != PE_HEADER_MACHINE_I386) {
 			DEBUG(3,("get_file_version: PE file [%s] wrong machine = 0x%x\n",
@@ -783,6 +783,9 @@ static int get_file_version(files_struct *fsp, char *fname,uint32 *major, uint32
 		/* get the section table */
 		num_sections        = SVAL(buf,PE_HEADER_NUMBER_OF_SECTIONS);
 		section_table_bytes = num_sections * PE_HEADER_SECT_HEADER_SIZE;
+		if (section_table_bytes == 0)
+			goto error_exit;
+
 		SAFE_FREE(buf);
 		if ((buf=malloc(section_table_bytes)) == NULL) {
 			DEBUG(0,("get_file_version: PE file [%s] section table malloc failed bytes = %d\n",
@@ -801,8 +804,11 @@ static int get_file_version(files_struct *fsp, char *fname,uint32 *major, uint32
 			int sec_offset = i * PE_HEADER_SECT_HEADER_SIZE;
 
 			if (strcmp(".rsrc", &buf[sec_offset+PE_HEADER_SECT_NAME_OFFSET]) == 0) {
-				int section_pos   = IVAL(buf,sec_offset+PE_HEADER_SECT_PTR_DATA_OFFSET);
-				int section_bytes = IVAL(buf,sec_offset+PE_HEADER_SECT_SIZE_DATA_OFFSET);
+				unsigned int section_pos   = IVAL(buf,sec_offset+PE_HEADER_SECT_PTR_DATA_OFFSET);
+				unsigned int section_bytes = IVAL(buf,sec_offset+PE_HEADER_SECT_SIZE_DATA_OFFSET);
+
+				if (section_bytes == 0)
+					goto error_exit;
 
 				SAFE_FREE(buf);
 				if ((buf=malloc(section_bytes)) == NULL) {
@@ -824,6 +830,9 @@ static int get_file_version(files_struct *fsp, char *fname,uint32 *major, uint32
 					goto error_exit;
 				}
 
+				if (section_bytes < VS_VERSION_INFO_UNICODE_SIZE)
+					goto error_exit;
+
 				for (i=0; i<section_bytes-VS_VERSION_INFO_UNICODE_SIZE; i++) {
 					/* Scan for 1st 3 unicoded bytes followed by word aligned magic value */
 					if (buf[i] == 'V' && buf[i+1] == '\0' && buf[i+2] == 'S') {
-- 
cgit