mmcmp.c: added a sanity check to 16bit compressed blocks' decompression

sezero · sezero · commit 56a667edd5c2 · 2022-01-29T08:56:56.000+03:00
diff --git a/src/mmcmp.cpp b/src/mmcmp.cpp
@@ -156,7 +156,7 @@ BOOL MMCMP_Unpack(LPCBYTE *ppMemFile, LPDWORD pdwMemLength)
 {
 	DWORD dwMemLength;
 	LPCBYTE lpMemFile;
-	LPBYTE pBuffer;
+	LPBYTE pBuffer, pEnd;
 	LPMMCMPFILEHEADER pmfh;
 	LPMMCMPHEADER pmmh;
 	const DWORD *pblk_table;
@@ -186,6 +186,7 @@ BOOL MMCMP_Unpack(LPCBYTE *ppMemFile, LPDWORD pdwMemLength)
 	dwFileSize = pmmh->filesize;
 	if ((pBuffer = (LPBYTE)GlobalAllocPtr(GHND, (dwFileSize + 31) & ~15)) == NULL)
 		return FALSE;
+	pEnd = pBuffer + dwFileSize;
 	pblk_table = (const DWORD *)(lpMemFile+pmmh->blktable);
 	for (UINT nBlock=0; nBlock<pmmh->nblocks; nBlock++)
 	{
@@ -302,8 +303,10 @@ BOOL MMCMP_Unpack(LPCBYTE *ppMemFile, LPDWORD pdwMemLength)
 					{
 						newval ^= 0x8000;
 					}
-					pDest[dwPos++] = (BYTE) (((WORD)newval) & 0xff);
-					pDest[dwPos++] = (BYTE) (((WORD)newval) >> 8);
+					if (pEnd - pDest < 2) goto err;
+					dwPos += 2;
+					*pDest++ = (BYTE) (((WORD)newval) & 0xff);
+					*pDest++ = (BYTE) (((WORD)newval) >> 8);
 				}
 				if (dwPos >= dwSize)
 				{

Original file line number	Diff line number	Diff line change
`@@ -156,7 +156,7 @@ BOOL MMCMP_Unpack(LPCBYTE *ppMemFile, LPDWORD pdwMemLength)`
`156`	`156`	`{`
`157`	`157`	`DWORD dwMemLength;`
`158`	`158`	`LPCBYTE lpMemFile;`
`159`		`- LPBYTE pBuffer;`
	`159`	`+ LPBYTE pBuffer, pEnd;`
`160`	`160`	`LPMMCMPFILEHEADER pmfh;`
`161`	`161`	`LPMMCMPHEADER pmmh;`
`162`	`162`	`const DWORD *pblk_table;`
`@@ -186,6 +186,7 @@ BOOL MMCMP_Unpack(LPCBYTE *ppMemFile, LPDWORD pdwMemLength)`
`186`	`186`	`dwFileSize = pmmh->filesize;`
`187`	`187`	`if ((pBuffer = (LPBYTE)GlobalAllocPtr(GHND, (dwFileSize + 31) & ~15)) == NULL)`
`188`	`188`	`return FALSE;`
	`189`	`+ pEnd = pBuffer + dwFileSize;`
`189`	`190`	`pblk_table = (const DWORD *)(lpMemFile+pmmh->blktable);`
`190`	`191`	`for (UINT nBlock=0; nBlock<pmmh->nblocks; nBlock++)`
`191`	`192`	`{`
`@@ -302,8 +303,10 @@ BOOL MMCMP_Unpack(LPCBYTE *ppMemFile, LPDWORD pdwMemLength)`
`302`	`303`	`{`
`303`	`304`	`newval ^= 0x8000;`
`304`	`305`	`}`
`305`		`- pDest[dwPos++] = (BYTE) (((WORD)newval) & 0xff);`
`306`		`- pDest[dwPos++] = (BYTE) (((WORD)newval) >> 8);`
	`306`	`+ if (pEnd - pDest < 2) goto err;`
	`307`	`+ dwPos += 2;`
	`308`	`+ *pDest++ = (BYTE) (((WORD)newval) & 0xff);`
	`309`	`+ *pDest++ = (BYTE) (((WORD)newval) >> 8);`
`307`	`310`	`}`
`308`	`311`	`if (dwPos >= dwSize)`
`309`	`312`	`{`