pe: Fix a buffer overflow when SizeOfRawData > VirtualSize - efi-boot-shim.git - (mirror of https://github.com/vyos/efi-boot-shim.git)

diff options

author	Chris Coulson <chris.coulson@canonical.com>	2022-05-03 15:41:00 +0200
committer	Peter Jones <pjones@redhat.com>	2022-05-24 16:28:35 -0400
commit	e99bdbb827a50cde019393d3ca1e89397db221a7 (patch)
tree	2394f33a580cebc6f9e2093bb23fc46096b612f2 /Cryptlib/OpenSSL/crypto/objects/obj_dat.h
parent	77144e5a404df89b45941bfc54fd2f59e0ee607b (diff)
download	efi-boot-shim-e99bdbb827a50cde019393d3ca1e89397db221a7.tar.gz efi-boot-shim-e99bdbb827a50cde019393d3ca1e89397db221a7.zip

pe: Fix a buffer overflow when SizeOfRawData > VirtualSize

During image loading, the size of the destination buffer for the image is determined by the SizeOfImage field in the optional header. The start and end virtual addresses of each section, as determined by each section's VirtualAddress and VirtualSize fields, are bounds checked against the allocated buffer. However, the amount of data copied to the destination buffer is determined by the section's SizeOfRawData filed. If this is larger than the VirtualSize, then the copy can overflow the destination buffer. Fix this by limiting the amount of data to copy to the section's VirtualSize. In the case where a section has SizeOfRawData > VirtualSize, the excess data is discarded. This fixes CVE-2022-28737 Signed-off-by: Chris Coulson <chris.coulson@canonical.com>

Diffstat (limited to 'Cryptlib/OpenSSL/crypto/objects/obj_dat.h')

0 files changed, 0 insertions, 0 deletions


context:
space:
mode: