From 5f64876076e6d60f4cabc62892a2d857d6e3b02f Mon Sep 17 00:00:00 2001 From: Matthew Garrett Date: Mon, 9 Jul 2012 10:17:13 -0400 Subject: Cryptlib update --- Cryptlib/Pk/CryptAuthenticode.c | 12 ++++++++++++ 1 file changed, 12 insertions(+) (limited to 'Cryptlib/Pk/CryptAuthenticode.c') diff --git a/Cryptlib/Pk/CryptAuthenticode.c b/Cryptlib/Pk/CryptAuthenticode.c index a1f8c58e..a4f62b22 100644 --- a/Cryptlib/Pk/CryptAuthenticode.c +++ b/Cryptlib/Pk/CryptAuthenticode.c @@ -1,6 +1,14 @@ /** @file Authenticode Portable Executable Signature Verification over OpenSSL. + Caution: This module requires additional review when modified. + This library will have external input - signature (e.g. PE/COFF Authenticode). + This external input must be validated carefully to avoid security issue like + buffer overflow, integer overflow. + + AuthenticodeVerify() will get PE/COFF Authenticode and will do basic check for + data structure. + Copyright (c) 2011 - 2012, Intel Corporation. All rights reserved.
This program and the accompanying materials are licensed and made available under the terms and conditions of the BSD License @@ -26,6 +34,10 @@ WITHOUT WARRANTIES OR REPRESENTATIONS OF ANY KIND, EITHER EXPRESS OR IMPLIED. If AuthData is NULL, then return FALSE. If ImageHash is NULL, then return FALSE. + Caution: This function may receive untrusted input. + PE/COFF Authenticode is external input, so this function will do basic check for + Authenticode data structure. + @param[in] AuthData Pointer to the Authenticode Signature retrieved from signed PE/COFF image to be verified. @param[in] DataSize Size of the Authenticode Signature in bytes. -- cgit v1.2.3