Fix header bounds validation in PE page hash calculation

olszomal · mtrojnar · commit 2a5409b7c4b6 · 2026-02-09T16:15:21.000+01:00
diff --git a/pe.c b/pe.c
@@ -1047,7 +1047,7 @@ static u_char *pe_page_hash_calc(int *rphlen, FILE_FORMAT_CTX *ctx, int phtype)
         return NULL;  /* FAILED */
     }
     off = ctx->pe_ctx->header_size + 160 + (size_t)ctx->pe_ctx->pe32plus * 16;
-    if (hdrsize < off) {
+    if (hdrsize < off || hdrsize > filebound) {
         BIO_free_all(bhash);
         return NULL;  /* FAILED: header too small */
     }

Original file line number	Diff line number	Diff line change
`@@ -1047,7 +1047,7 @@ static u_char pe_page_hash_calc(int rphlen, FILE_FORMAT_CTX *ctx, int phtype)`
`1047`	`1047`	`return NULL; /* FAILED */`
`1048`	`1048`	`}`
`1049`	`1049`	`off = ctx->pe_ctx->header_size + 160 + (size_t)ctx->pe_ctx->pe32plus * 16;`
`1050`		`- if (hdrsize < off) {`
	`1050`	`+ if (hdrsize < off \|\| hdrsize > filebound) {`
`1051`	`1051`	`BIO_free_all(bhash);`
`1052`	`1052`	`return NULL; /* FAILED: header too small */`
`1053`	`1053`	`}`