@@ -231,19 +231,25 @@ cl_error_t wwunpack(uint8_t *exe, uint32_t exesz, uint8_t *wwsect, struct cli_ex
231231 }
232232
233233 if (CL_SUCCESS == error ) {
234- if (pe + 6 > exesz || pe + 7 > exesz || pe + 0x28 > exesz ||
235- pe + 0x50 > exesz || pe + 0x14 > exesz )
236- return CL_EFORMAT ;
237234
238235 exe [pe + 6 ] = (uint8_t )scount ;
239236 exe [pe + 7 ] = (uint8_t )(scount >> 8 );
240- if (!CLI_ISCONTAINED (wwsect , sects [scount ].rsz , wwsect + 0x295 , 4 ))
237+
238+ if (!CLI_ISCONTAINED (wwsect , sects [scount ].rsz , wwsect + 0x295 , 4 )) {
239+ cli_dbgmsg ("WWPack: unpack memory address out of bounds.\n" );
240+ return CL_EFORMAT ;
241+ }
242+ cli_writeint32 (& exe [pe + 0x28 ], cli_readint32 (wwsect + 0x295 ) + sects [scount ].rva + 0x299 );
243+
244+ if (!CLI_ISCONTAINED (exe , exesz , exe + pe + 0x50 , 4 )) {
241245 cli_dbgmsg ("WWPack: unpack memory address out of bounds.\n" );
242- else
243- cli_writeint32 ( & exe [ pe + 0x28 ], cli_readint32 ( wwsect + 0x295 ) + sects [ scount ]. rva + 0x299 );
246+ return CL_EFORMAT ;
247+ }
244248 cli_writeint32 (& exe [pe + 0x50 ], cli_readint32 (& exe [pe + 0x50 ]) - sects [scount ].vsz );
245249
250+ // Bounds check not required here, because we know exesz > pe + 0x50 + 4
246251 structs = & exe [(0xffff & cli_readint32 (& exe [pe + 0x14 ])) + pe + 0x18 ];
252+
247253 for (i = 0 ; i < scount ; i ++ ) {
248254 if (!CLI_ISCONTAINED (exe , exesz , structs , 0x28 )) {
249255 cli_dbgmsg ("WWPack: structs pointer out of bounds\n" );
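Review bot: The stores to `exe[pe + 6]`, `exe[pe + 7]` and `&exe[pe + 0x28]` now run before any visible check of `pe` against `exesz`, because the removed guard was the only one in this hunk that covered them and the new `CLI_ISCONTAINED(exe, exesz, exe + pe + 0x50, 4)` test comes after them. Unless `pe` is validated earlier in wwunpack (the function begins outside this hunk), a malformed `pe` makes those three stores out-of-bounds writes on the buffer being scanned. A single check ahead of the first store would cover every fixed offset used in this block: `if (!CLI_ISCONTAINED(exe, exesz, exe + pe, 0x54)) { cli_dbgmsg("WWPack: PE header offset out of bounds.\n"); return CL_EFORMAT; }`. The comment above `structs` should then refer to that check, and as written it should read `exesz >= pe + 0x50 + 4`, since that is what the containment test establishes. The two `cli_dbgmsg` calls also print the same text, so giving each its own message would show which bound failed when triaging a sample.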