bios_extract: Fix Intel Phoenix segfault with module overflow (N440BX strings - phoedeco can't handle this either)

This commit is contained in:
RichardG867
2022-08-21 17:37:13 -03:00
parent bba8345074
commit 0a5f480184


@@ -318,7 +318,7 @@ static int PhoenixModule(unsigned char *BIOSImage, int BIOSLength, int Offset)
unsigned char *Buffer;
unsigned char *ModuleData;
uint32_t Packed;
int fd, ExtractResult, Remain;
int fd, ExtractResult;
Module = (struct PhoenixModuleHeader *)(BIOSImage + Offset);
@@ -351,13 +351,13 @@ static int PhoenixModule(unsigned char *BIOSImage, int BIOSLength, int Offset)
(Module->Signature[1] == 0x31) && (Module->Signature[2] == 0x31)) {
struct PhoenixModuleHeader NewHeader;
memcpy(&NewHeader, Module, sizeof(struct PhoenixModuleHeader));
NewHeader.ExpLen = Module->ExpLen & 0x00ffffff;
NewHeader.FragLength = Module->FragLength & 0x00ffffff;
NewHeader.ExpLen = Module->ExpLen & le32toh(0x00ffffff);
NewHeader.FragLength = Module->FragLength & le32toh(0x00ffffff);
Module = &NewHeader;
}
valid_signature:
if ((Offset + Module->HeadLen + 4 + le32toh(Module->FragLength)) >
if ((Offset + Module->HeadLen + le32toh(Module->FragLength)) >
BIOSLength) {
fprintf(stderr, "Error: Module overruns buffer at 0x%05X\n",
Offset);
@@ -408,17 +408,16 @@ valid_signature:
FragLength = le32toh(Fragment->FragLength);
printf("(%05X, %d bytes) ", FragOffset, FragLength);
if ((Packed + FragLength > le32toh(Module->ExpLen)) || ((FragOffset + 9 + FragLength) >= BIOSLength)) {
if ((((uint64_t) Packed + FragLength) > le32toh(Module->ExpLen)) || (((uint64_t) FragOffset + 9 + FragLength) > BIOSLength)) {
printf("\nFragment too big at %05X for %05X\n",
FragOffset, Offset);
free(ModuleData);
/* Assume this is an invalid fragment module */
goto BadFragment;
}
Remain = BIOSLength - ((ModuleData + Packed) - BIOSImage);
memcpy(ModuleData + Packed, BIOSImage + FragOffset + 9,
(Remain < FragLength) ? Remain : FragLength);
//SetRemainder(FragOffset + 9, (Remain < FragLength) ? Remain : FragLength, FALSE);
FragLength);
//SetRemainder(FragOffset + 9, FragLength, FALSE);
Packed += FragLength;
FragOffset =
le32toh(Fragment->NextFrag) & (BIOSLength - 1);