From cd3f22ecddb6d63a7de8eec667da7efa678570b9 Mon Sep 17 00:00:00 2001
From: RichardG867
Date: Wed, 13 Apr 2022 11:26:28 -0300
Subject: [PATCH] bios_extract: Fix Phoenix-related segfaults
---
 bios_extract/src/lh5_extract.c | 2 +-
 bios_extract/src/phoenix.c | 7 ++++---
 2 files changed, 5 insertions(+), 4 deletions(-)
diff --git a/bios_extract/src/lh5_extract.c b/bios_extract/src/lh5_extract.c
index 2f6fa85..bd50ed5 100644
--- a/bios_extract/src/lh5_extract.c
+++ b/bios_extract/src/lh5_extract.c
@@ -543,7 +543,7 @@ LH5Decode(unsigned char *PackedBuffer, int PackedBufferSize,
 if (offset > n)
 return -1;
- for (i = 0; i < length; i++) {
+ for (i = 0; (i < length) && (n < OutputBufferSize); i++) {
 OutputBuffer[n] = OutputBuffer[n - offset];
 n++;
 }
diff --git a/bios_extract/src/phoenix.c b/bios_extract/src/phoenix.c
index 563b343..60c4e97 100644
--- a/bios_extract/src/phoenix.c
+++ b/bios_extract/src/phoenix.c
@@ -317,7 +317,7 @@ static int PhoenixModule(unsigned char *BIOSImage, int BIOSLength, int Offset)
 unsigned char *Buffer;
 unsigned char *ModuleData;
 uint32_t Packed;
- int fd, ExtractResult;
+ int fd, ExtractResult, Remain;
 Module = (struct PhoenixModuleHeader *)(BIOSImage + Offset);
@@ -396,15 +396,16 @@ valid_signature:
 FragLength = le32toh(Fragment->FragLength);
 printf("(%05X, %d bytes) ", FragOffset, FragLength);
- if (Packed + FragLength > le32toh(Module->ExpLen)) {
+ if ((Packed + FragLength > le32toh(Module->ExpLen)) || ((FragOffset + 9 + FragLength) >= BIOSLength)) {
 printf("\nFragment too big at %05X for %05X\n", FragOffset, Offset);
 free(ModuleData);
 /* Assume this is an invalid fragment module */
 goto BadFragment;
 }
+ Remain = BIOSLength - ((ModuleData + Packed) - BIOSImage);
 memcpy(ModuleData + Packed, BIOSImage + FragOffset + 9,
- FragLength);
+ (Remain < FragLength) ? Remain : FragLength);
 Packed += FragLength;
 FragOffset = le32toh(Fragment->NextFrag) & (BIOSLength - 1);
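Review bot: The new `n < OutputBufferSize` bound on the copy loop stops the out-of-bounds write but swallows the condition: when `n` reaches `OutputBufferSize` part-way through a back-reference, the remaining `length - i` bytes are dropped and the caller is never told, whereas the `offset > n` case one line above reports malformed input with `return -1`. Unless a caller depends on receiving a partially filled buffer, the same convention should apply here, `if (i < length) return -1;` after the loop, or at minimum the choice should be documented with a comment such as `/* Clamp the back-reference copy to the output buffer; excess bytes are dropped, not reported. */`. LH5Decode's body, including whatever outer loop drives `n`, continues outside the hunk, so it is not visible here whether the decoder terminates cleanly once `n == OutputBufferSize`.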
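Review bot: `Remain` is computed from `(ModuleData + Packed) - BIOSImage`, but the `free(ModuleData)` a few lines above shows ModuleData is a separate heap allocation, so this subtracts pointers into unrelated objects (undefined behaviour in C) and the result says nothing about how many source bytes remain after `BIOSImage + FragOffset + 9`; a source-relative clamp would be `Remain = BIOSLength - (FragOffset + 9);`. Even then a clamped copy is inconsistent, because `Packed += FragLength` still advances by the full length and leaves uncopied bytes in ModuleData, so a fragment that does not fit should take the existing `BadFragment` path rather than be silently shortened. The added test `(FragOffset + 9 + FragLength) >= BIOSLength` already rejects every fragment the clamp would shorten unless the addition wraps, so the robust fix is a wrap-free form of that test, e.g. `FragOffset + 9 >= BIOSLength || FragLength >= BIOSLength - 9 - FragOffset` (assuming FragOffset and FragLength are unsigned; their declarations are outside the hunk), and dropping `Remain` altogether. Note also that `Fragment->FragLength` is read at the top of the hunk before any bounds check, so if FragOffset lies within 9 bytes of BIOSLength that header read is itself out of bounds; the assignment of `Fragment` and the enclosing loop are outside the hunk.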