fix: M2 readString uint32 overflow in bounds check

offset + length was computed in uint32_t before comparing to size_t.
A crafted M2 with offset=0xFFFFFFFF, length=2 wraps to 1 in uint32,
passing the check and reading out of bounds. Now uses size_t arithmetic,
matching the readArray fix from an earlier round.
Kelsi 2026-03-29 20:41:56 -07:00
parent fa1643dc90
commit 16aaf58198

@ -364,7 +364,10 @@ std::vector<T> readArray(const std::vector<uint8_t>& data, uint32_t offset, uint
}
std::string readString(const std::vector<uint8_t>& data, uint32_t offset, uint32_t length) {
if (offset + length > data.size()) {
// Use size_t arithmetic to prevent uint32 wraparound (same fix as readArray).
// A crafted M2 with offset=0xFFFFFFFF, length=2 would wrap to 1 in uint32,
// passing the check and reading out of bounds.
if (static_cast<size_t>(offset) + static_cast<size_t>(length) > data.size()) {
return "";
}
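Review bot: the `static_cast<size_t>` check at the replaced `if` line is still wrappable on targets where `size_t` is 32 bits (e.g. 32-bit ARM or x86 builds), since `offset + length` then overflows exactly as the `uint32_t` version did, so this fix only holds on LP64/LLP64 platforms. A form that cannot overflow on any width is to subtract instead of add, for example `if (length > data.size() || offset > data.size() - length) { return ""; }`, which also guards the case where `length` alone exceeds the buffer. If the two-cast form is kept, it would be worth a `static_assert(sizeof(size_t) > sizeof(uint32_t))` or an explicit note in the comment block above it that the guarantee depends on `size_t` being wider than `uint32_t`; the same caveat applies to the earlier `readArray` change the comment refers to.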