From 0866a1996b6bb1b31fab38115845f4ed16a73c74 Mon Sep 17 00:00:00 2001
From: "Markus F.X.J. Oberhumer"
Date: Sun, 13 Mar 2005 16:43:30 +0000
Subject: [PATCH] Added two checks for buffer overflows as suggested by Giovanni Bajo.

committer: mfx 1110732210 +0000
---
 src/p_w32pe.cpp | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/src/p_w32pe.cpp b/src/p_w32pe.cpp
index 0c0538f8..f6f40717 100644
--- a/src/p_w32pe.cpp
+++ b/src/p_w32pe.cpp
@@ -1697,6 +1697,8 @@ void PackW32Pe::pack(OutputFile *fo)
 jc = isection[ic].vsize;
 if (isection[ic].vsize == 0) // hack for some tricky programs - may this break other progs?
 jc = isection[ic].vsize = isection[ic].size;
+ if (isection[ic].vaddr + jc > ibuf.getSize())
+ throwInternalError("buffer too small 1");
 fi->readx(ibuf + isection[ic].vaddr,jc);
 jc += isection[ic].rawdataptr;
 }
@@ -1748,6 +1750,8 @@ void PackW32Pe::pack(OutputFile *fo)
 unsigned newvsize = (isection[objs-1].vaddr + isection[objs-1].vsize + oam1) &~ oam1;
 //fprintf(stderr,"newvsize=%x objs=%d\n",newvsize,objs);
+ if (newvsize + soimport + sorelocs > ibuf.getSize())
+ throwInternalError("buffer too small 2");
 memcpy(ibuf+newvsize,oimport,soimport);
 memcpy(ibuf+newvsize+soimport,orelocs,sorelocs);
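Review bot: The new bounds check `isection[ic].vaddr + jc > ibuf.getSize()` in the first hunk can be defeated by unsigned wrap-around: `vaddr` and `jc` come from the input PE section table, and if their sum overflows (assuming they are 32-bit unsigned, as the `unsigned` declarations in the second hunk suggest) the comparison passes and `fi->readx(ibuf + isection[ic].vaddr, jc)` still writes past the end of `ibuf`. Rewriting it in subtraction form avoids the overflow: `if (isection[ic].vaddr > ibuf.getSize() || jc > ibuf.getSize() - isection[ic].vaddr)`. The same pattern applies to the second hunk, where `newvsize + soimport + sorelocs` is summed before the comparison and `newvsize` itself is produced by a `+ oam1` rounding that can wrap; checking `newvsize > ibuf.getSize()` first and then comparing the remaining room `ibuf.getSize() - newvsize` against `soimport + sorelocs` closes that gap. Since both checks reject malformed input rather than a packer bug, a `throwCantPack` error would describe the condition better than `throwInternalError`, and the numeric suffixes in "buffer too small 1"/"2" could name the section being read and the import/reloc copy respectively. The enclosing `PackW32Pe::pack` begins and ends outside both hunks.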