Open PeterMatula opened 6 years ago
I analyzed the problem. `PeUpxStub<bits>::fixSizeOfSections()` in `src/unpackertool/plugins/upx/pe/pe_upx_stub.cpp` contains the following line:

```cpp
_newPeFile->peHeader().setVirtualAddress(_upx0Sect->getSecSeg()->getIndex() + 1, _newPeFile->peHeader().getVirtualAddress(_upx0Sect->getSecSeg()->getIndex() + 1) + diff);
```

The `_newPeFile->peHeader().setVirtualAddress()` call calls `PeHeaderT<x>::getVirtualAddress()`, which comes from `pelib/include/pelib/PeHeader.h`:

```cpp
template<int x>
dword PeHeaderT<x>::getVirtualAddress(word wSectionnr) const
{
	// wSectionnr is used as-is; nothing checks it against m_vIsh.size()
	return m_vIsh[wSectionnr].VirtualAddress;
}
```

In that call, the value of `wSectionnr` is 4. However, `m_vIsh.size()` is also 4, which causes an out-of-bounds read from invalid memory (the only valid indexes are 0 through 3).
Unpacking of this file crashes.
Command:
Output:
First problem in valgrind:
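As an added illustration (not code from the issue, RetDec or pelib): a small model of the section-header table in which the `index + 1` adjustment is guarded, so the case described above (index 4 in a table of size 4) is rejected instead of read out of bounds. `SectionTable`, `shiftSectionAfter`, `lookupRejected` and the sample virtual addresses are hypothetical.

```cpp
#include <cstddef>
#include <cstdint>
#include <stdexcept>
#include <utility>
#include <vector>

// Added example, not pelib/RetDec code: a minimal model of the PE section
// header table and of the "index + 1" access made by fixSizeOfSections().
struct SectionHeader {
    std::uint32_t VirtualAddress;
};
class SectionTable {
public:
    explicit SectionTable(std::vector<SectionHeader> h) : m_vIsh(std::move(h)) {}
    // Hardened counterpart of the accessor quoted in the issue: vector::at()
    // throws std::out_of_range for wSectionnr == m_vIsh.size() instead of
    // reading one element past the end, as operator[] does.
    std::uint32_t getVirtualAddress(std::uint16_t wSectionnr) const {
        return m_vIsh.at(wSectionnr).VirtualAddress;
    }
    void setVirtualAddress(std::uint16_t wSectionnr, std::uint32_t va) {
        m_vIsh.at(wSectionnr).VirtualAddress = va;
    }
    std::size_t size() const { return m_vIsh.size(); }
private:
    std::vector<SectionHeader> m_vIsh;
};

// Models moving the section that follows UPX0 by `diff`. The guard covers the
// case from the issue: UPX0 is the last section, so index + 1 == size().
bool shiftSectionAfter(SectionTable& t, std::size_t upx0Index, std::uint32_t diff) {
    const std::size_t next = upx0Index + 1;
    if (next >= t.size()) {
        return false;  // no section after UPX0, nothing to adjust
    }
    const auto n = static_cast<std::uint16_t>(next);
    t.setVirtualAddress(n, t.getVirtualAddress(n) + diff);
    return true;
}

// Reports whether the hardened accessor rejected an index (used by the checks).
bool lookupRejected(const SectionTable& t, std::uint16_t wSectionnr) {
    try {
        (void)t.getVirtualAddress(wSectionnr);
        return false;
    } catch (const std::out_of_range&) {
        return true;
    }
}
```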