TE: fix subtract with overflow in TE header parser

kkent030315 · kkent030315 · commit 8a901e29c894 · 2025-03-26T09:43:38.000+09:00
diff --git a/src/pe/header.rs b/src/pe/header.rs
@@ -1209,8 +1209,16 @@ pub const TE_MAGIC: u16 = 0x5a56;
 impl TeHeader {
     /// Parse the TE header from the given bytes.
     pub fn parse(bytes: &[u8], offset: &mut usize) -> error::Result<Self> {
+        const HEADER_SIZE: usize = core::mem::size_of::<TeHeader>();
         let mut header: TeHeader = bytes.gread_with(offset, scroll::LE)?;
-        let adj_offset = header.stripped_size as u32 - core::mem::size_of::<TeHeader>() as u32;
+        let stripped_size = header.stripped_size as u32;
+        let adj_offset = stripped_size
+            .checked_sub(HEADER_SIZE as u32)
+            .ok_or_else(|| {
+                error::Error::Malformed(format!(
+                    "Stripped size ({stripped_size:#x}) is smaller than TE header size ({HEADER_SIZE:#x})",
+                ))
+            })?;
         header.fixup_header(adj_offset);
         Ok(header)
     }
@@ -1352,7 +1360,10 @@ pub fn machine_to_str(machine: u16) -> &'static str {
 
 #[cfg(test)]
 mod tests {
-    use crate::{error, pe::header::DosStub};
+    use crate::{
+        error,
+        pe::header::{DosStub, TeHeader},
+    };
 
     use super::{
         machine_to_str, Header, RichHeader, RichMetadata, COFF_MACHINE_X86, DOS_MAGIC, PE_MAGIC,
@@ -1534,6 +1545,16 @@ mod tests {
         0x00,
     ];
 
+    /// Malformed very small TE with valid TE magic.
+    ///
+    /// https://github.com/m4b/goblin/issues/450
+    const MALFORMED_SMALL_TE: [u8; 58] = [
+        0x56, 0x5A, 0x52, 0x5A, 0x50, 0x00, 0x17, 0x00, 0x00, 0x00, 0x36, 0x00, 0x00, 0x00, 0x00,
+        0x10, 0x86, 0x02, 0x0C, 0x00, 0x00, 0x01, 0x01, 0x01, 0x01, 0x1B, 0x01, 0x01, 0x00, 0x00,
+        0xFF, 0xB5, 0x00, 0x00, 0x00, 0x04, 0x34, 0x00, 0x00, 0xFF, 0xB5, 0x00, 0x00, 0x00, 0x04,
+        0x34, 0x15, 0x40, 0x13, 0x41, 0x0E, 0x10, 0x15, 0x40, 0x13, 0x41, 0x0E, 0x10,
+    ];
+
     #[test]
     fn crss_header() {
         let header = Header::parse(&&CRSS_HEADER[..]).unwrap();
@@ -1656,4 +1677,19 @@ mod tests {
         let header_result = RichHeader::parse(&CORRUPTED_RICH_HEADER);
         assert_eq!(header_result.is_err(), true);
     }
+
+    #[test]
+    fn parse_malformed_small_te() {
+        let mut offset = 0;
+        let header = TeHeader::parse(&MALFORMED_SMALL_TE, &mut offset);
+        assert_eq!(header.is_err(), true);
+        if let Err(error::Error::Malformed(msg)) = header {
+            assert_eq!(
+                msg,
+                "Stripped size (0x17) is smaller than TE header size (0x28)"
+            );
+        } else {
+            panic!("Expected a Malformed error but got {:?}", header);
+        }
+    }
 }
