TE: fix subtract with overflow in TE header parser (#452)

kkent030315 · dapa · web-flow · commit 8fda7a828993 · 2025-04-08T01:45:26.000-07:00
Co-authored-by: dapa &lt;dapa@github&gt;
diff --git a/src/pe/header.rs b/src/pe/header.rs
@@ -1221,8 +1221,16 @@ pub const TE_MAGIC: u16 = 0x5a56;
 impl TeHeader {
     /// Parse the TE header from the given bytes.
     pub fn parse(bytes: &[u8], offset: &mut usize) -> error::Result<Self> {
+        const HEADER_SIZE: usize = core::mem::size_of::<TeHeader>();
         let mut header: TeHeader = bytes.gread_with(offset, scroll::LE)?;
-        let adj_offset = header.stripped_size as u32 - core::mem::size_of::<TeHeader>() as u32;
+        let stripped_size = header.stripped_size as u32;
+        let adj_offset = stripped_size
+            .checked_sub(HEADER_SIZE as u32)
+            .ok_or_else(|| {
+                error::Error::Malformed(format!(
+                    "Stripped size ({stripped_size:#x}) is smaller than TE header size ({HEADER_SIZE:#x})",
+                ))
+            })?;
         header.fixup_header(adj_offset);
         Ok(header)
     }
@@ -1364,7 +1372,10 @@ pub fn machine_to_str(machine: u16) -> &'static str {
 
 #[cfg(test)]
 mod tests {
-    use crate::{error, pe::header::DosStub};
+    use crate::{
+        error,
+        pe::header::{DosStub, TeHeader},
+    };
 
     use super::{
         machine_to_str, DosHeader, Header, RichHeader, RichMetadata, COFF_MACHINE_X86, DOS_MAGIC,
@@ -1585,6 +1596,16 @@ mod tests {
         0x00,
     ];
 
+    /// Malformed very small TE with valid TE magic.
+    ///
+    /// https://github.com/m4b/goblin/issues/450
+    const MALFORMED_SMALL_TE: [u8; 58] = [
+        0x56, 0x5A, 0x52, 0x5A, 0x50, 0x00, 0x17, 0x00, 0x00, 0x00, 0x36, 0x00, 0x00, 0x00, 0x00,
+        0x10, 0x86, 0x02, 0x0C, 0x00, 0x00, 0x01, 0x01, 0x01, 0x01, 0x1B, 0x01, 0x01, 0x00, 0x00,
+        0xFF, 0xB5, 0x00, 0x00, 0x00, 0x04, 0x34, 0x00, 0x00, 0xFF, 0xB5, 0x00, 0x00, 0x00, 0x04,
+        0x34, 0x15, 0x40, 0x13, 0x41, 0x0E, 0x10, 0x15, 0x40, 0x13, 0x41, 0x0E, 0x10,
+    ];
+
     const WELL_FORMED_WITH_RICH_HEADER: &[u8] =
         include_bytes!("../../tests/bins/pe/well_formed_import.exe.bin");
 
@@ -1713,6 +1734,20 @@ mod tests {
     }
 
     #[test]
+    fn parse_malformed_small_te() {
+        let mut offset = 0;
+        let header = TeHeader::parse(&MALFORMED_SMALL_TE, &mut offset);
+        assert_eq!(header.is_err(), true);
+        if let Err(error::Error::Malformed(msg)) = header {
+            assert_eq!(
+                msg,
+                "Stripped size (0x17) is smaller than TE header size (0x28)"
+            );
+        } else {
+            panic!("Expected a Malformed error but got {:?}", header);
+        }
+    }
+
     fn parse_with_omitted_dos_stub() {
         let header = Header::parse(&HEADER_WITH_OMITTED_DOS_STUB).unwrap();
 
