COFF: fix subtract with overflow in COFF header parser (#453)

kkent030315 · dapa · web-flow · commit f06b768709d8 · 2025-04-09T00:37:26.000-07:00
Co-authored-by: dapa &lt;dapa@github&gt;
diff --git a/src/pe/header.rs b/src/pe/header.rs
@@ -841,7 +841,12 @@ impl CoffHeader {
             + symbol::SymbolTable::size(self.number_of_symbol_table as usize);
 
         let length_field_size = core::mem::size_of::<u32>();
-        let length = bytes.pread_with::<u32>(offset, scroll::LE)? as usize - length_field_size;
+        let length = bytes
+            .pread_with::<u32>(offset, scroll::LE)?
+            .checked_sub(length_field_size as u32)
+            .ok_or(error::Error::Malformed(format!(
+                "COFF length field size ({length_field_size:#x}) is larger than the parsed length value"
+            )))? as usize;
 
         // The offset needs to be advanced in order to read the strings.
         offset += length_field_size;
@@ -1374,7 +1379,10 @@ pub fn machine_to_str(machine: u16) -> &'static str {
 mod tests {
     use crate::{
         error,
-        pe::header::{DosStub, TeHeader},
+        pe::{
+            header::{DosStub, TeHeader},
+            Coff,
+        },
     };
 
     use super::{
@@ -1596,6 +1604,14 @@ mod tests {
         0x00,
     ];
 
+    /// An invalid small COFF object file
+    ///
+    /// https://github.com/m4b/goblin/issues/450
+    const INVALID_COFF_OBJECT: [u8; 20] = [
+        0x4C, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
+        0x00, 0x0F, 0x00, 0xFF, 0x80,
+    ];
+
     /// Malformed very small TE with valid TE magic.
     ///
     /// https://github.com/m4b/goblin/issues/450
@@ -1748,6 +1764,20 @@ mod tests {
         }
     }
 
+    #[test]
+    fn parse_invalid_small_coff() {
+        let header = Coff::parse(&INVALID_COFF_OBJECT);
+        assert_eq!(header.is_err(), true);
+        if let Err(error::Error::Malformed(msg)) = header {
+            assert_eq!(
+                msg,
+                "COFF length field size (0x4) is larger than the parsed length value"
+            );
+        } else {
+            panic!("Expected a Malformed error but got {:?}", header);
+        }
+    }
+
     fn parse_with_omitted_dos_stub() {
         let header = Header::parse(&HEADER_WITH_OMITTED_DOS_STUB).unwrap();
 
