pe.debug.POGOInfo.parse_with_opts - Possible integer overflow and out of bound memory access (#449)

Co-authored-by: BinFlip <[email protected]>

Author: BinFlip

src/pe/debug.rs

@@ -729,13 +729,28 @@ impl<'a> POGOInfo<'a> {
             return Ok(None);
         }
 
-        if offset + idd.size_of_data as usize - POGO_SIGNATURE_SIZE > bytes.len() {
+        if idd.size_of_data as usize <= POGO_SIGNATURE_SIZE {
             return Err(error::Error::Malformed(format!(
-                    "ImageDebugDirectory offset {:#x} and size {:#x} exceeds the bounds of the bytes size {:#x}",
-                    offset, idd.size_of_data, bytes.len()
+                    "ImageDebugDirectory size_of_data {:#x} is smaller or equal to POGO_SIGNATURE_SIZE {:#x}",
+                    idd.size_of_data, POGO_SIGNATURE_SIZE
                 )));
         }
-        let data = &bytes[offset..offset + idd.size_of_data as usize - POGO_SIGNATURE_SIZE];
+
+        let offset_end = offset.checked_add(idd.size_of_data as usize - POGO_SIGNATURE_SIZE).ok_or_else(|| {
+            error::Error::Malformed(format!(
+                "ImageDebugDirectory offset ({:#x}) and size ({:#x}) cause an integer overflow",
+                offset, idd.size_of_data as usize - POGO_SIGNATURE_SIZE
+            ))
+        })?;
+
+        if offset > bytes.len() || offset_end > bytes.len() {
+            return Err(error::Error::Malformed(format!(
+                    "ImageDebugDirectory offset_start {:#x} or offset_end {:#x} exceed the bounds of the bytes size {:#x}",
+                    offset, offset_end, bytes.len()
+                )));
+        }
+        
+        let data = &bytes[offset..offset_end];
         Ok(Some(POGOInfo { signature, data }))
     }