pe.tls.tlsdata.parse_with_opts - integer overflow allows bypassing checks and triggering out of bound read (#448)

BinFlip · web-flow · commit 6f3bdabf6f22 · 2025-04-06T01:34:48.000-07:00
Co-authored-by: BinFlip &lt;code@binflip.rs&gt;
diff --git a/src/pe/tls.rs b/src/pe/tls.rs
@@ -227,7 +227,15 @@ impl<'a> TlsData<'a> {
                         rva
                     ))
                 })?;
-            if offset + size as usize > bytes.len() {
+
+            let offset_end = offset.checked_add(size as usize).ok_or_else(|| {
+                error::Error::Malformed(format!(
+                    "tls start_address_of_raw_data ({:#x}) + size_of_raw_data ({:#x}) casues an integer overflow",
+                    offset, size
+                ))
+            })?;
+
+            if offset > bytes.len() || offset_end > bytes.len() {
                 return Err(error::Error::Malformed(format!(
                     "tls raw data offset ({:#x}) and size ({:#x}) greater than byte slice len ({:#x})",
                     offset, size, bytes.len()
