From effb5c7c1e3df5e709e0fa95d7dadb0969855cf8 Mon Sep 17 00:00:00 2001
From: Mounir IDRASSI <mounir.idrassi@idrix.fr>
Date: Mon, 6 Oct 2014 16:32:03 +0200
Subject: Windows vulnerability fix : finally make bootloader decompressor more
 robust and secure by adding multiple checks and validation code. This solves
 the issue found by the Open Crypt Audit project. Note that we had to switch
 to the slow implementation of the function decode in order to keep the size
 of the decompressor code under 2K.

---
 src/Boot/Windows/BootSector.asm | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

(limited to 'src/Boot/Windows/BootSector.asm')

diff --git a/src/Boot/Windows/BootSector.asm b/src/Boot/Windows/BootSector.asm
index 74e8381b..1daaadac 100644
--- a/src/Boot/Windows/BootSector.asm
+++ b/src/Boot/Windows/BootSector.asm
@@ -134,6 +134,8 @@ checksum_ok:
 	push dx
 	
 	; Decompress boot loader
+	mov cx, word ptr [start + TC_BOOT_SECTOR_LOADER_LENGTH_OFFSET]
+	push cx																		; Compressed data size
 	push TC_BOOT_LOADER_COMPRESSED_BUFFER_OFFSET + TC_GZIP_HEADER_SIZE			; Compressed data
 	push TC_MAX_BOOT_LOADER_DECOMPRESSED_SIZE									; Output buffer size
 	push TC_BOOT_LOADER_DECOMPRESSOR_MEMORY_SIZE + TC_COM_EXECUTABLE_OFFSET		; Output buffer
@@ -145,7 +147,7 @@ checksum_ok:
 	retf
 decompressor_ret:
 
-	add sp, 6
+	add sp, 8
 	pop dx
 	
 	; Restore boot sector segment
-- 
cgit v1.2.3