win: Don't attempt to read a nonexistent IMAGE_DIRECTORY_ENTRY_DEBUG

snapshot/win/pe_image_reader.cc

 // Copyright 2015 The Crashpad Authors. All rights reserved.
 //
 // Licensed under the Apache License, Version 2.0 (the "License");
 // you may not use this file except in compliance with the License.
 // You may obtain a copy of the License at
 //
 //     http://www.apache.org/licenses/LICENSE-2.0
 //
 // Unless required by applicable law or agreed to in writing, software
 // distributed under the License is distributed on an "AS IS" BASIS,
@@ skipping 125 matching lines @@
   } else {
     return ReadDebugDirectoryInformation<IMAGE_NT_HEADERS32>(
         uuid, age, pdbname);
   }
 }
 
 template <class NtHeadersType>
 bool PEImageReader::ReadDebugDirectoryInformation(UUID* uuid,
                                                   DWORD* age,
                                                   std::string* pdbname) const {
-  WinVMAddress nt_headers_address;
   NtHeadersType nt_headers;
-  if (!ReadNtHeaders(&nt_headers_address, &nt_headers))
+  if (!ReadNtHeaders(&nt_headers, nullptr))
     return false;
 
+  if (nt_headers.FileHeader.SizeOfOptionalHeader <
+          offsetof(decltype(nt_headers.OptionalHeader),
+                   DataDirectory[IMAGE_DIRECTORY_ENTRY_DEBUG]) +
+              sizeof(nt_headers.OptionalHeader
+                         .DataDirectory[IMAGE_DIRECTORY_ENTRY_DEBUG]) ||
+      nt_headers.OptionalHeader.NumberOfRvaAndSizes <=
+          IMAGE_DIRECTORY_ENTRY_DEBUG) {
+    return false;
+  }
+
   const IMAGE_DATA_DIRECTORY& data_directory =
       nt_headers.OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_DEBUG];
   if (data_directory.VirtualAddress == 0 || data_directory.Size == 0)
     return false;
   IMAGE_DEBUG_DIRECTORY debug_directory;
   if (data_directory.Size % sizeof(debug_directory) != 0)
     return false;
   for (size_t offset = 0; offset < data_directory.Size;
        offset += sizeof(debug_directory)) {
     if (!CheckedReadMemory(Address() + data_directory.VirtualAddress + offset,
@@ skipping 34 matching lines @@
     // where the binary was linked. We have no idea what that was, so we just
     // assume ASCII.
     *pdbname = std::string(reinterpret_cast<char*>(&codeview->pdb_name[0]));
     return true;
   }
 
   return false;
 }
 
 template <class NtHeadersType>
-bool PEImageReader::ReadNtHeaders(WinVMAddress* nt_headers_address,
-                                  NtHeadersType* nt_headers) const {
+bool PEImageReader::ReadNtHeaders(NtHeadersType* nt_headers,
+                                  WinVMAddress* nt_headers_address) const {
   IMAGE_DOS_HEADER dos_header;
   if (!CheckedReadMemory(Address(), sizeof(IMAGE_DOS_HEADER), &dos_header)) {
     LOG(WARNING) << "could not read dos header of " << module_name_;
     return false;
   }
 
   if (dos_header.e_magic != IMAGE_DOS_SIGNATURE) {
     LOG(WARNING) << "invalid e_magic in dos header of " << module_name_;
     return false;
   }
 
-  *nt_headers_address = Address() + dos_header.e_lfanew;
+  WinVMAddress local_nt_headers_address = Address() + dos_header.e_lfanew;
   if (!CheckedReadMemory(
-          *nt_headers_address, sizeof(NtHeadersType), nt_headers)) {
+          local_nt_headers_address, sizeof(NtHeadersType), nt_headers)) {
     LOG(WARNING) << "could not read nt headers of " << module_name_;
     return false;
   }
 
   if (nt_headers->Signature != IMAGE_NT_SIGNATURE) {
     LOG(WARNING) << "invalid signature in nt headers of " << module_name_;
     return false;
   }
 
+  if (nt_headers_address)
+    *nt_headers_address = local_nt_headers_address;
+
   return true;
 }
 
 template <class NtHeadersType>
 bool PEImageReader::GetSectionByName(const std::string& name,
                                      IMAGE_SECTION_HEADER* section) const {
   if (name.size() > sizeof(section->Name)) {
     LOG(WARNING) << "supplied section name too long " << name;
     return false;
   }
 
+  NtHeadersType nt_headers;
   WinVMAddress nt_headers_address;
-  NtHeadersType nt_headers;
-  if (!ReadNtHeaders(&nt_headers_address, &nt_headers))
+  if (!ReadNtHeaders(&nt_headers, &nt_headers_address))
     return false;
 
   WinVMAddress first_section_address =
       nt_headers_address + offsetof(NtHeadersType, OptionalHeader) +
       nt_headers.FileHeader.SizeOfOptionalHeader;
   for (DWORD i = 0; i < nt_headers.FileHeader.NumberOfSections; ++i) {
     WinVMAddress section_address =
         first_section_address + sizeof(IMAGE_SECTION_HEADER) * i;
     if (!CheckedReadMemory(
             section_address, sizeof(IMAGE_SECTION_HEADER), section)) {
@@ skipping 29 matching lines @@
 // Explicit instantiations with the only 2 valid template arguments to avoid
 // putting the body of the function in the header.
 template bool PEImageReader::GetCrashpadInfo<process_types::internal::Traits32>(
     process_types::CrashpadInfo<process_types::internal::Traits32>*
         crashpad_info) const;
 template bool PEImageReader::GetCrashpadInfo<process_types::internal::Traits64>(
     process_types::CrashpadInfo<process_types::internal::Traits64>*
         crashpad_info) const;
 
 }  // namespace crashpad