Merge pull request #585 from orbisai0security/fix-v-004-memcpy-zero-size-validation
Some checks failed
vs2022-ci / win-amd64-build (debug, x64) (push) Has been cancelled
vs2022-ci / win-amd64-build (release, x64) (push) Has been cancelled
vs2022-ci / Deploy release (push) Has been cancelled

fix: scriptenginefunctionmemcpy exposes a kernel-mod... in...
This commit is contained in:
Sina Karvandi 2026-05-17 12:40:13 +02:00 committed by GitHub
commit 13ccf7c9b0
No known key found for this signature in database
GPG key ID: B5690EEEBB952194

View file

@ -325,6 +325,17 @@ ScriptEngineFunctionMemcpy(UINT64 Destination, UINT64 Source, UINT32 Num, BOOL *
UINT64 PrevReadLen = 0;
BYTE MovingBuffer[DebuggerScriptEngineMemcpyMovingBufferSize] = {0};
//
// Reject zero-length copies: a Num of 0 would pass address-range
// validation vacuously (checking 0 bytes at any mapped page succeeds),
// which could be abused as a kernel address-mapping oracle.
//
if (Num == 0)
{
*HasError = TRUE;
return;
}
#ifdef SCRIPT_ENGINE_USER_MODE
//