Nytro

MS14-066 schannel.dll diff (Windows 2003 SP2)


MS14-066 schannel.dll diff (Windows 2003 SP2)

@@ -29399,13 +29399,13 @@
int __stdcall SPVerifySignature(HCRYPTPROV hProv, int a2, ALG_ID Algid, BYTE *pbData, DWORD dwDataLen, BYTE *pbEncoded, DWORD cbEncoded, int a8)
{
signed int v8; // esi@4
- BOOL v9; // eax@8
+ BOOL v9; // eax@9
DWORD v10; // eax@14
- DWORD pcbStructInfo; // [sp+Ch] [bp-3Ch]@11
+ DWORD pcbStructInfo; // [sp+Ch] [bp-3Ch]@13
HCRYPTKEY phKey; // [sp+10h] [bp-38h]@1
HCRYPTHASH phHash; // [sp+14h] [bp-34h]@1
BYTE *pbSignature; // [sp+18h] [bp-30h]@1
- char pvStructInfo; // [sp+1Ch] [bp-2Ch]@11
+ char pvStructInfo; // [sp+1Ch] [bp-2Ch]@13

phKey = 0;
phHash = 0;
@@ -29416,39 +29416,40 @@
if ( !pbSignature )
{
v8 = -2146893056;
- goto LABEL_18;
+ goto LABEL_20;
}
- if ( !CryptImportKey(hProv, *(const BYTE **)a2, *(_DWORD *)(a2 + 4), 0, 0, &phKey)
- || !CryptCreateHash(hProv, Algid, 0, 0, &phHash) )
- goto LABEL_12;
- v9 = a8 ? CryptHashData(phHash, pbData, dwDataLen, 0) : CryptSetHashParam(phHash, 2u, pbData, 0);
- if ( !v9 )
- goto LABEL_12;
- if ( *(_DWORD *)(*(_DWORD *)a2 + 4) == 8704 )
+ if ( CryptImportKey(hProv, *(const BYTE **)a2, *(_DWORD *)(a2 + 4), 0, 0, &phKey)
+ && CryptCreateHash(hProv, Algid, 0, 0, &phHash) )
{
- pcbStructInfo = 40;
- if ( !CryptDecodeObject(1u, (LPCSTR)0x28, pbEncoded, cbEncoded, 0, &pvStructInfo, &pcbStructInfo) )
+ v9 = a8 ? CryptHashData(phHash, pbData, dwDataLen, 0) : CryptSetHashParam(phHash, 2u, pbData, 0);
+ if ( v9 )
{
-LABEL_12:
- GetLastError();
- v8 = 3;
- goto LABEL_18;
+ if ( *(_DWORD *)(*(_DWORD *)a2 + 4) != 8704 )
+ {
+ ReverseMemCopy((unsigned int)pbSignature, (int)pbEncoded, cbEncoded);
+LABEL_18:
+ v8 = CryptVerifySignatureA(phHash, pbSignature, cbEncoded, phKey, 0, 0) != 0 ? 0 : -2147483391;
+ goto LABEL_20;
+ }
+ pcbStructInfo = 40;
+ if ( CryptDecodeObject(1u, (LPCSTR)0x28, pbEncoded, cbEncoded, 0, &pvStructInfo, &pcbStructInfo) )
+ {
+ v10 = pcbStructInfo;
+ if ( pcbStructInfo > cbEncoded )
+ goto LABEL_15;
+ qmemcpy(pbSignature, &pvStructInfo, pcbStructInfo);
+ cbEncoded = v10;
+ goto LABEL_18;
+ }
}
- v10 = pcbStructInfo;
- qmemcpy(pbSignature, &pvStructInfo, pcbStructInfo);
- cbEncoded = v10;
}
- else
- {
- ReverseMemCopy((unsigned int)pbSignature, (int)pbEncoded, cbEncoded);
- }
- v8 = CryptVerifySignatureA(phHash, pbSignature, cbEncoded, phKey, 0, 0) != 0 ? 0 : -2147483391;
- }
- else
- {
- v8 = -1;
+ GetLastError();
+LABEL_15:
+ v8 = 3;
+ goto LABEL_20;
}
-LABEL_18:
+ v8 = -1;
+LABEL_20:
if ( phKey )
CryptDestroyKey(phKey);
if ( phHash )
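Review bot: The new `pcbStructInfo > cbEncoded` guard before the `qmemcpy` on the `8704` path is sound only if `pbSignature` was allocated with at least `cbEncoded` bytes, and that allocation sits between the two hunks, outside what is shown; the same assumption covers the `ReverseMemCopy(..., cbEncoded)` call on the other path. The decompiler constants hide which case is being bounded, so a comment such as `/* 8704 = 0x2200 (CALG_DSS_SIGN); (LPCSTR)0x28 = X509_DSS_SIGNATURE, decoded into a fixed 40-byte r||s buffer */` above the `pcbStructInfo = 40;` line would make the intent readable. Retyping `pvStructInfo` from `char` to a 40-byte array in the listing would likewise show that the copy source is a fixed-size stack buffer. As decompiled, the rejected-length case leaves through `LABEL_15` with the same `v8 = 3` as a CryptoAPI failure, so the return value alone does not distinguish a malformed signature length from an ordinary decode or hash error.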
@@ -29458,7 +29459,7 @@
return v8;
}

Sursa: https://gist.github.com/hmoore-r7/01a2940edba33f19dec3
