From f1d4c6266c3d44fda5e78a5c151bed5d2878f5cd Mon Sep 17 00:00:00 2001
From: rabbitstack
Date: Wed, 11 Feb 2026 19:48:51 +0100
Subject: [PATCH] fix(event): Registry data buffer bound checks

In some occasions, the registry data buffer is provided without enough length to satisfy the underlying value type. To prevent panics, when converting the buffer to an integer data type, incorporate bound checks.
---
 pkg/event/param_windows.go | 35 ++++++++++++++++++++++++++++++++---
 1 file changed, 32 insertions(+), 3 deletions(-)

diff --git a/pkg/event/param_windows.go b/pkg/event/param_windows.go
index 4e2b9b110..3c49167d8 100644
--- a/pkg/event/param_windows.go
+++ b/pkg/event/param_windows.go
@@ -540,11 +540,40 @@ func (e *Event) produceParams(evt *etw.EventRecord) {
 			case registry.BINARY:
 				e.AppendParam(params.RegData, params.Binary, b)
 			case registry.DWORD:
-				e.AppendParam(params.RegData, params.Uint32, binary.LittleEndian.Uint32(b))
+				var v uint32
+				switch len(b) {
+				case 4:
+					v = binary.LittleEndian.Uint32(b)
+				case 2:
+					v = uint32(binary.LittleEndian.Uint16(b))
+				case 1:
+					v = uint32(b[0])
+				}
+				e.AppendParam(params.RegData, params.Uint32, v)
 			case registry.DWORD_BIG_ENDIAN:
-				e.AppendParam(params.RegData, params.Uint32, binary.BigEndian.Uint32(b))
+				var v uint32
+				switch len(b) {
+				case 4:
+					v = binary.BigEndian.Uint32(b)
+				case 2:
+					v = uint32(binary.BigEndian.Uint16(b))
+				case 1:
+					v = uint32(b[0])
+				}
+				e.AppendParam(params.RegData, params.Uint32, v)
 			case registry.QWORD:
-				e.AppendParam(params.RegData, params.Uint64, binary.LittleEndian.Uint64(b))
+				var v uint64
+				switch len(b) {
+				case 8:
+					v = binary.LittleEndian.Uint64(b)
+				case 4:
+					v = uint64(binary.LittleEndian.Uint32(b))
+				case 2:
+					v = uint64(binary.LittleEndian.Uint16(b))
+				case 1:
+					v = uint64(b[0])
+				}
+				e.AppendParam(params.RegData, params.Uint64, v)
 			}
 		}
 	case CreateFile:
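Review bot: The exact-length `switch len(b)` leaves `v` at 0 for every length it does not list, including buffers longer than the target width (len(b) > 4 for DWORD, > 8 for QWORD), which the removed `binary.LittleEndian.Uint32(b)` / `Uint64(b)` call decoded from the leading bytes without panicking, so an over-long or odd-length (3, 5-7) buffer is now reported as a genuine zero and a consumer of RegData cannot tell a malformed value from a real 0. The same pattern appears in all three cases (DWORD, DWORD_BIG_ENDIAN, QWORD). Deciding by `len(b) >= n` keeps the previous behaviour for longer buffers, and when no width fits the remaining bytes are better emitted as `params.Binary`, as the BINARY case already does, than as a synthetic zero. Folding the three switches into one helper taking a `binary.ByteOrder` also removes the duplication. produceParams begins and ends outside the hunk.
```go
// regUint decodes the widest unsigned integer, up to width bytes, that b can
// hold, reading the leading bytes in the given byte order. ok is false only
// when b is empty, so the caller can fall back to the raw bytes.
func regUint(b []byte, width int, order binary.ByteOrder) (v uint64, ok bool) {
	switch {
	case width >= 8 && len(b) >= 8:
		return order.Uint64(b), true
	case len(b) >= 4:
		return uint64(order.Uint32(b)), true
	case len(b) >= 2:
		return uint64(order.Uint16(b)), true
	case len(b) >= 1:
		return uint64(b[0]), true
	}
	return 0, false
}

// … unchanged: registry.BINARY case …
case registry.DWORD:
	if v, ok := regUint(b, 4, binary.LittleEndian); ok {
		e.AppendParam(params.RegData, params.Uint32, uint32(v))
	} else {
		e.AppendParam(params.RegData, params.Binary, b)
	}
// … DWORD_BIG_ENDIAN likewise with binary.BigEndian; QWORD with width 8 and params.Uint64 …
```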