[Forensics-changes] [yara] 102/135: Fix buffer overrun in PE module

[Hilko Bengen]

This is an automated email from the git hooks/post-receive script.

bengen pushed a commit to annotated tag v3.1.0
in repository yara.

commit 2eaafa8fed2c8d1e808e9116c403240d3dbf2a31
Author: Victor M. Alvarez <plusvic at gmail.com>
Date:   Mon Aug 18 10:38:48 2014 +0200

    Fix buffer overrun in PE module
---
 libyara/modules/pe.c | 39 +++++++++++++++++++++++++++++++--------
 1 file changed, 31 insertions(+), 8 deletions(-)

diff --git a/libyara/modules/pe.c b/libyara/modules/pe.c
index e5e70cb..84a87f0 100644
--- a/libyara/modules/pe.c
+++ b/libyara/modules/pe.c
@@ -357,6 +357,7 @@ define_function(imports)
 {
   char* dll_name = string_argument(1);
   char* function_name = string_argument(2);
+  int function_name_len = strlen(function_name);
 
   YR_OBJECT* module = module();
   DATA* data = (DATA*) module->data;
@@ -428,10 +429,21 @@ define_function(imports)
                 data->pe_size,
                 thunks64->u1.Function);
 
-            import = (PIMAGE_IMPORT_BY_NAME)(data->data + offset);
-
-            if (strcmp((char*) import->Name, function_name) == 0)
-              return_integer(1);
+            if (offset != 0 &&
+                offset <= data->size - sizeof(IMAGE_IMPORT_BY_NAME))
+            {
+              import = (PIMAGE_IMPORT_BY_NAME)(data->data + offset);
+
+              if (data_end - import->Name >= function_name_len)
+              {
+                if (strncmp((char*) import->Name,
+                            function_name,
+                            function_name_len) == 0)
+                {
+                  return_integer(1);
+                }
+              }
+            }
           }
 
           thunks64++;
@@ -451,10 +463,21 @@ define_function(imports)
                 data->pe_size,
                 thunks32->u1.Function);
 
-            import = (PIMAGE_IMPORT_BY_NAME)(data->data + offset);
-
-            if (strcmp((char*) import->Name, function_name) == 0)
-              return_integer(1);
+            if (offset != 0 &&
+                offset <= data->size - sizeof(IMAGE_IMPORT_BY_NAME))
+            {
+              import = (PIMAGE_IMPORT_BY_NAME)(data->data + offset);
+
+              if (data_end - import->Name >= function_name_len)
+              {
+                if (strncmp((char*) import->Name,
+                            function_name,
+                            function_name_len) == 0)
+                {
+                  return_integer(1);
+                }
+              }
+            }
           }
 
           thunks32++;

-- 
Alioth's /usr/local/bin/git-commit-notice on /srv/git.debian.org/git/forensics/yara.git