[Forensics-changes] [yara] 78/407: Fix one-byte overflow.
Hilko Bengen
bengen at moszumanska.debian.org
Sat Jul 1 10:28:12 UTC 2017
This is an automated email from the git hooks/post-receive script.
bengen pushed a commit to annotated tag v3.3.0
in repository yara.
commit f3722ba5086af5740b6dcfb9531ce910a185207e
Author: Wesley Shields <wxs at atarininja.org>
Date: Mon Oct 6 21:55:00 2014 -0400
Fix one-byte overflow.
When making the hexlified hash (imphash and richhash) for comparison make
sure to allocate enough room for the null byte.
While here, simplify things a bit. No need to use an extra pointer (p) and
remove comments that don't apply anymore.
---
libyara/modules/pe.c | 16 +++++++++-------
1 file changed, 9 insertions(+), 7 deletions(-)
diff --git a/libyara/modules/pe.c b/libyara/modules/pe.c
index c45dbde..468f202 100644
--- a/libyara/modules/pe.c
+++ b/libyara/modules/pe.c
@@ -2380,7 +2380,7 @@ define_function(imphash)
md5_final(&ctx, md_value);
// Convert md_value into it's hexlified form.
- final_hash = yr_malloc(MD5_BLOCK_SIZE * 2);
+ final_hash = yr_malloc((MD5_BLOCK_SIZE * 2) + 1);
if (!final_hash)
return_integer(0);
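Review bot: The allocation-failure path at `if (!final_hash) return_integer(0);` reports an out-of-memory condition as an ordinary non-match, so a scan running under memory pressure would silently miss a sample whose imphash does match. The same pattern appears in the richhash hunk further down. Because the hex string has a fixed size, a stack buffer such as `char final_hash[(MD5_BLOCK_SIZE * 2) + 1];` would remove both the allocation and this failure path. The declaration of final_hash and whatever releases it lie outside the hunk, so that change would have to be made there as well.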
@@ -2397,11 +2397,10 @@ define_function(imphash)
/*
- * XXX: Nothing fancy here. Just a sha256 of the clear data.
+ * Nothing fancy here. Just a sha256 of the clear data.
*/
define_function(richhash)
{
- char *p;
int i;
SHA256_CTX ctx;
unsigned char md_value[SHA256_BLOCK_SIZE];
@@ -2410,9 +2409,13 @@ define_function(richhash)
int result = 0;
YR_OBJECT* parent = parent();
+ // No point in calculating the hash if the input length is wrong.
+ if (strlen(hash) != SHA256_BLOCK_SIZE * 2) {
+ return_integer(0);
+ }
+
SIZED_STRING *clear_data = get_string(parent, "clear_data");
- // Length should be at least 0x80
sha256_init(&ctx);
for (i = 0; i < clear_data->length; i += 4) {
sha256_update(&ctx, (SHA_BYTE *) ((uint32_t *) (clear_data->c_string + i)), 0x04);
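Review bot: The loop over clear_data hashes 4 bytes per step, so when `clear_data->length` is not a multiple of 4 the last `sha256_update` call reads up to three bytes past the end of the string; the added length check on `hash` does not cover this. Passing the whole buffer once, `sha256_update(&ctx, (SHA_BYTE *) clear_data->c_string, clear_data->length);`, should yield the same digest for lengths that are multiples of 4 and never reads past the end. clear_data is also dereferenced without a NULL test, which matters if get_string can return NULL when the parent has no such field (not visible here). The loop body closes outside the hunk, as does the definition of `hash`.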
@@ -2420,13 +2423,12 @@ define_function(richhash)
sha256_final(&ctx, md_value);
// Convert md_value into it's hexlified form.
- final_hash = yr_malloc(SHA256_BLOCK_SIZE * 2);
+ final_hash = yr_malloc((SHA256_BLOCK_SIZE * 2) + 1);
if (!final_hash)
return_integer(0);
- p = final_hash;
for (i = 0; i < SHA256_BLOCK_SIZE; i++) {
- snprintf(p + 2 * i, 3, "%02x", md_value[i]);
+ snprintf(final_hash + (2 * i), 3, "%02x", md_value[i]);
}
if (strncasecmp(hash, final_hash, (SHA256_BLOCK_SIZE * 2)) == 0)
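Review bot: The `+ 1` in the allocation and the size `3` passed to snprintf depend on each other, and nothing in the code says so: each call writes two hex digits plus a NUL, so the final iteration writes its terminator at index `SHA256_BLOCK_SIZE * 2`. A comment above the yr_malloc call would keep a later edit from reintroducing the overflow, for example `// +1: the last snprintf() below writes its NUL at offset SHA256_BLOCK_SIZE * 2`. The same comment fits the imphash allocation in the first hunk. The enclosing function continues past the end of the hunk.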
--
Alioth's /usr/local/bin/git-commit-notice on /srv/git.debian.org/git/forensics/yara.git