[Forensics-changes] [yara] 78/407: Fix one-byte overflow.

Hilko Bengen bengen at moszumanska.debian.org
Sat Jul 1 10:28:12 UTC 2017


This is an automated email from the git hooks/post-receive script.

bengen pushed a commit to annotated tag v3.3.0
in repository yara.

commit f3722ba5086af5740b6dcfb9531ce910a185207e
Author: Wesley Shields <wxs at atarininja.org>
Date:   Mon Oct 6 21:55:00 2014 -0400

    Fix one-byte overflow.
    
    When making the hexlified hash (imphash and richhash) for comparison make
    sure to allocate enough room for the null byte.
    
    While here, simplify things a bit. No need to use an extra pointer (p) and
    remove comments that don't apply anymore.
---
 libyara/modules/pe.c | 16 +++++++++-------
 1 file changed, 9 insertions(+), 7 deletions(-)

diff --git a/libyara/modules/pe.c b/libyara/modules/pe.c
index c45dbde..468f202 100644
--- a/libyara/modules/pe.c
+++ b/libyara/modules/pe.c
@@ -2380,7 +2380,7 @@ define_function(imphash)
   md5_final(&ctx, md_value);
 
   // Convert md_value into it's hexlified form.
-  final_hash = yr_malloc(MD5_BLOCK_SIZE * 2);
+  final_hash = yr_malloc((MD5_BLOCK_SIZE * 2) + 1);
   if (!final_hash)
     return_integer(0);
 
@@ -2397,11 +2397,10 @@ define_function(imphash)
 
 
 /*
- * XXX: Nothing fancy here. Just a sha256 of the clear data.
+ * Nothing fancy here. Just a sha256 of the clear data.
  */
 define_function(richhash)
 {
-  char *p;
   int i;
   SHA256_CTX ctx;
   unsigned char md_value[SHA256_BLOCK_SIZE];
@@ -2410,9 +2409,13 @@ define_function(richhash)
   int result = 0;
   YR_OBJECT* parent = parent();
 
+  // No point in calculating the hash if the input length is wrong.
+  if (strlen(hash) != SHA256_BLOCK_SIZE * 2) {
+    return_integer(0);
+  }
+
   SIZED_STRING *clear_data = get_string(parent, "clear_data");
 
-  // Length should be at least 0x80
   sha256_init(&ctx);
   for (i = 0; i < clear_data->length; i += 4) {
     sha256_update(&ctx, (SHA_BYTE *) ((uint32_t *) (clear_data->c_string + i)), 0x04);
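Review bot: The hashing loop under the new length check still feeds `sha256_update` four bytes at every offset, so when `clear_data->length` is not a multiple of four the final call reads up to three bytes past the end of `c_string`; the commit also drops the only comment that stated a length expectation. `clear_data` is dereferenced without a NULL check, which matters if `get_string` can return NULL for an undefined field (its contract is not visible here). Assuming `sha256_update` accepts an arbitrary length, `if (clear_data == NULL) return_integer(0);` followed by one call `sha256_update(&ctx, (SHA_BYTE *) clear_data->c_string, clear_data->length);` yields the same digest for every multiple-of-four length and removes the over-read. The loop's closing brace and the rest of richhash are outside this hunk.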
@@ -2420,13 +2423,12 @@ define_function(richhash)
   sha256_final(&ctx, md_value);
 
   // Convert md_value into it's hexlified form.
-  final_hash = yr_malloc(SHA256_BLOCK_SIZE * 2);
+  final_hash = yr_malloc((SHA256_BLOCK_SIZE * 2) + 1);
   if (!final_hash)
     return_integer(0);
 
-  p = final_hash;
   for (i = 0; i < SHA256_BLOCK_SIZE; i++) {
-    snprintf(p + 2 * i, 3, "%02x", md_value[i]);
+    snprintf(final_hash + (2 * i), 3, "%02x", md_value[i]);
   }
 
   if (strncasecmp(hash, final_hash, (SHA256_BLOCK_SIZE * 2)) == 0)
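Review bot: The `3` passed to `snprintf` in the hex loop is a constant unrelated to the space left in `final_hash`, so the bounded call could not have caught the one-byte overflow this commit fixes and will not catch the next sizing mistake. Tying the bound to the buffer makes the size self-checking: declare `char final_hash[(SHA256_BLOCK_SIZE * 2) + 1];` and call `snprintf(final_hash + (2 * i), sizeof(final_hash) - (2 * i), "%02x", md_value[i]);`. A fixed array also removes the allocation-failure path, which returns 0 and so appears indistinguishable from a hash mismatch to the rule author. The declaration of `final_hash` and whatever releases it sit outside this hunk, so both would need adjusting with the change.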

-- 
Alioth's /usr/local/bin/git-commit-notice on /srv/git.debian.org/git/forensics/yara.git


