[Forensics-changes] [yara] 129/407: Properly calculate the next certificate entry.

Hilko Bengen bengen at moszumanska.debian.org
Sat Jul 1 10:28:17 UTC 2017


This is an automated email from the git hooks/post-receive script.

bengen pushed a commit to annotated tag v3.3.0
in repository yara.

commit a2eef6354bc4bbbb02e69476a0637ffc5c652dd2
Author: Wesley Shields <wxs at atarininja.org>
Date:   Fri Oct 17 16:08:59 2014 -0400

    Properly calculate the next certificate entry.
    
    There is a lot of confusion around this. The specification says it must be
    aligned to an 8 byte boundary and the length field does not include the
    structure itself. Most binaries adhere to this but I've seen some for which
    the length includes the structure and the padding.
    
    There needs to be more investigation on the proper way to handle the (rare)
    case of a file with multiple signatures.
---
 libyara/modules/pe.c | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/libyara/modules/pe.c b/libyara/modules/pe.c
index c6007bb..443ea95 100644
--- a/libyara/modules/pe.c
+++ b/libyara/modules/pe.c
@@ -2356,6 +2356,7 @@ void pe_parse_certificates(
   PKCS7 *p7;
   X509 *cert;
   int i, j;
+  size_t end;
   char *p;
   const char *sig_alg;
   unsigned long date_length;
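
Review bot: The new local, size_t end, is used in the next hunk to hold sec_desc converted to an integer; uintptr_t is the integer type defined for carrying a pointer value, and declaring end as uintptr_t would make that intent explicit and keep the casts in both directions well defined.
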
@@ -2467,7 +2468,8 @@ void pe_parse_certificates(
       BIO_set_close(date_bio, BIO_CLOSE);
       BIO_free(date_bio);
     }
-    sec_desc += sec_desc ->Length + 8 - (((unsigned int) sec_desc + sec_desc->Length) % 8);
+    end = ((size_t) sec_desc) + sec_desc->Length;
+    sec_desc = (PIMAGE_SECURITY_DESCRIPTOR) (end + (end % 8));
   }
 
   if (cert_bio) {
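
Review bot: In the new sec_desc assignment, end + (end % 8) does not round end up to an 8-byte boundary: it is only correct when end % 8 is 0 or 4 (a remainder of 1 gives end + 1, which is still unaligned, and a remainder of 5 gives end + 5). Rounding up would be (end + 7) & ~((size_t) 7). Two further points: end is built from the in-memory address of sec_desc, so the padding depends on how the buffer is aligned in memory rather than on the entry's offset within the certificate table, and computing it from the offset relative to the table start would remove that dependency. Also, a Length of 0 on an aligned sec_desc leaves the pointer unchanged, so the loop condition (outside this hunk) has to guarantee termination and keep the advanced pointer inside the mapped data, since Length comes from the file being scanned.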

-- 
Alioth's /usr/local/bin/git-commit-notice on /srv/git.debian.org/git/forensics/yara.git


