[Forensics-changes] [yara] 133/407: Fix length check. The docs are confusing.
Hilko Bengen
bengen at moszumanska.debian.org
Sat Jul 1 10:28:18 UTC 2017
This is an automated email from the git hooks/post-receive script.
bengen pushed a commit to annotated tag v3.3.0
in repository yara.
commit b2e9cd0bdfd9bc837bb1f73c8232df166b57ac0c
Author: Wesley Shields <wxs at atarininja.org>
Date: Sat Oct 18 23:00:29 2014 -0400
Fix length check. The docs are confusing.
Also, set cert_bio to NULL after free.
---
libyara/modules/pe.c | 10 ++++++++--
1 file changed, 8 insertions(+), 2 deletions(-)
diff --git a/libyara/modules/pe.c b/libyara/modules/pe.c
index c6c28b3..a9cd3c7 100644
--- a/libyara/modules/pe.c
+++ b/libyara/modules/pe.c
@@ -2384,8 +2384,13 @@ void pe_parse_certificates(
while (struct_fits_in_pe(pe, sec_desc, IMAGE_SECURITY_DESCRIPTOR) &&
(uint8_t *) sec_desc < (uint8_t *) (pe->data + directory->VirtualAddress + directory->Size))
{
- // Make sure the certificate length fits.
- if (sec_desc->Certificate + sec_desc->Length > pe->data + pe->data_size)
+ //
+ // Make sure the certificate length fits. Subtract 8 because the docs say
+ // that the length is only for the Certificate, but the next paragraph
+ // contradicts that. Also, all the binaries I've seen the length is
+ // of the entire structure.
+ //
+ if ((sec_desc->Certificate + sec_desc->Length) - 8 > pe->data + pe->data_size)
break;
// Don't support legacy revision for now.
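Review bot: The new test `if ((sec_desc->Certificate + sec_desc->Length) - 8 > pe->data + pe->data_size)` still adds Length, a value read from the file being scanned, to a pointer before comparing. A large Length forms a pointer far outside the buffer, which is undefined in C and can wrap where pointers are narrow, so the check can pass when it should break. A Length below 8 also passes the test. Suggest comparing sizes instead of pointers: break when Length is less than 8, or when Length - 8 exceeds the bytes remaining between sec_desc->Certificate and pe->data + pe->data_size. The literal 8 would read better as a named constant for the header bytes that precede Certificate, which is what the comment implies it stands for. It is also worth confirming that the code after this check uses the same "length of the entire structure" interpretation when it sizes the certificate and advances sec_desc.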
@@ -2490,6 +2495,7 @@ void pe_parse_certificates(
BIO_set_close(cert_bio, BIO_CLOSE);
BIO_free(cert_bio);
+ cert_bio = NULL;
}
if (cert_bio) {
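Review bot: The `cert_bio = NULL;` line after `BIO_free(cert_bio);` is a separate memory-safety fix and would be easier to track and backport as its own commit, with a message stating which path it closes. As visible here, the following `if (cert_bio) {` block would otherwise be entered with a pointer that has already been freed, so a short comment at the assignment saying that the later check depends on it would keep it from being dropped in a future cleanup.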
--
Alioth's /usr/local/bin/git-commit-notice on /srv/git.debian.org/git/forensics/yara.git