[Forensics-changes] [yara] 134/407: Add extra comment explaining why this check most likely fails.
Hilko Bengen
bengen at moszumanska.debian.org
Sat Jul 1 10:28:18 UTC 2017
This is an automated email from the git hooks/post-receive script.
bengen pushed a commit to annotated tag v3.3.0
in repository yara.
commit 5c3260729a0b3742d5a1e16c7f70c4cfdd7ef79e
Author: Wesley Shields <wxs at atarininja.org>
Date: Sat Oct 18 23:12:01 2014 -0400
Add extra comment explaining why this check most likely fails.
---
libyara/modules/pe.c | 5 ++++-
1 file changed, 4 insertions(+), 1 deletion(-)
diff --git a/libyara/modules/pe.c b/libyara/modules/pe.c
index a9cd3c7..07f76fe 100644
--- a/libyara/modules/pe.c
+++ b/libyara/modules/pe.c
@@ -2390,8 +2390,11 @@ void pe_parse_certificates(
// contradicts that. Also, all the binaries I've seen the length is
// of the entire structure.
//
- if ((sec_desc->Certificate + sec_desc->Length) - 8 > pe->data + pe->data_size)
+ // Some malware will stuff config blocks onto the end of the file. This
+ // is most often the cause of this check failing.
+ if ((sec_desc->Certificate + sec_desc->Length) - 8 > pe->data + pe->data_size) {
break;
+ }
// Don't support legacy revision for now.
// Make sure type is PKCS#7 too.
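Review bot: the new comment says why the bounds check usually trips but not what the `- 8` in the condition accounts for, so a reader of the hunk still has to guess; one more sentence above `if ((sec_desc->Certificate + sec_desc->Length) - 8 > pe->data + pe->data_size) {` naming what those 8 bytes are would make the comment complete. Separately, `sec_desc->Length` comes straight from the file, and the condition builds a pointer from it before validating it: a `Length` below 8 moves the computed pointer backwards rather than forwards, and a very large `Length` yields a pointer past the buffer before the comparison runs. Comparing sizes against the remaining bytes (`pe->data_size` minus the offset of `sec_desc` within `pe->data`) instead of comparing computed pointers would avoid that, and a `Length < 8` check alongside the existing one would close the small-value case.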
--
Alioth's /usr/local/bin/git-commit-notice on /srv/git.debian.org/git/forensics/yara.git