[Forensics-changes] [yara] 187/407: Improve sanity checks in pe_parse_certificates

Hilko Bengen bengen at moszumanska.debian.org
Sat Jul 1 10:28:24 UTC 2017



bengen pushed a commit to annotated tag v3.3.0
in repository yara.

commit 46fee1aa26bee54ba8fa136e4118e19fc41cad5f
Author: Victor M. Alvarez <plusvic at gmail.com>
Date:   Mon Nov 3 13:16:03 2014 +0100

    Improve sanity checks in pe_parse_certificates
---
 libyara/modules/pe.c | 19 ++++++++++++++-----
 1 file changed, 14 insertions(+), 5 deletions(-)

diff --git a/libyara/modules/pe.c b/libyara/modules/pe.c
index c8b4906..006798d 100644
--- a/libyara/modules/pe.c
+++ b/libyara/modules/pe.c
@@ -789,6 +789,7 @@ void pe_parse_certificates(
   // directory->VirtualAddress is a file offset. Don't call pe_rva_to_offset().
 
   if (directory->VirtualAddress == 0 ||
+      directory->Size > pe->data_size ||
       directory->VirtualAddress + directory->Size > pe->data_size)
   {
     return;
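Review bot: The added `directory->Size > pe->data_size` guard still lets the sum on the following line wrap if VirtualAddress and Size are 32-bit fields, because VirtualAddress itself is never compared against data_size: a VirtualAddress near 0xFFFFFFFF combined with a small Size wraps to a small offset and passes the check. Bounding the offset first and then comparing Size against the remaining space avoids the addition altogether: `directory->VirtualAddress >= pe->data_size || directory->Size > pe->data_size - directory->VirtualAddress`. The field widths are not visible in this hunk, so confirm them against the directory struct definition; pe_parse_certificates begins before this hunk.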
@@ -812,10 +813,18 @@ void pe_parse_certificates(
   // included).
   //
 
-  while (struct_fits_in_pe(pe, win_cert, WIN_CERTIFICATE) &&
-         (uint8_t*) win_cert + sizeof(WIN_CERTIFICATE) <= eod &&
+  while ((uint8_t*) win_cert + sizeof(WIN_CERTIFICATE) <= eod &&
          (uint8_t*) win_cert->Certificate + win_cert->Length - 8 <= eod)
   {
+    // Some sanity checks
+
+    if (win_cert->Length == 0 ||
+        (win_cert->CertificateType != WIN_CERT_REVISION_1_0 &&
+         win_cert->CertificateType != WIN_CERT_REVISION_2_0))
+    {
+      break;
+    }
+
     // Don't support legacy revision for now.
     // Make sure type is PKCS#7 too.
 
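Review bot: The new sanity check inside the loop compares `win_cert->CertificateType` against `WIN_CERT_REVISION_1_0` and `WIN_CERT_REVISION_2_0`, constants whose names describe an entry's revision rather than its type; if those values belong to the struct's Revision field, every entry whose type is PKCS#7 fails this test and the loop breaks before the revision and type checks the comment below announces. The comparison should read `win_cert->Revision != WIN_CERT_REVISION_1_0 && win_cert->Revision != WIN_CERT_REVISION_2_0`. Separately, the `Length == 0` test runs only after the loop condition has already evaluated `win_cert->Length - 8`; for any Length below 8 that unsigned subtraction wraps and the resulting pointer lands far outside the buffer, which is undefined before the comparison with eod can reject it. Validating the length with size arithmetic before forming any pointer from it addresses both points; the loop body and its closing brace continue outside this hunk.
```c
  while ((uint8_t*) win_cert + sizeof(WIN_CERTIFICATE) <= eod)
  {
    // Reject entries whose declared length is shorter than the header or
    // runs past the end of the security directory, before Length is used
    // in any pointer arithmetic.

    if (win_cert->Length < sizeof(WIN_CERTIFICATE) ||
        win_cert->Length > (size_t) (eod - (uint8_t*) win_cert) ||
        (win_cert->Revision != WIN_CERT_REVISION_1_0 &&
         win_cert->Revision != WIN_CERT_REVISION_2_0))
    {
      break;
    }

    // … unchanged: revision/type checks and certificate parsing …
```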
@@ -906,8 +915,8 @@ void pe_parse_certificates(
       counter++;
     }
 
-    uintptr_t end = (uintptr_t) ((uint8_t *) win_cert) + win_cert->Length;
-    win_cert = (PWIN_CERTIFICATE) (end + (end % 8));
+    uintptr_t end = (uintptr_t)((uint8_t *) win_cert) + win_cert->Length;
+    win_cert = (PWIN_CERTIFICATE)(end + (end % 8));
 
     BIO_free(cert_bio);
     sk_X509_free(certs);
@@ -1370,7 +1379,7 @@ define_function(imports)
     {
       imported_func = imported_dll->functions;
 
-      while (imported_func)
+      while (imported_func != NULL)
       {
         if (strcasecmp(imported_func->name, function_name) == 0)
           return_integer(1);
