[Forensics-changes] [yara] 187/407: Improve sanity checks in pe_parse_certificates
Hilko Bengen
bengen at moszumanska.debian.org
Sat Jul 1 10:28:24 UTC 2017
bengen pushed a commit to annotated tag v3.3.0
in repository yara.
commit 46fee1aa26bee54ba8fa136e4118e19fc41cad5f
Author: Victor M. Alvarez <plusvic at gmail.com>
Date: Mon Nov 3 13:16:03 2014 +0100
Improve sanity checks in pe_parse_certificates
---
libyara/modules/pe.c | 19 ++++++++++++++-----
1 file changed, 14 insertions(+), 5 deletions(-)
diff --git a/libyara/modules/pe.c b/libyara/modules/pe.c
index c8b4906..006798d 100644
--- a/libyara/modules/pe.c
+++ b/libyara/modules/pe.c
@@ -789,6 +789,7 @@ void pe_parse_certificates(
// directory->VirtualAddress is a file offset. Don't call pe_rva_to_offset().
if (directory->VirtualAddress == 0 ||
+ directory->Size > pe->data_size ||
directory->VirtualAddress + directory->Size > pe->data_size)
{
return;
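Review bot: The added `directory->Size > pe->data_size` bound does not protect the sum on the following line when VirtualAddress itself is out of range: a small Size paired with a VirtualAddress close to the top of its range wraps the addition to a value below data_size and the check passes. Adding the symmetric guard `directory->VirtualAddress > pe->data_size ||`, or carrying out the addition in a wider type before comparing, closes that path. The field widths are not visible in the hunk; the wrap applies if VirtualAddress and Size are 32-bit as in the standard IMAGE_DATA_DIRECTORY layout. pe_parse_certificates continues past the end of the hunk.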
@@ -812,10 +813,18 @@ void pe_parse_certificates(
// included).
//
- while (struct_fits_in_pe(pe, win_cert, WIN_CERTIFICATE) &&
- (uint8_t*) win_cert + sizeof(WIN_CERTIFICATE) <= eod &&
+ while ((uint8_t*) win_cert + sizeof(WIN_CERTIFICATE) <= eod &&
(uint8_t*) win_cert->Certificate + win_cert->Length - 8 <= eod)
{
+ // Some sanity checks
+
+ if (win_cert->Length == 0 ||
+ (win_cert->CertificateType != WIN_CERT_REVISION_1_0 &&
+ win_cert->CertificateType != WIN_CERT_REVISION_2_0))
+ {
+ break;
+ }
+
// Don't support legacy revision for now.
// Make sure type is PKCS#7 too.
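Review bot: The new sanity check at the top of the loop body rejects `win_cert->Length == 0` but still admits a Length smaller than the header the loop condition just verified fits: the condition subtracts 8 from Length for the header, so a Length of 1 through 7 passes both tests even though the entry cannot hold the fields the check reads, and the `end` computed in the later hunk then lands inside the current header. Tightening the test to `if (win_cert->Length < sizeof(WIN_CERTIFICATE) ||` closes that gap, provided sizeof(WIN_CERTIFICATE) agrees with the 8-byte header size the condition assumes. Dropping struct_fits_in_pe also makes the loop rely solely on eod being bounded by pe->data_size; eod is set before the hunk and is not visible here. The loop body continues past the end of the hunk.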
@@ -906,8 +915,8 @@ void pe_parse_certificates(
counter++;
}
- uintptr_t end = (uintptr_t) ((uint8_t *) win_cert) + win_cert->Length;
- win_cert = (PWIN_CERTIFICATE) (end + (end % 8));
+ uintptr_t end = (uintptr_t)((uint8_t *) win_cert) + win_cert->Length;
+ win_cert = (PWIN_CERTIFICATE)(end + (end % 8));
BIO_free(cert_bio);
sk_X509_free(certs);
@@ -1370,7 +1379,7 @@ define_function(imports)
{
imported_func = imported_dll->functions;
- while (imported_func)
+ while (imported_func != NULL)
{
if (strcasecmp(imported_func->name, function_name) == 0)
return_integer(1);
--