[Forensics-changes] [yara] 199/407: Sanitise DLL names in import table and fix memory leak
Hilko Bengen
bengen at moszumanska.debian.org
Sat Jul 1 10:28:25 UTC 2017
This is an automated email from the git hooks/post-receive script.
bengen pushed a commit to annotated tag v3.3.0
in repository yara.
commit dd2afc6123d27d7b1ae1e93b524a8b5bfe5aa57c
Author: Victor M. Alvarez <plusvic at gmail.com>
Date: Thu Nov 6 18:43:18 2014 +0100
Sanitise DLL names in import table and fix memory leak
---
libyara/modules/pe.c | 34 +++++++++++++++++++++++++++++++---
1 file changed, 31 insertions(+), 3 deletions(-)
diff --git a/libyara/modules/pe.c b/libyara/modules/pe.c
index 751d612..32a8e16 100644
--- a/libyara/modules/pe.c
+++ b/libyara/modules/pe.c
@@ -714,6 +714,32 @@ IMPORTED_FUNCTION* pe_parse_import_descriptor(
return head;
}
+
+int pe_valid_dll_name(
+ const char* dll_name, size_t n)
+{
+ const char* c = dll_name;
+ size_t l = 0;
+
+ while (*c != '\0' && l < n)
+ {
+ if ((*c >= 'a' && *c <= 'z') ||
+ (*c >= 'A' && *c <= 'Z') ||
+ (*c >= '0' && *c <= '9') ||
+ (*c == '_' || *c == '.'))
+ {
+ c++;
+ l++;
+ }
+ else
+ {
+ return FALSE;
+ }
+ }
+
+ return l < n;
+}
+
//
// Walk the imports and collect relevant information. It is used in the
// "imports" function for comparison and in the "imphash" function for
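Review bot: The loop condition in `pe_valid_dll_name` evaluates `*c != '\0'` before `l < n`, so when the name reaches the end of the buffer without a terminator, the byte at `dll_name + n` is read before the bound is checked. With `n` passed as `pe->data_size - offset`, that byte lies one past the end of the PE data. Swapping the operands fixes it: `while (l < n && *c != '\0')`. The function also accepts an empty string whenever `n > 0`, which `return l > 0 && l < n;` would reject. The allowed character set omits `-`, which appears in legitimate DLL names such as the `api-ms-win-*` family, so those imports would be treated as invalid.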
@@ -747,8 +773,10 @@ IMPORTED_DLL* pe_parse_imports(
if (offset != 0 && offset < pe->data_size)
{
- char* dll_name = yr_strndup(
- (char *) (pe->data + offset), pe->data_size - offset);
+ char* dll_name = (char *) (pe->data + offset);
+
+ if (!pe_valid_dll_name(dll_name, pe->data_size - offset))
+ break;
IMPORTED_FUNCTION* functions = pe_parse_import_descriptor(
pe, imports, dll_name);
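Review bot: The `break` taken when `pe_valid_dll_name` fails ends the walk at the first descriptor whose name does not pass, so every later import descriptor is dropped without any signal. Rules that rely on the import list or the imphash would then evaluate a truncated set. The enclosing loop in `pe_parse_imports` starts and ends outside this hunk, so whether the descriptor pointer can simply be advanced is an assumption, but skipping the entry rather than stopping looks safer for detection coverage. If stopping is intended, say so in a comment above the check, e.g. `// Implausible DLL name: treat the import table as corrupt and stop parsing.`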
@@ -760,7 +788,7 @@ IMPORTED_DLL* pe_parse_imports(
if (imported_dll != NULL)
{
- imported_dll->name = dll_name;
+ imported_dll->name = yr_strdup(dll_name);;
imported_dll->functions = functions;
imported_dll->next = NULL;
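Review bot: The result of `yr_strdup(dll_name)` is stored in `imported_dll->name` without a NULL check, so an allocation failure leaves a node with a NULL name in the list. Code that later compares or hashes the names would presumably dereference it. Handle the failure before the node is linked, for example by releasing the node and the `functions` list and stopping. The line also ends in a stray second semicolon and should read `imported_dll->name = yr_strdup(dll_name);`. The surrounding block continues outside this hunk, so the exact cleanup path has to be checked against the rest of the function.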
--
Alioth's /usr/local/bin/git-commit-notice on /srv/git.debian.org/git/forensics/yara.git