[Forensics-changes] [yara] 17/368: More integrity checks while loading compiled rules

Hilko Bengen bengen at moszumanska.debian.org
Sat Jul 1 10:30:06 UTC 2017


This is an automated email from the git hooks/post-receive script.

bengen pushed a commit to annotated tag v3.5.0
in repository yara.

commit 15d249b4d58b496e485c4f8da5f1b4de799d6608
Author: Victor M. Alvarez <plusvic at gmail.com>
Date:   Thu Jul 2 14:00:43 2015 +0200

    More integrity checks while loading compiled rules
---
 libyara/arena.c | 10 ++++++++++
 1 file changed, 10 insertions(+)

diff --git a/libyara/arena.c b/libyara/arena.c
index 738ab15..7f70bb4 100644
--- a/libyara/arena.c
+++ b/libyara/arena.c
@@ -176,6 +176,7 @@ int _yr_arena_make_relocatable(
 
   while (offset != -1)
   {
+    assert(page->used >= sizeof(int64_t));
     assert(base_offset + offset <= page->used - sizeof(int64_t));
 
     reloc = (YR_RELOC*) yr_malloc(sizeof(YR_RELOC));
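Review bot: The added `assert(page->used >= sizeof(int64_t));` is compiled out when NDEBUG is defined, so in a release build neither it nor the assert below it stops an offset that falls outside the page. In a debug build a malformed rules file aborts the process instead of producing an error code. The third hunk shows this function being called with an offset that appears to come from the loaded file, so I would make the pair a runtime check, e.g. `if (page->used < sizeof(int64_t) || base_offset + offset > page->used - sizeof(int64_t)) return ERROR_CORRUPT_FILE;`. The function starts and ends outside the hunk, so the right error code, any cleanup, and whether callers look at the return value (the call in `yr_arena_load_stream` does not) need confirming.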
@@ -916,6 +917,9 @@ int yr_arena_load_stream(
     return ERROR_INVALID_FILE;
   }
 
+  if (header.size < 2048)       // compiled rules are always larger than 2KB
+    return ERROR_CORRUPT_FILE;
+
   if (header.version != ARENA_FILE_VERSION)
     return ERROR_UNSUPPORTED_FILE_VERSION;
 
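Review bot: The literal `2048` in the new `header.size` check is a heuristic rather than a format constant, and the trailing comment does not say why compiled rules can never be smaller. A named constant (for example `#define ARENA_MIN_FILE_SIZE 2048`, name suggested here) with a comment giving the reason would make the limit easier to revisit. The same comment should note that this lower bound is also what keeps `header.size - sizeof(uint8_t*)` in the relocation loop further down from wrapping around. Only a lower bound is enforced here; whether `header.size` is compared with the amount of data actually read from the stream is not visible in this hunk.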
@@ -942,6 +946,12 @@ int yr_arena_load_stream(
 
   while (reloc_offset != -1)
   {
+    if (reloc_offset > header.size - sizeof(uint8_t*))
+    {
+      yr_arena_destroy(new_arena);
+      return ERROR_CORRUPT_FILE;
+    }
+
     yr_arena_make_relocatable(new_arena, page->address, reloc_offset, EOL);
 
     reloc_address = (uint8_t**) (page->address + reloc_offset);
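Review bot: The new bound `reloc_offset > header.size - sizeof(uint8_t*)` rejects negative offsets other than -1 only through implicit conversion to an unsigned type, which depends on the declared types of `reloc_offset` and `header.size` (not visible in this hunk). Writing the sign test out removes that dependency: `if (reloc_offset < 0 || (size_t) reloc_offset > header.size - sizeof(uint8_t*))`. The check also bounds only where the pointer slot lies; whether the value later read through `reloc_address` is itself validated against the arena size is outside the hunk and worth confirming. The loop body continues past the end of the hunk.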

-- 
Alioth's /usr/local/bin/git-commit-notice on /srv/git.debian.org/git/forensics/yara.git


