[Forensics-changes] [yara] 106/368: Fix certificate parsing and improve legibility
Hilko Bengen
bengen at moszumanska.debian.org
Sat Jul 1 10:30:17 UTC 2017
This is an automated email from the git hooks/post-receive script.
bengen pushed a commit to annotated tag v3.5.0
in repository yara.
commit 2fac34b744813465ed39c19452289401f5430e69
Author: Victor Manuel Alvarez <vmalvarez at virustotal.com>
Date: Sun Nov 1 11:33:55 2015 +0100
Fix certificate parsing and improve legibility
---
libyara/include/yara/pe.h | 2 +-
libyara/modules/pe.c | 16 +++++++---------
2 files changed, 8 insertions(+), 10 deletions(-)
diff --git a/libyara/include/yara/pe.h b/libyara/include/yara/pe.h
index ca6d587..2316cc4 100644
--- a/libyara/include/yara/pe.h
+++ b/libyara/include/yara/pe.h
@@ -439,7 +439,7 @@ typedef struct _WIN_CERTIFICATE {
DWORD Length;
WORD Revision;
WORD CertificateType;
- BYTE Certificate[1];
+ BYTE Certificate[0];
} WIN_CERTIFICATE, *PWIN_CERTIFICATE;
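Review bot: `BYTE Certificate[0];` is a zero-length array, which is a compiler extension rather than standard C. If every supported compiler accepts it, the C99 flexible array member `BYTE Certificate[];` gives the same layout portably. The change also makes `sizeof(WIN_CERTIFICATE)` cover only the fixed header, and the rewritten bounds checks in `pe_parse_certificates` in this commit depend on that. A comment on the field, such as `// Variable-length payload; sizeof(WIN_CERTIFICATE) is the fixed header only.`, would keep a later cleanup from restoring `[1]` and silently shifting those checks.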
diff --git a/libyara/modules/pe.c b/libyara/modules/pe.c
index bd9de21..69b6684 100644
--- a/libyara/modules/pe.c
+++ b/libyara/modules/pe.c
@@ -1127,18 +1127,16 @@ void pe_parse_certificates(
// Make sure WIN_CERTIFICATE fits within the directory.
// Make sure the Length specified fits within directory too.
//
- // Subtracting 8 because the docs say that the length is only for the
- // Certificate, but the next paragraph contradicts that. All the binaries
- // I've seen have the Length being the entire structure (Certificate
- // included).
+ // The docs say that the length is only for the Certificate, but the next
+ // paragraph contradicts that. All the binaries I've seen have the Length
+ // being the entire structure (Certificate included).
//
while (struct_fits_in_pe(pe, win_cert, WIN_CERTIFICATE) &&
- fits_in_pe(pe, win_cert->Certificate, win_cert->Length) &&
- win_cert->Length >= 8 &&
- (uint8_t*) win_cert + sizeof(WIN_CERTIFICATE) <= eod &&
- (uint8_t*) win_cert->Certificate < eod &&
- (uint8_t*) win_cert->Certificate + win_cert->Length - 8 <= eod)
+ win_cert->Length > sizeof(WIN_CERTIFICATE) &&
+ fits_in_pe(pe, win_cert, win_cert->Length) &&
+ (uint8_t*) win_cert + sizeof(WIN_CERTIFICATE) < eod &&
+ (uint8_t*) win_cert + win_cert->Length <= eod)
{
BIO* cert_bio;
PKCS7* pkcs7;
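Review bot: The last loop condition, `(uint8_t*) win_cert + win_cert->Length <= eod`, adds a file-controlled 32-bit `Length` to a pointer before comparing. It is therefore only sound if that sum can never pass the end of the mapped buffer or wrap on a 32-bit build. The preceding `fits_in_pe(pe, win_cert, win_cert->Length)` may already guarantee this, but its definition is not visible in this hunk. Comparing sizes instead of pointers removes the dependency: `win_cert->Length <= (size_t) (eod - (uint8_t*) win_cert) &&`. The subtraction is well defined there because the condition just before it has already placed `win_cert` below `eod`. The loop body continues outside the hunk.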
--
Alioth's /usr/local/bin/git-commit-notice on /srv/git.debian.org/git/forensics/yara.git