[Forensics-changes] [yara] 106/368: Fix certificate parsing and improve legibility




commit 2fac34b744813465ed39c19452289401f5430e69
Author: Victor Manuel Alvarez <vmalvarez at virustotal.com>
Date:   Sun Nov 1 11:33:55 2015 +0100

    Fix certificate parsing and improve legibility
---
 libyara/include/yara/pe.h |  2 +-
 libyara/modules/pe.c      | 16 +++++++---------
 2 files changed, 8 insertions(+), 10 deletions(-)

diff --git a/libyara/include/yara/pe.h b/libyara/include/yara/pe.h
index ca6d587..2316cc4 100644
--- a/libyara/include/yara/pe.h
+++ b/libyara/include/yara/pe.h
@@ -439,7 +439,7 @@ typedef struct _WIN_CERTIFICATE {
     DWORD Length;
     WORD  Revision;
     WORD  CertificateType;
-    BYTE  Certificate[1];
+    BYTE  Certificate[0];
 } WIN_CERTIFICATE, *PWIN_CERTIFICATE;
 
 
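Review bot: `BYTE Certificate[0];` on the new line is a GNU zero-length array, not standard C; the C99 form is a flexible array member, `BYTE Certificate[];`, which gives the same `sizeof(WIN_CERTIFICATE)` (the 8-byte header) without relying on a compiler extension. That header size is what the new `win_cert->Length > sizeof(WIN_CERTIFICATE)` comparison in pe.c depends on, so the two hunks are coupled and a comment on the struct should say so, e.g. `// Certificate is a trailing variable-length blob; sizeof(WIN_CERTIFICATE) must stay equal to the 8-byte header that Length counts from.` The struct's opening line is outside the hunk.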
diff --git a/libyara/modules/pe.c b/libyara/modules/pe.c
index bd9de21..69b6684 100644
--- a/libyara/modules/pe.c
+++ b/libyara/modules/pe.c
@@ -1127,18 +1127,16 @@ void pe_parse_certificates(
   // Make sure WIN_CERTIFICATE fits within the directory.
   // Make sure the Length specified fits within directory too.
   //
-  // Subtracting 8 because the docs say that the length is only for the
-  // Certificate, but the next paragraph contradicts that. All the binaries
-  // I've seen have the Length being the entire structure (Certificate
-  // included).
+  // The docs say that the length is only for the Certificate, but the next 
+  // paragraph contradicts that. All the binaries I've seen have the Length
+  // being the entire structure (Certificate included).
   //
 
   while (struct_fits_in_pe(pe, win_cert, WIN_CERTIFICATE) &&
-         fits_in_pe(pe, win_cert->Certificate, win_cert->Length) &&
-         win_cert->Length >= 8 &&
-         (uint8_t*) win_cert + sizeof(WIN_CERTIFICATE) <= eod &&
-         (uint8_t*) win_cert->Certificate < eod &&
-         (uint8_t*) win_cert->Certificate + win_cert->Length - 8 <= eod)
+         win_cert->Length > sizeof(WIN_CERTIFICATE) &&
+         fits_in_pe(pe, win_cert, win_cert->Length) &&
+         (uint8_t*) win_cert + sizeof(WIN_CERTIFICATE) < eod &&
+         (uint8_t*) win_cert + win_cert->Length <= eod)
   {
     BIO* cert_bio;
     PKCS7* pkcs7;
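Review bot: The last condition of the rewritten loop guard, `(uint8_t*) win_cert + win_cert->Length <= eod`, still forms a pointer from the attacker-controlled 32-bit `Length` before comparing it, so on a 32-bit build an oversized `Length` can wrap the sum below `eod` and the check passes (forming an out-of-object pointer is also undefined behavior, so the compiler may fold the comparison away). Comparing lengths instead of pointers avoids both problems: `win_cert->Length <= (size_t)(eod - (uint8_t*) win_cert)`, which is well-defined once the preceding `(uint8_t*) win_cert + sizeof(WIN_CERTIFICATE) < eod` test has established `win_cert < eod`. `fits_in_pe(pe, win_cert, win_cert->Length)` may already cover the file-bounds case, but its definition is not in this hunk, and `eod` is a separate bound, so the arithmetic here should be safe on its own. The new comment line `// The docs say that the length is only for the Certificate, but the next ` carries trailing whitespace. `pe_parse_certificates` starts before and continues past this hunk, so the advance of `win_cert` by `Length` at the loop bottom is not visible here.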



