[Forensics-changes] [yara] 152/368: Fix match issue.

Hilko Bengen bengen at moszumanska.debian.org
Sat Jul 1 10:30:22 UTC 2017


This is an automated email from the git hooks/post-receive script.

bengen pushed a commit to annotated tag v3.5.0
in repository yara.

commit 5b5a0795db2238be4ed079d9583c2fb0b79866cf
Author: Wesley Shields <wxs at atarininja.org>
Date:   Thu Jan 21 16:23:54 2016 -0800

    Fix match issue.
    
    When the length of remaining bytes is less than the length of the string we are
    searching for, don't do the search as it can't possibly match. This was causing
    false positives when using a rule that looks like this:
    
    pe.exports("Driver")
    
    Anything that starts with "D" will be incorrectly matched when run against
    b71c531d50d2b634e6000fcdabc9bbb4, because the file is truncated in the export
    table and the entry happens to start with D.
---
 libyara/modules/pe.c | 7 +++++++
 1 file changed, 7 insertions(+)

diff --git a/libyara/modules/pe.c b/libyara/modules/pe.c
index 6584b2c..fce9f4e 100644
--- a/libyara/modules/pe.c
+++ b/libyara/modules/pe.c
@@ -1529,6 +1529,8 @@ define_function(exports)
 
   int64_t offset;
   uint32_t i;
+  size_t remaining;
+  size_t searchlen;
 
   // If not a PE file, return UNDEFINED
 
@@ -1563,6 +1565,7 @@ define_function(exports)
       exports->NumberOfNames * sizeof(DWORD) > pe->data_size - offset)
     return_integer(0);
 
+  searchlen = strlen(function_name);
   names = (DWORD*)(pe->data + offset);
 
   for (i = 0; i < exports->NumberOfNames; i++)
@@ -1573,6 +1576,10 @@ define_function(exports)
     if (offset < 0)
       return_integer(0);
 
+    remaining = pe->data_size - (size_t) offset;
+    if (remaining < searchlen)
+      continue;
+
     name = (char*)(pe->data + offset);
 
     if (strncmp(name, function_name, pe->data_size - (size_t) offset) == 0)
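Review bot: `remaining` is the same value that the strncmp call three lines below recomputes as `pe->data_size - (size_t) offset`; pass `remaining` as the strncmp bound instead, so the length check and the comparison bound cannot drift apart. Two caveats on the check itself. First, `if (remaining < searchlen) continue;` still lets through `remaining == searchlen`, so an export name that the truncation cuts off exactly at the end of the search string compares equal over searchlen bytes and matches with no terminator present in the file; `if (remaining <= searchlen) continue;` would require the NUL to be inside the mapped data (strncmp then compares name[searchlen] against the needle's terminator, so a zero result means the name really ends there). Second, the subtraction assumes `offset <= pe->data_size`; the only guard visible in this hunk is `offset < 0`, so if pe_rva_to_offset can return an offset past the end of the data, `remaining` wraps to a very large value and the new check passes.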

-- 
Alioth's /usr/local/bin/git-commit-notice on /srv/git.debian.org/git/forensics/yara.git
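As an added illustration (example code written for this page, not part of yara or of the commit above): the comparison from the patched loop in a stand-alone form, run over a constructed, deliberately truncated export-name table. export_matches_old mirrors the pre-patch strncmp bounded only by the bytes left in the file, export_matches_fixed adds the patch's `remaining < searchlen` check, and export_matches_strict is an assumption of this example, not something the patch does: it also requires room for the terminating NUL. The `name_offset > data_size` guard in all three is likewise assumed here; the real code takes the offset from pe_rva_to_offset(). The sample bytes are constructed for the example and are not taken from the file named in the commit message.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Stand-ins for the export-name comparison in libyara's pe.c (example
 * code, not the project's own). data/data_size play the role of
 * pe->data/pe->data_size; name_offset is the file offset of one export
 * name, i.e. what pe_rva_to_offset() returned for that entry. */

typedef int (*export_matcher)(const uint8_t *data, size_t data_size,
                              int64_t name_offset, const char *function_name);

/* Before the patch: strncmp is bounded only by the bytes left in the
 * file, so a name that truncation cut short is compared as a prefix and
 * a lone "D" at the end of the file matches "Driver". */
static int export_matches_old(const uint8_t *data, size_t data_size,
                              int64_t name_offset, const char *function_name)
{
    if (name_offset < 0 || (size_t) name_offset > data_size)
        return 0;   /* upper bound is an assumption of this example */
    const char *name = (const char *) (data + name_offset);
    return strncmp(name, function_name, data_size - (size_t) name_offset) == 0;
}

/* After the patch: skip any name with fewer bytes left than the string we
 * are searching for, since it cannot possibly match. */
static int export_matches_fixed(const uint8_t *data, size_t data_size,
                                int64_t name_offset, const char *function_name)
{
    if (name_offset < 0 || (size_t) name_offset > data_size)
        return 0;
    size_t remaining = data_size - (size_t) name_offset;
    size_t searchlen = strlen(function_name);
    if (remaining < searchlen)
        return 0;
    const char *name = (const char *) (data + name_offset);
    return strncmp(name, function_name, remaining) == 0;
}

/* Stricter variant (assumed here, not part of the patch): also require
 * room for the export name's terminating NUL. With remaining > searchlen,
 * strncmp compares name[searchlen] against the needle's NUL, so a zero
 * result means the export name really ends there rather than being cut
 * off at exactly the right length. */
static int export_matches_strict(const uint8_t *data, size_t data_size,
                                 int64_t name_offset, const char *function_name)
{
    if (name_offset < 0 || (size_t) name_offset > data_size)
        return 0;
    size_t remaining = data_size - (size_t) name_offset;
    if (remaining <= strlen(function_name))
        return 0;
    const char *name = (const char *) (data + name_offset);
    return strncmp(name, function_name, remaining) == 0;
}

/* Apply one matcher to every entry of a name table, the way the loop over
 * exports->NumberOfNames does, and count the hits. */
static int count_matches(export_matcher match, const uint8_t *data,
                         size_t data_size, const int64_t *offsets,
                         size_t n_offsets, const char *function_name)
{
    int hits = 0;
    for (size_t i = 0; i < n_offsets; i++)
        hits += match(data, data_size, offsets[i], function_name);
    return hits;
}

/* Constructed export-name table (not a real sample): three names, the
 * third cut off after its first byte by truncation. The literal's own
 * trailing NUL is excluded so the last entry really is unterminated. */
static const uint8_t sample_table[] = "Driver\0DriverEntry\0D";
#define SAMPLE_TABLE_SIZE (sizeof(sample_table) - 1)   /* 20 bytes */
static const int64_t sample_offsets[] = { 0, 7, 19 };
#define SAMPLE_COUNT (sizeof(sample_offsets) / sizeof(sample_offsets[0]))

/* Constructed table whose only name is cut off exactly at the end of
 * "Driver", with no terminator left in the file. */
static const uint8_t exact_table[] = "Driver";
#define EXACT_TABLE_SIZE (sizeof(exact_table) - 1)     /* 6 bytes */

int main(void)
{
    printf("old:    %d matches for Driver\n",
           count_matches(export_matches_old, sample_table, SAMPLE_TABLE_SIZE,
                         sample_offsets, SAMPLE_COUNT, "Driver"));
    printf("fixed:  %d matches for Driver\n",
           count_matches(export_matches_fixed, sample_table, SAMPLE_TABLE_SIZE,
                         sample_offsets, SAMPLE_COUNT, "Driver"));
    printf("fixed accepts unterminated Driver at EOF:  %d\n",
           export_matches_fixed(exact_table, EXACT_TABLE_SIZE, 0, "Driver"));
    printf("strict accepts unterminated Driver at EOF: %d\n",
           export_matches_strict(exact_table, EXACT_TABLE_SIZE, 0, "Driver"));
    return 0;
}
```

Compiled with any C99 compiler and run, the old comparison reports two hits for "Driver" on the sample table (the real export and the dangling "D"), the patched check reports one, and neither ever matches "DriverEntry" against "Driver" because strncmp still compares the byte after the needle. The six-byte exact_table is where the patched check and the strict variant part ways: the former accepts the unterminated name, the latter does not.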