[Forensics-changes] [yara] 264/368: Fix bug that can cause segfaults while scanning corrupted PE files.

[Hilko Bengen]

This is an automated email from the git hooks/post-receive script.

bengen pushed a commit to annotated tag v3.5.0
in repository yara.

commit 1497fbdf39f6db3e44344fffd2cb4b3a89c937c0
Author: plusvic <plusvic at gmail.com>
Date:   Tue Apr 26 16:52:56 2016 +0200

    Fix bug that can cause segfaults while scanning corrupted PE files.
    
    See more details at: https://github.com/plusvic/yara/pull/438
---
 libyara/modules/pe.c | 8 +++++---
 1 file changed, 5 insertions(+), 3 deletions(-)

diff --git a/libyara/modules/pe.c b/libyara/modules/pe.c
index f8b6614..722f4f3 100644
--- a/libyara/modules/pe.c
+++ b/libyara/modules/pe.c
@@ -419,9 +419,11 @@ int64_t pe_rva_to_offset(
         // If FileAlignment is >= 0x200, it is apparently ignored (see
         // Ero Carreras's pefile.py, PE.adjust_FileAlignment).
         int alignment = yr_min(OptionalHeader(pe, FileAlignment), 0x200);
+
         if (alignment)
         {
           int rest = section_offset % alignment;
+
           if (rest)
             section_offset -= rest;
         }
@@ -441,7 +443,9 @@ int64_t pe_rva_to_offset(
 
   if (rva < lowest_section_rva)
   {
-    return rva;
+    section_rva = 0;
+    section_offset = 0;
+    section_raw_size = pe->data_size;
   }
 
   // Many sections, have a raw (on disk) size smaller than their in-memory size.
@@ -449,9 +453,7 @@ int64_t pe_rva_to_offset(
   // associated file offset.
 
   if ((rva - section_rva) >= section_raw_size)
-  {
     return -1;
-  }
 
   result = section_offset + (rva - section_rva);
 

-- 
Alioth's /usr/local/bin/git-commit-notice on /srv/git.debian.org/git/forensics/yara.git