[Forensics-changes] [yara] 126/192: Add missing endianness conversions

Hilko Bengen bengen at moszumanska.debian.org
Sat Jul 1 10:31:55 UTC 2017 

This is an automated email from the git hooks/post-receive script.

bengen pushed a commit to annotated tag v3.6.0
in repository yara.

commit b6851ea05bfcc7938101aff26f48094cba3e07f5
Author: plusvic <plusvic at gmail.com>
Date:   Thu Mar 16 16:38:16 2017 +0100

    Add missing endianness conversions
---
 libyara/modules/pe.c | 15 ++++++++++-----
 1 file changed, 10 insertions(+), 5 deletions(-)

diff --git a/libyara/modules/pe.c b/libyara/modules/pe.c
index b23bd88..73d40dd 100644
--- a/libyara/modules/pe.c
+++ b/libyara/modules/pe.c
@@ -545,7 +545,7 @@ void pe_parse_version_info(
              yr_le16toh(string->Length) != 0 &&
              string < string_table)
       {
-        if (string->ValueLength > 0)
+        if (yr_le16toh(string->ValueLength) > 0)
         {
           char* string_value = (char*) ADD_OFFSET(string,
               sizeof(VERSION_INFO) + 2 * (strnlen_w(string->Key) + 1));
@@ -562,7 +562,7 @@ void pe_parse_version_info(
           }
         }
 
-        string = ADD_OFFSET(string, string->Length);
+        string = ADD_OFFSET(string, yr_le16toh(string->Length));
       }
     }
   }
@@ -1071,7 +1071,9 @@ void pe_parse_certificates(
   }
 
   // Store the end of directory, making comparisons easier.
-  eod = pe->data + yr_le32toh(directory->VirtualAddress) + directory->Size;
+  eod = pe->data + \
+        yr_le32toh(directory->VirtualAddress) + \
+        yr_le32toh(directory->Size);
 
   win_cert = (PWIN_CERTIFICATE) \
     (pe->data + yr_le32toh(directory->VirtualAddress));
@@ -1257,7 +1259,10 @@ void pe_parse_certificates(
       counter++;
     }
 
-    uintptr_t end = (uintptr_t)((uint8_t *) win_cert) + win_cert->Length;
+    uintptr_t end = \
+        (uintptr_t)((uint8_t *) win_cert) + \
+        yr_le32toh(win_cert->Length);
+
     win_cert = (PWIN_CERTIFICATE)(end + (end % 8));
 
     BIO_free(cert_bio);
@@ -1903,7 +1908,7 @@ static uint64_t rich_internal(
 
   for (i = 0; i < rich_count; i++)
   {
-    DWORD id_version = clear_rich_signature->versions[i].id_version;
+    DWORD id_version = yr_le32toh(clear_rich_signature->versions[i].id_version);
 
     int match_version = (version == RICH_VERSION_VERSION(id_version));
     int match_toolid = (toolid == RICH_VERSION_ID(id_version));

-- 
Alioth's /usr/local/bin/git-commit-notice on /srv/git.debian.org/git/forensics/yara.git

More information about the forensics-changes mailing list