[Forensics-changes] [yara] 362/415: Recognise x64 PE files and add some sanity checks

Hilko Bengen bengen at moszumanska.debian.org
Thu Apr 3 05:43:24 UTC 2014



bengen pushed a commit to branch debian
in repository yara.

commit f435aae0b14fdc2f805fa086651619900e9e6e1e
Author: Victor Manuel Alvarez <vmalvarez at virustotal.com>
Date:   Wed Jan 15 20:37:53 2014 +0100

    Recognise x64 PE files and add some sanity checks
---
 libyara/exefiles.c | 22 +++++++++++++++++++---
 libyara/pe.h       |  1 +
 2 files changed, 20 insertions(+), 3 deletions(-)

diff --git a/libyara/exefiles.c b/libyara/exefiles.c
index 9a2c322..6864162 100644
--- a/libyara/exefiles.c
+++ b/libyara/exefiles.c
@@ -67,7 +67,8 @@ PIMAGE_NT_HEADERS yr_get_pe_header(
   headers_size += pe_header->FileHeader.SizeOfOptionalHeader;
 
   if (pe_header->Signature == IMAGE_NT_SIGNATURE &&
-      pe_header->FileHeader.Machine == IMAGE_FILE_MACHINE_I386 &&
+      (pe_header->FileHeader.Machine == IMAGE_FILE_MACHINE_I386 ||
+       pe_header->FileHeader.Machine == IMAGE_FILE_MACHINE_X64) &&
       buffer_length > headers_size)
   {
     return pe_header;
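Review bot: Admitting IMAGE_FILE_MACHINE_X64 here makes yr_get_pe_header hand back a `PIMAGE_NT_HEADERS` for PE32+ images as well, and if that type carries the 32-bit optional-header layout in this tree (not visible in the hunk), callers reading OptionalHeader fields through it will pick up the wrong bytes for those files, since the 64-bit optional header has a different layout (8-byte ImageBase, no BaseOfData, shifted data directories). The Machine field alone does not say which optional header follows; the Windows layout exposes it as `OptionalHeader.Magic` (0x10b for PE32, 0x20b for PE32+), so the check should either reject anything whose Magic is neither of those values, or record which one was found so that callers can dispatch on it — confirm the field name against pe.h. The function's signature and the read of SizeOfOptionalHeader begin above the hunk, so whether FileHeader is bounds-checked before it is read cannot be seen from here.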
@@ -147,8 +148,16 @@ uint64_t yr_elf_rva_to_offset_32(
     return 0;
 
   // check to prevent integer wraps
-  if(ULONG_MAX - elf_header->sh_entry_count <
-     sizeof(elf32_section_header_t) * elf_header->sh_entry_count)
+
+  if (ULONG_MAX - elf_header->sh_entry_count <
+      sizeof(elf32_section_header_t) * elf_header->sh_entry_count)
+    return 0;
+
+  // check that 'sh_offset' doesn't wrap when added to the
+  // size of entries.
+
+  if (ULONG_MAX - elf_header->sh_offset <
+      sizeof(elf32_section_header_t) * elf_header->sh_entry_count)
     return 0;
 
   if (elf_header->sh_offset + \
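Review bot: The multiplication guard at the top of this hunk, `ULONG_MAX - elf_header->sh_entry_count < sizeof(elf32_section_header_t) * elf_header->sh_entry_count`, uses the very product it is meant to protect, so a product that did wrap would be compared after wrapping and the check would pass; the form that guards the multiplication is `if (elf_header->sh_entry_count > SIZE_MAX / sizeof(elf32_section_header_t)) return 0;` (SIZE_MAX from stdint.h). The new sh_offset check inherits the same product, and both compare against ULONG_MAX although the sum on the lines that follow is evaluated as size_t because sizeof promotes it, so SIZE_MAX is the matching bound — identical on LP64, not necessarily elsewhere. If sh_entry_count is a 16-bit field as in the ELF header, the product cannot wrap in practice and the first check is merely misleading, but the struct definition is not in this hunk. yr_elf_rva_to_offset_32 starts before the hunk.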
@@ -167,6 +176,7 @@ uint64_t yr_elf_rva_to_offset_32(
         rva <  section->addr + section->size)
     {
       // prevent integer wrapping with the return value
+
       if (ULONG_MAX - section->offset < (rva - section->addr))
         return 0;
       else
@@ -192,6 +202,12 @@ uint64_t yr_elf_rva_to_offset_64(
   if (elf_header->sh_offset == 0 || elf_header->sh_entry_count == 0)
     return 0;
 
+  // check that 'sh_offset' doesn't wrap when added to the
+  // size of entries.
+  if(ULONG_MAX - elf_header->sh_offset <
+     sizeof(elf64_section_header_t) * elf_header->sh_entry_count)
+    return 0;
+
   if (elf_header->sh_offset + \
       sizeof(elf64_section_header_t) * \
       elf_header->sh_entry_count > buffer_length)
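Review bot: The new wrap check guards only sh_offset; unlike the 32-bit counterpart, nothing in this function as shown checks that `sizeof(elf64_section_header_t) * elf_header->sh_entry_count` itself does not wrap before it is added on the following lines, unless such a guard sits above the hunk. A matching `if (elf_header->sh_entry_count > SIZE_MAX / sizeof(elf64_section_header_t)) return 0;` keeps the two functions in step, and SIZE_MAX rather than ULONG_MAX is the bound for a sum computed in size_t. The `if(` spacing also differs from the `if (` form the 32-bit hunk was just normalised to. yr_elf_rva_to_offset_64 continues outside the hunk.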
diff --git a/libyara/pe.h b/libyara/pe.h
index 08c6c04..5ae1996 100644
--- a/libyara/pe.h
+++ b/libyara/pe.h
@@ -114,6 +114,7 @@ typedef struct _IMAGE_FILE_HEADER {
 
 
 #define IMAGE_FILE_MACHINE_I386              0x014c  // Intel 386.
+#define IMAGE_FILE_MACHINE_X64               0x8664  // Intel x64.
 
 //
 // Directory format.
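Review bot: The comment on the new constant could record what matters to code that tests for it: `// AMD64 / x86-64; images with this machine type carry a PE32+ (64-bit) optional header.` A reader who sees this value accepted alongside IMAGE_FILE_MACHINE_I386 will otherwise assume the same IMAGE_NT_HEADERS layout applies to both, and pe.h is where they will look for the distinction.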



