[Forensics-changes] [yara] 362/415: Recognise x64 PE files and add some sanity checks
Hilko Bengen
bengen at moszumanska.debian.org
Thu Apr 3 05:43:24 UTC 2014
This is an automated email from the git hooks/post-receive script.
bengen pushed a commit to branch debian
in repository yara.
commit f435aae0b14fdc2f805fa086651619900e9e6e1e
Author: Victor Manuel Alvarez <vmalvarez at virustotal.com>
Date: Wed Jan 15 20:37:53 2014 +0100
Recognise x64 PE files and add some sanity checks
---
libyara/exefiles.c | 22 +++++++++++++++++++---
libyara/pe.h | 1 +
2 files changed, 20 insertions(+), 3 deletions(-)
diff --git a/libyara/exefiles.c b/libyara/exefiles.c
index 9a2c322..6864162 100644
--- a/libyara/exefiles.c
+++ b/libyara/exefiles.c
@@ -67,7 +67,8 @@ PIMAGE_NT_HEADERS yr_get_pe_header(
headers_size += pe_header->FileHeader.SizeOfOptionalHeader;
if (pe_header->Signature == IMAGE_NT_SIGNATURE &&
- pe_header->FileHeader.Machine == IMAGE_FILE_MACHINE_I386 &&
+ (pe_header->FileHeader.Machine == IMAGE_FILE_MACHINE_I386 ||
+ pe_header->FileHeader.Machine == IMAGE_FILE_MACHINE_X64) &&
buffer_length > headers_size)
{
return pe_header;
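Review bot: Accepting IMAGE_FILE_MACHINE_X64 on the new line returns the same PIMAGE_NT_HEADERS for PE32+ files, whose OptionalHeader is the larger 64-bit layout (ImageBase is 8 bytes there, shifting every field after it), so a caller that reads optional-header fields through the 32-bit struct gets wrong offsets on x64 input; the struct is declared outside this hunk, so this is inferred from the unchanged return type. A comment at the machine check should say so, e.g. `// PE32+ (x64) files carry a 64-bit OptionalHeader; callers must check OptionalHeader.Magic (0x20b) before reading fields past it`. The `buffer_length > headers_size` bound itself stays valid for both layouts because headers_size already includes SizeOfOptionalHeader from the file header. yr_get_pe_header starts before this hunk.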
@@ -147,8 +148,16 @@ uint64_t yr_elf_rva_to_offset_32(
return 0;
// check to prevent integer wraps
- if(ULONG_MAX - elf_header->sh_entry_count <
- sizeof(elf32_section_header_t) * elf_header->sh_entry_count)
+
+ if (ULONG_MAX - elf_header->sh_entry_count <
+ sizeof(elf32_section_header_t) * elf_header->sh_entry_count)
+ return 0;
+
+ // check that 'sh_offset' doesn't wrap when added to the
+ // size of entries.
+
+ if (ULONG_MAX - elf_header->sh_offset <
+ sizeof(elf32_section_header_t) * elf_header->sh_entry_count)
return 0;
if (elf_header->sh_offset + \
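Review bot: The retained first guard, `ULONG_MAX - elf_header->sh_entry_count < sizeof(elf32_section_header_t) * elf_header->sh_entry_count`, tests whether `sh_entry_count + product` wraps, an expression the function never forms, and the product is evaluated before the comparison, so a product that has already wrapped passes it. A multiplication guard should be in division form, `if (elf_header->sh_entry_count > SIZE_MAX / sizeof(elf32_section_header_t)) return 0;`, and sit before the new sh_offset check so the product that check uses is known not to have wrapped. The new check bounds against ULONG_MAX while the sum on the last line is evaluated in size_t; the two agree on LP64 but the ULONG_MAX form over-rejects where unsigned long is narrower than size_t, so SIZE_MAX is the matching bound there as well. Whether sh_entry_count is narrow enough to make the multiplication overflow unreachable depends on the elf32 header type, which is outside this hunk, as is the start of yr_elf_rva_to_offset_32.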
@@ -167,6 +176,7 @@ uint64_t yr_elf_rva_to_offset_32(
rva < section->addr + section->size)
{
// prevent integer wrapping with the return value
+
if (ULONG_MAX - section->offset < (rva - section->addr))
return 0;
else
@@ -192,6 +202,12 @@ uint64_t yr_elf_rva_to_offset_64(
if (elf_header->sh_offset == 0 || elf_header->sh_entry_count == 0)
return 0;
+ // check that 'sh_offset' doesn't wrap when added to the
+ // size of entries.
+ if(ULONG_MAX - elf_header->sh_offset <
+ sizeof(elf64_section_header_t) * elf_header->sh_entry_count)
+ return 0;
+
if (elf_header->sh_offset + \
sizeof(elf64_section_header_t) * \
elf_header->sh_entry_count > buffer_length)
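Review bot: The added guard is spelled `if(ULONG_MAX` while the same commit reformats the corresponding line in yr_elf_rva_to_offset_32 to `if (`; write `if (ULONG_MAX - elf_header->sh_offset <` here for consistency. The guard also assumes `sizeof(elf64_section_header_t) * elf_header->sh_entry_count` has not already wrapped; the 32-bit function has a multiplication guard before this point and none is visible in this hunk for the 64-bit path, so if one is not present above the hunk, add `if (elf_header->sh_entry_count > SIZE_MAX / sizeof(elf64_section_header_t)) return 0;` ahead of it. yr_elf_rva_to_offset_64 starts before this hunk and its body continues after it.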
diff --git a/libyara/pe.h b/libyara/pe.h
index 08c6c04..5ae1996 100644
--- a/libyara/pe.h
+++ b/libyara/pe.h
@@ -114,6 +114,7 @@ typedef struct _IMAGE_FILE_HEADER {
#define IMAGE_FILE_MACHINE_I386 0x014c // Intel 386.
+#define IMAGE_FILE_MACHINE_X64 0x8664 // Intel x64.
//
// Directory format.
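Review bot: The comment on the new define says `Intel x64`, but 0x8664 is the PE machine type for AMD64/x86-64 (the Windows SDK names the same value IMAGE_FILE_MACHINE_AMD64), so the vendor label misleads; suggest `#define IMAGE_FILE_MACHINE_X64 0x8664 // x64 (AMD64 / x86-64).` Keeping the X64 identifier is fine since exefiles.c in this commit uses it.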
--
Alioth's /usr/local/bin/git-commit-notice on /srv/git.debian.org/git/forensics/yara.git