From cbc982d754e1721233d647a2f449723b536f85b4 Mon Sep 17 00:00:00 2001
From: "Victor M. Alvarez"
Date: Wed, 24 Jul 2024 14:31:30 +0200
Subject: [PATCH] Fix crash while parsing PE Rich header

File e77b007c9a964411c5e33afeec18be32c86963b78f3c3e906b28fcf1382f46c3 has a Rich header of only 8 bytes, which is smaller than the RICH_SIGNATURE structure. This was causing a crash when some of the `rich_xxx` functions were used with this file.
---
 libyara/modules/pe/pe.c | 11 ++++++++---
 1 file changed, 8 insertions(+), 3 deletions(-)
diff --git a/libyara/modules/pe/pe.c b/libyara/modules/pe/pe.c
index 3540a92f4e..cfab3844f7 100644
--- a/libyara/modules/pe/pe.c
+++ b/libyara/modules/pe/pe.c
@@ -3391,17 +3391,22 @@ static uint64_t _rich_version(
 rich_length = yr_get_integer(module, "rich_signature.length");
 rich_string = yr_get_string(module, "rich_signature.clear_data");
- // If the clear_data was not set, return YR_UNDEFINED
+ // If clear_data was not set, return YR_UNDEFINED
 if (rich_string == NULL)
 return YR_UNDEFINED;
+ // File e77b007c9a964411c5e33afeec18be32c86963b78f3c3e906b28fcf1382f46c3
+ // has a Rich header of length 8, which is smaller than RICH_SIGNATURE and
+ // causes a crash.
+ if (rich_length < sizeof(RICH_SIGNATURE))
+ return YR_UNDEFINED;
+
 if (version == YR_UNDEFINED && toolid == YR_UNDEFINED)
- return false;
+ return 0;
 clear_rich_signature = (PRICH_SIGNATURE) rich_string->c_string;
 // Loop over the versions in the rich signature
- rich_count = (rich_length - sizeof(RICH_SIGNATURE)) / sizeof(RICH_VERSION_INFO);