From 8af832b48245964d4fee6ef375299c0269f15f64 Mon Sep 17 00:00:00 2001 From: dangodangodango <39194518+dangodangodango@users.noreply.github.com> Date: Sun, 29 May 2022 04:02:21 +0800 Subject: [PATCH] Fix issue #1708 (#1710) * Fix issue #1708 * Add test case for #1708 Build a dotnet pe that triggers this issue: https://github.com/dangodangodango/BadDotnetPe --- libyara/modules/dotnet/dotnet.c | 7 ++++--- tests/BUILD.bazel | 1 + tests/data/bad_dotnet_pe | Bin 0 -> 4096 bytes tests/test-dotnet.c | 9 +++++++++ 4 files changed, 14 insertions(+), 3 deletions(-) create mode 100644 tests/data/bad_dotnet_pe diff --git a/libyara/modules/dotnet/dotnet.c b/libyara/modules/dotnet/dotnet.c index 112e6fb092..8e1b7a2f56 100644 --- a/libyara/modules/dotnet/dotnet.c +++ b/libyara/modules/dotnet/dotnet.c @@ -1637,6 +1637,7 @@ static bool dotnet_is_dotnet(PE* pe) int64_t metadata_root = pe_rva_to_offset( pe, yr_le32toh(cli_header->MetaData.VirtualAddress)); + offset = metadata_root; if (!struct_fits_in_pe(pe, pe->data + metadata_root, NET_METADATA)) return false; @@ -1650,7 +1651,7 @@ static bool dotnet_is_dotnet(PE* pe) // Also make sure it fits in pe. uint32_t md_len = yr_le32toh(metadata->Length); if (md_len == 0 || md_len > 255 || md_len % 4 != 0 || - !fits_in_pe(pe, pe->data + offset, md_len)) + !fits_in_pe(pe, pe->data + offset + sizeof(NET_METADATA), md_len)) { return false; } @@ -1667,7 +1668,7 @@ static bool dotnet_is_dotnet(PE* pe) int64_t entry_offset = pe_rva_to_offset( pe, yr_le32toh(pe->header->OptionalHeader.AddressOfEntryPoint)); - if (offset < 0 || !fits_in_pe(pe, pe->data + entry_offset, 2)) + if (entry_offset < 0 || !fits_in_pe(pe, pe->data + entry_offset, 2)) return false; const uint8_t* entry_data = pe->data + entry_offset; 
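Review bot: The new `offset = metadata_root;` and the `struct_fits_in_pe(pe, pe->data + metadata_root, NET_METADATA)` call right after it form `pe->data + metadata_root` before anything rejects a negative `metadata_root`, whereas the third hunk of this file guards the analogous `entry_offset` with `entry_offset < 0` before its `fits_in_pe` call. If `pe_rva_to_offset` reports an unmapped RVA with a negative value, as that later guard suggests, the pointer arithmetic here is already out of bounds even where the macro's lower-bound comparison would then reject the result. Adding `if (metadata_root < 0) return false;` before the assignment keeps the two call sites consistent. `dotnet_is_dotnet` starts before this hunk and continues after it.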
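Review bot: The corrected bound `!fits_in_pe(pe, pe->data + offset + sizeof(NET_METADATA), md_len)` is repeated verbatim in `dotnet_parse_com` (the hunk at -1721), together with the `md_len == 0 || md_len > 255 || md_len % 4 != 0` test in front of it, so the two validations of the metadata root can drift apart again the way they did before this fix. A small static helper holding that whole condition, called from both functions, would keep them in step; the sketch below shows it for the `dotnet_is_dotnet` call site, with `dotnet_parse_com` changed the same way. Whichever shape is kept, a comment such as `// The version string starts right after the fixed NET_METADATA header` on the changed line would explain the `sizeof(NET_METADATA)` term, which the hunk leaves unexplained. `dotnet_is_dotnet` continues outside the hunk.
```c
// Checks the metadata version string length and that the string, which starts
// right after the fixed NET_METADATA header at `offset`, fits inside the file.
static bool dotnet_metadata_version_fits(PE* pe, int64_t offset, uint32_t md_len)
{
  return md_len != 0 && md_len <= 255 && md_len % 4 == 0 &&
         fits_in_pe(pe, pe->data + offset + sizeof(NET_METADATA), md_len);
}

// … unchanged: earlier body of dotnet_is_dotnet …
  uint32_t md_len = yr_le32toh(metadata->Length);
  if (!dotnet_metadata_version_fits(pe, offset, md_len))
  {
    return false;
  }
```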
@@ -1721,7 +1722,7 @@ void dotnet_parse_com(PE* pe) md_len = yr_le32toh(metadata->Length); if (md_len == 0 || md_len > 255 || md_len % 4 != 0 || - !fits_in_pe(pe, pe->data + offset, md_len)) + !fits_in_pe(pe, pe->data + offset + sizeof(NET_METADATA), md_len)) { return; } diff --git a/tests/BUILD.bazel b/tests/BUILD.bazel index ee573fbba6..86b688dae4 100644 --- a/tests/BUILD.bazel +++ b/tests/BUILD.bazel @@ -241,6 +241,7 @@ cc_test( data = [ "data/tiny", "data/0ca09bde7602769120fadc4f7a4147347a7a97271370583586c9e587fd396171", + "data/bad_dotnet_pe", ], linkstatic = True, deps = [ 
diff --git a/tests/data/bad_dotnet_pe b/tests/data/bad_dotnet_pe new file mode 100644 index 0000000000000000000000000000000000000000..b4e07c1c6b5a0006684da164debb334440d7768f GIT binary patch literal 4096 zcmeHKU2GIp6h60qlm+?|u&HQppdbaC$<~%CsAad^mR9;_cWF^e+S%>xGB`W4nVE&w z2ke6y9#s0|qX~&of+mt^A|cTSW1=r4K4@Z85+5Z#KunCpsQ8^bv)yeg7+-uKob5e- z_uO;OIdkXS>F{$)R7pft7`JW_T>@o@DST(Ni0QhAF4xgV>#uCTB!;eRPaQWsE$=#6 z*T`uZ!?qn?OH0iy*qUi;iP5B%b7rN!X;Wlp=z6S=Xh>Aj56QQ07I*uRc4!+!l&BV( znm~K{VNeYthC$Sz_=+HIR&e|Z7J;E>sHB-!*p&ZDG!$6{XoKHTW@1E9F2rh>A=(IC zY8S@pxjV^P5Ps357V#npMHe??&A*}-~gBVdynW)$qt}B3JtDtJSVG!NG9ztpVJJMaO%(repkbAdPw4!v8 zy*y(Rvns7ai0T9VMyxL`a;?}~c*4pTMc(=;@#;wJ1Q&FA1(Aog>JrxCb@?gx(09^eM7WV~PDxWa=9Kcn!o3Y&D0 z?jr+y4e7Ljb^~vwDDVR~>pFHj3j7GY0o*}v0Y5?S0r%qV*Xgj*CxNRLgZj`ippeBE zQt7tBD+3?mB5bAYMYh*6Jg=Re9Cl_4mh7gvf}NoOX<5#s<65(nT=0CE(|aA;b1YdD z#|yS^<|IwJrZ0y~TT()%3)!rZwq)GLu}BwuNpa7UxwN&AGW~LO%5byN???ZUryTc% zwf6m{B`2ionU1}7a?qZ0+??TK(y(r8g?Q)8Y{6A_B`3X3E^k^&IW8?@UU6P&z8LYC zi*jWAwG-^Xuop@bVI`E_H`AtN`en0W^+F>(3>Pm=S&8*o%L?ndTwXb6$qc7Rdd7F$ zqCR07S=;e^GvgIiMb|-Q(oIVDq?wUk_&~4~o-D-C^a*$*YBwo|6J(Kzcg4gBv}qpH z0nJhj!@#_Wd7U!Q=5S8VF8zGr%Wtm@FFy9i`@gRL(5EU*h}uexL^YVkMi%R;2&ner z!ReP8zlj_`HxRW#HB6#y{8FVVnkHQ%KjPSZ^BI}v+)~F~=ak2G=mvm&f|~V_zErQ{ z%6LBC7FO%2lU;fg4(hfnADM*dW9-JLMh~tIngpZ()Rk2fK*y7bWb-@G z_{PsZ=>NFs$n~px)^)Rw-UCyoys25ox1~Q-3bmYd(kG_Epr>Gkgv)02{A`+%1Mx@q zby4Vl;MAS^QxN^hb_Qo+^qh~w*b~qX%`Z{>kSOuPM>{}sFqe3}^odN2^w=T4bhrA;WS33L+|ez>1V__S#b zJ%wSXT9v{qcOVb*hU!P$hXS}*)d{BpG5N4ERexIRsX^I9amNL}PD-o$t_ydnz-`GL zEU)%hKt|l#&=mj!pcZ}(O=7s~qobd$KyYLY7 zSKgoT2K*Z={UTS zY61OfpV3gy)nw~po-75G`M3Rox{kq*gD489jb9e+?duxF_lKaB>sD8%R2!nlRUPA~ rorm0Vc&Zk%(r`{!R