From 44fd094544666532a4854c1ac06f4cf240d3226f Mon Sep 17 00:00:00 2001 From: "Victor M. Alvarez" Date: Tue, 10 Sep 2024 09:34:47 +0200 Subject: [PATCH] Fix regression introduced in 6209630 One section entry was being ignored while parsing file b200f89fe313b6311e444e37725cae95127797ddb430e711c788c264acf92eb0 because we were forcing every resource entry to be shorter than the PE itself. Although this sanity check makes sense, with truncated files this can lead to resource entries that are ignored. Here we make the sanity check more permissive, allowing entries that are larger than the PE file, but rejecting entries with ridiculously large sizes. --- libyara/modules/pe/pe.c | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-) diff --git a/libyara/modules/pe/pe.c b/libyara/modules/pe/pe.c index d2f5542618..61b3f5ccd8 100644 --- a/libyara/modules/pe/pe.c +++ b/libyara/modules/pe/pe.c @@ -509,7 +509,11 @@ static int _pe_iterate_resources( if (struct_fits_in_pe(pe, data_entry, IMAGE_RESOURCE_DATA_ENTRY)) { if (yr_le32toh(data_entry->Size) > 0 && - yr_le32toh(data_entry->Size) < pe->data_size) + // We could use the PE's size as an upper bound for the entry size, + // but there are some truncated files where the PE size is lower. + // Use a reasonably large value as the upper bound and avoid some + // completely corrupt entries with random values. + yr_le32toh(data_entry->Size) <= 0x3FFFFFFF) { if (callback( data_entry,