From 6604b167be03e94d0eb4be5756aa66d25ffe0bca Mon Sep 17 00:00:00 2001
From: Vincent Thiberville <vthib@pm.me>
Date: Thu, 25 Apr 2024 01:18:15 +0200
Subject: [PATCH] fix signature and magic strings in dex module

Several bytestring values in the dex module were not set properly,
and were cut short due to the presence of a nul byte.

This happened on:
- all the dex.DEX_FILE_MAGIC_* constants, which were cut short by one
  byte (the last one is the nul byte).
- the magic and signature field in the "header" object of the module.

For all of those, the size is fixed and known, so use the right length
and do not cut it short if a nul byte is present.
---
 libyara/modules/dex/dex.c | 25 ++++++++++++-------------
 1 file changed, 12 insertions(+), 13 deletions(-)

diff --git a/libyara/modules/dex/dex.c b/libyara/modules/dex/dex.c
index f850d20a7b..a1efdd0a8a 100644
--- a/libyara/modules/dex/dex.c
+++ b/libyara/modules/dex/dex.c
@@ -492,19 +492,13 @@ dex_header_t* dex_get_header(const uint8_t* data, size_t data_size)
 void dex_parse_header(dex_header_t* dex_header, YR_OBJECT* module_object)
 {
   yr_set_sized_string(
-      (char*) dex_header->magic,
-      strnlen((char*) dex_header->magic, 8 * sizeof(char)),
-      module_object,
-      "header.magic");
+      (char*) dex_header->magic, 8, module_object, "header.magic");
 
   yr_set_integer(
       yr_le32toh(dex_header->checksum), module_object, "header.checksum");
 
   yr_set_sized_string(
-      (char*) dex_header->signature,
-      strnlen((char*) dex_header->signature, 20 * sizeof(char)),
-      module_object,
-      "header.signature");
+      (char*) dex_header->signature, 20, module_object, "header.signature");
 
   yr_set_integer(
       yr_le32toh(dex_header->file_size), module_object, "header.file_size");
@@ -1461,11 +1455,16 @@ int module_load(
 
   dex_header_t* dex_header;
 
-  yr_set_string(DEX_FILE_MAGIC_035, module_object, "DEX_FILE_MAGIC_035");
-  yr_set_string(DEX_FILE_MAGIC_036, module_object, "DEX_FILE_MAGIC_036");
-  yr_set_string(DEX_FILE_MAGIC_037, module_object, "DEX_FILE_MAGIC_037");
-  yr_set_string(DEX_FILE_MAGIC_038, module_object, "DEX_FILE_MAGIC_038");
-  yr_set_string(DEX_FILE_MAGIC_039, module_object, "DEX_FILE_MAGIC_039");
+  yr_set_sized_string(
+      DEX_FILE_MAGIC_035, 8, module_object, "DEX_FILE_MAGIC_035");
+  yr_set_sized_string(
+      DEX_FILE_MAGIC_036, 8, module_object, "DEX_FILE_MAGIC_036");
+  yr_set_sized_string(
+      DEX_FILE_MAGIC_037, 8, module_object, "DEX_FILE_MAGIC_037");
+  yr_set_sized_string(
+      DEX_FILE_MAGIC_038, 8, module_object, "DEX_FILE_MAGIC_038");
+  yr_set_sized_string(
+      DEX_FILE_MAGIC_039, 8, module_object, "DEX_FILE_MAGIC_039");
 
   yr_set_integer(0x12345678, module_object, "ENDIAN_CONSTANT");
   yr_set_integer(0x78563412, module_object, "REVERSE_ENDIAN_CONSTANT");