From 19c3fb54b226426b5c41219e92d6e570fc0b57b0 Mon Sep 17 00:00:00 2001
From: Wesley Shields
Date: Tue, 26 Nov 2024 09:54:21 -0500
Subject: [PATCH] Fix bug when parsing imports from 32bit PE.
There is a bug when parsing [1] which turns out to be incorrectly checking the number of successfully parsed imported functions and not the number of parsed attempts. This particular sample is badly malformed and is causing excessive loops in the parser while attempting to parse invalid data. With this fix it will finish in a few seconds on my laptop. [1]: 9c8e4dfa84b1ce7e919964978d33eada266d58b2aacdbef44b0618cc178ea421
---
 libyara/modules/pe/pe.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/libyara/modules/pe/pe.c b/libyara/modules/pe/pe.c
index 61b3f5ccd8..d10b311aad 100644
--- a/libyara/modules/pe/pe.c
+++ b/libyara/modules/pe/pe.c
@@ -939,7 +939,7 @@ static IMPORT_FUNCTION* pe_parse_import_descriptor(
 while (struct_fits_in_pe(pe, thunks32, IMAGE_THUNK_DATA32) &&
 yr_le32toh(thunks32->u1.Ordinal) != 0 &&
- *num_function_imports < MAX_PE_IMPORTS)
+ parsed_imports < MAX_PE_IMPORTS)
 {
 char* name = NULL;
 uint16_t ordinal = 0;
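Review bot: Nothing at the 32-bit thunk `while` records why the bound is `parsed_imports` (attempts) rather than `*num_function_imports` (successes), so a later cleanup could reintroduce the near-unbounded walk on malformed input. I would add a comment above the loop: `// Bound on parse attempts, not successes: entries that fail to parse must still count toward MAX_PE_IMPORTS.` The fix only holds if `parsed_imports` is incremented on every iteration, including any path that skips an entry; the loop body continues outside this hunk, so that is worth confirming there. It is also worth checking that the 64-bit thunk loop in `pe_parse_import_descriptor`, which is not visible here, is bounded by the same counter. The commit message reports the sample still takes a few seconds, which suggests the cap may apply per descriptor rather than per file; if so, a total-attempts budget across descriptors would bound scan time on hostile PEs more tightly.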