Fix issue #1708 (#1710)

* Fix issue #1708 * Add test case for #1708 Build a dotnet pe that triggers this issue: https://github.com/dangodangodango/BadDotnetPe
VirusTotal · May 28, 2022 · 94a5de1 · 94a5de1
1 parent a60f47c
commit 94a5de1
Show file tree

Hide file tree

Showing 4 changed files with 14 additions and 3 deletions.
diff --git a/libyara/modules/dotnet/dotnet.c b/libyara/modules/dotnet/dotnet.c
@@ -1637,6 +1637,7 @@ static bool dotnet_is_dotnet(PE* pe)
 
   int64_t metadata_root = pe_rva_to_offset(
       pe, yr_le32toh(cli_header->MetaData.VirtualAddress));
+  offset = metadata_root;
 
   if (!struct_fits_in_pe(pe, pe->data + metadata_root, NET_METADATA))
     return false;
@@ -1650,7 +1651,7 @@ static bool dotnet_is_dotnet(PE* pe)
   // Also make sure it fits in pe.
   uint32_t md_len = yr_le32toh(metadata->Length);
   if (md_len == 0 || md_len > 255 || md_len % 4 != 0 ||
-      !fits_in_pe(pe, pe->data + offset, md_len))
+      !fits_in_pe(pe, pe->data + offset + sizeof(NET_METADATA), md_len))
   {
     return false;
   }
@@ -1667,7 +1668,7 @@ static bool dotnet_is_dotnet(PE* pe)
     int64_t entry_offset = pe_rva_to_offset(
         pe, yr_le32toh(pe->header->OptionalHeader.AddressOfEntryPoint));
 
-    if (offset < 0 || !fits_in_pe(pe, pe->data + entry_offset, 2))
+    if (entry_offset < 0 || !fits_in_pe(pe, pe->data + entry_offset, 2))
       return false;
 
     const uint8_t* entry_data = pe->data + entry_offset;
@@ -1721,7 +1722,7 @@ void dotnet_parse_com(PE* pe)
   md_len = yr_le32toh(metadata->Length);
 
   if (md_len == 0 || md_len > 255 || md_len % 4 != 0 ||
-      !fits_in_pe(pe, pe->data + offset, md_len))
+      !fits_in_pe(pe, pe->data + offset + sizeof(NET_METADATA), md_len))
   {
     return;
   }

diff --git a/tests/BUILD.bazel b/tests/BUILD.bazel
@@ -241,6 +241,7 @@ cc_test(
     data = [
         "data/tiny",
         "data/0ca09bde7602769120fadc4f7a4147347a7a97271370583586c9e587fd396171",
+        "data/bad_dotnet_pe",
     ],
     linkstatic = True,
     deps = [

diff --git a/tests/data/bad_dotnet_pe b/tests/data/bad_dotnet_pe
diff --git a/tests/test-dotnet.c b/tests/test-dotnet.c
@@ -84,6 +84,15 @@ int main(int argc, char** argv)
       "tests/data/"
       "0ca09bde7602769120fadc4f7a4147347a7a97271370583586c9e587fd396171");
 
+  assert_false_rule(
+      "import \"dotnet\" \
+      rule test { \
+        condition: \
+          dotnet.version == \"v4.0.30319\" \
+      }",
+      "tests/data/"
+      "bad_dotnet_pe");
+
   yr_finalize();
 
   YR_DEBUG_FPRINTF(