Fix crash while parsing PE Rich header

File e77b007c9a964411c5e33afeec18be32c86963b78f3c3e906b28fcf1382f46c3 has a Rich header of only 8 bytes, which is smaller than the RICH_SIGNATURE structure. This was causing a crash when some of the `rich_xxx` functions were used with this file.
VirusTotal · Jul 24, 2024 · cbc982d · cbc982d
1 parent 6fe197e
commit cbc982d
Showing 1 changed file with 8 additions and 3 deletions.
diff --git a/libyara/modules/pe/pe.c b/libyara/modules/pe/pe.c
@@ -3391,17 +3391,22 @@ static uint64_t _rich_version(
   rich_length = yr_get_integer(module, "rich_signature.length");
   rich_string = yr_get_string(module, "rich_signature.clear_data");
 
-  // If the clear_data was not set, return YR_UNDEFINED
+  // If clear_data was not set, return YR_UNDEFINED
   if (rich_string == NULL)
     return YR_UNDEFINED;
 
+  // File e77b007c9a964411c5e33afeec18be32c86963b78f3c3e906b28fcf1382f46c3
+  // has a Rich header of length 8, which is smaller than RICH_SIGNATURE and
+  // causes a crash.
+  if (rich_length < sizeof(RICH_SIGNATURE))
+    return YR_UNDEFINED;
+
   if (version == YR_UNDEFINED && toolid == YR_UNDEFINED)
-    return false;
+    return 0;
 
   clear_rich_signature = (PRICH_SIGNATURE) rich_string->c_string;
 
   // Loop over the versions in the rich signature
-
   rich_count = (rich_length - sizeof(RICH_SIGNATURE)) /
                sizeof(RICH_VERSION_INFO);