* Fix issue #309 - Advance offset by string table field size
There's a bug in master where the code ends up misreading the symbol table because we don't advance the offset prior to reading the strings.
This change fixes the issue by adding the correct value to the offset and also includes a unit test that covers this case.
Platform: windows 19044.1706
goblin version: 0.5.1
Expected behavior
When I parse the string table in a COFF file, I expect it to return just the strings that exist in the symbol table.
Actual behavior
The string table parsing code instead returns three extra strings in the beginning of the list of strings.
The problem seems to be due to the fact that we don't update the offset before reading the strings.
Repro
You'll need to have the nasm (https://nasm.us/) assembler installed to assemble the program below:
Assemble the program using this command:
nasm -f win64 repro.asm -o repro.obj
And this is an example of a Rust program that reads a COFF file and dumps all the strings found in its string table:
Run the program with
cargo run repro.obj
Actual output
Expected output
The bug seems to be in the header.rs file (https://docs.rs/goblin/0.5.1/src/goblin/pe/header.rs.html#177). The code doesn't advance the offset by 4 (number of bytes for the string table size field). It ends up reading the 4 bytes as 3 different strings, which makes sense. The size should be 16 (0x10), so the first two bytes it reads make 0x10 and end at the third byte (0x0). The two other strings come from reading the subsequent 0x0.
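A stand-alone Rust model of the off-by-four described in this issue, added here as an example and not goblin's own code. It takes only the COFF string table layout from the report (a 4-byte little-endian size field that counts itself, followed by NUL-terminated strings) and runs the buggy and the corrected scan over a constructed 16-byte table.

```rust
// Added example, not goblin's code: a minimal COFF string-table parser that
// shows the off-by-four described in the issue beside the corrected version.
// Layout: a 4-byte little-endian size field (which counts itself), followed
// by NUL-terminated strings.

/// Collect NUL-terminated strings from `table[start..size]`.
fn read_strings(table: &[u8], start: usize, size: usize) -> Vec<String> {
    let mut out = Vec::new();
    let mut offset = start;
    while offset < size {
        // A string without a terminator runs to the end of the table.
        let end = table[offset..size]
            .iter()
            .position(|&b| b == 0)
            .map_or(size, |p| offset + p);
        out.push(String::from_utf8_lossy(&table[offset..end]).into_owned());
        offset = end + 1;
    }
    out
}

/// Read and sanity-check the size field: it must cover itself and fit the buffer.
fn table_size(table: &[u8]) -> Option<usize> {
    if table.len() < 4 { return None; }
    let size = u32::from_le_bytes([table[0], table[1], table[2], table[3]]) as usize;
    if (4..=table.len()).contains(&size) { Some(size) } else { None }
}

/// Buggy: the size is read, but scanning starts at offset 0, so the four
/// size bytes (10 00 00 00) are returned as the strings "\x10", "" and "".
pub fn parse_strtab_buggy(table: &[u8]) -> Option<Vec<String>> {
    let size = table_size(table)?;
    Some(read_strings(table, 0, size))
}

/// Fixed: advance past the 4-byte size field before scanning.
pub fn parse_strtab_fixed(table: &[u8]) -> Option<Vec<String>> {
    let size = table_size(table)?;
    Some(read_strings(table, 4, size))
}

/// Constructed 16-byte (0x10) table: size field, then "sym_a\0" and "sym_b\0".
pub fn sample_table() -> Vec<u8> {
    let mut t = 0x10u32.to_le_bytes().to_vec();
    t.extend_from_slice(b"sym_a\0sym_b\0");
    t
}

fn main() {
    let t = sample_table();
    println!("buggy: {:?}", parse_strtab_buggy(&t)); // 5 strings, 3 of them junk
    println!("fixed: {:?}", parse_strtab_fixed(&t)); // ["sym_a", "sym_b"]
}
```

The size check also rejects a size field that is smaller than 4 or larger than the buffer, which the scan would otherwise walk past.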