@@ -3060,7 +3060,13 @@ static char *parse_yara_hex_string(YR_STRING *string, int *ret) |
| 3060 | 3060 |
case '}': |
| 3061 | 3061 |
break; |
| 3062 | 3062 |
case '[': |
| 3063 |
- res[j++] = '{';
|
|
| 3063 |
+ /* unbounded range check */ |
|
| 3064 |
+ if ((i+2 < slen-1) && (str[i+1] == '-') && (str[i+2] == ']')) {
|
|
| 3065 |
+ res[j++] = '*'; |
|
| 3066 |
+ i += 2; |
|
| 3067 |
+ } else {
|
|
| 3068 |
+ res[j++] = '{';
|
|
| 3069 |
+ } |
|
| 3064 | 3070 |
break; |
| 3065 | 3071 |
case ']': |
| 3066 | 3072 |
res[j++] = '}'; |
@@ -3249,6 +3255,12 @@ static int yara_subhex_verify(const char *hexstr, const char *end, size_t *maxsu |
| 3249 | 3249 |
while (track != end) {
|
| 3250 | 3250 |
switch (*track) {
|
| 3251 | 3251 |
case '*': |
| 3252 |
+ if (sublen <= 2) {
|
|
| 3253 |
+ if (maxsublen) |
|
| 3254 |
+ *maxsublen = sublen; |
|
| 3255 |
+ cli_warnmsg("load_oneyara[verify]: string has unbounded wildcard on single byte subsequence\n");
|
|
| 3256 |
+ return CL_EMALFDB; |
|
| 3257 |
+ } |
|
| 3252 | 3258 |
case '?': |
| 3253 | 3259 |
if (*track == '?') |
| 3254 | 3260 |
hexbyte = !hexbyte; |
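Review bot: The `case '*':` branch (new side 3252–3257) now runs a multi-line block and then drops straight into `case '?':` (new 3258) with no `break`, which reads like a forgotten one even though the original `case '*':` already shared the `'?'` body; mark it explicitly with `/* fallthrough */` after the closing brace at 3257 so the next reader does not "fix" it. The `sublen <= 2` threshold is presumably "at most one hex byte", as the warning text says; a one-line comment such as `/* sublen counts hex digits, so <= 2 is a single byte */` would pin that down if the count is indeed in digits rather than bytes. The enclosing while loop starts before the hunk and the function body continues past it, so whether `sublen` is reset once the `*` is consumed cannot be judged from here. The same fallthrough-marker point applies to the `case '[':` block in the first hunk only insofar as its new `if`/`else` keeps the existing `break`, which it does.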