Fix regression introduced in 6209630

One section entry was being ignored while parsing file b200f89fe313b6311e444e37725cae95127797ddb430e711c788c264acf92eb0 because we were forcing every resource entry to be shorter than the PE itself. Although this sanity check makes sense, with truncated files this can lead to resource entries that are ignored. Here we make the sanity check more permissive, allowing entries that are larger than the PE file, but rejecting entries with ridiculously large sizes.
VirusTotal · Sep 10, 2024 · 44fd094 · 44fd094
1 parent 5194025
commit 44fd094
Showing 1 changed file with 5 additions and 1 deletion.
diff --git a/libyara/modules/pe/pe.c b/libyara/modules/pe/pe.c
@@ -509,7 +509,11 @@ static int _pe_iterate_resources(
  if (struct_fits_in_pe(pe, data_entry, IMAGE_RESOURCE_DATA_ENTRY))
  {
  if (yr_le32toh(data_entry->Size) > 0 &&
- yr_le32toh(data_entry->Size) < pe->data_size)
+ // We could use the PE's size as an upper bound for the entry size,
+ // but there are some truncated files where the PE size is lower.
+ // Use a reasonably large value as the upper bound and avoid some
+ // completely corrupt entries with random values.
+ yr_le32toh(data_entry->Size) <= 0x3FFFFFFF)
  {
  if (callback(
  data_entry,