Fix heap overflow (reported by Jurriaan Bremer)

When setting a new array item with yr_object_array_set_item() the array size is doubled if the index for the new item is larger than the already allocated ones. No further checks were made to ensure that the index fits into the array after doubling its capacity. If the array capacity was for example 64, and a new object is assigned to an index larger than 128 the overflow occurs. As yr_object_array_set_item() is usually invoked with indexes that increase monotonically by one, this bug never triggered before. But the new "dotnet" module has the potential to allow the exploitation of this bug by scanning a specially crafted .NET binary.
Victor Manuel Alvarez committed Jul 5, 2017
1 parent c57c6c1 commit 4a342f01e5439b9bb901aff1c6c23c536baeeb3f
Showing with 16 additions and 1 deletion.
  1. +1 −0 libyara/modules/tests.c
  2. +8 −1 libyara/object.c
  3. +7 −0 tests/test-rules.c
@@ -176,6 +176,7 @@ int module_load(
set_integer(0, module_object, "integer_array[%i]", 0);
set_integer(1, module_object, "integer_array[%i]", 1);
set_integer(2, module_object, "integer_array[%i]", 2);
set_integer(256, module_object, "integer_array[%i]", 256);

set_string("foo", module_object, "string_array[%i]", 0);
set_string("bar", module_object, "string_array[%i]", 1);
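Review bot: a short comment next to `set_integer(256, module_object, "integer_array[%i]", 256);` explaining why index 256 was chosen would help, since nothing here tells a reader that this is the regression case for the capacity-doubling overflow (jumping from index 2 straight to 256 forces the 64-slot array to grow past a single doubling, which is exactly what the old `count * 2` path could not handle). The same value is asserted in tests/test-rules.c, so the two sites should be kept in sync if the index is ever changed.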
@@ -725,7 +725,10 @@ int yr_object_array_set_item(

if (array->items == NULL)
{
count = yr_max(64, (index + 1) * 2);
count = 64;

while (count <= index)
count *= 2;

array->items = (YR_ARRAY_ITEMS*) yr_malloc(
sizeof(YR_ARRAY_ITEMS) + count * sizeof(YR_OBJECT*));
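Review bot: the loop `while (count <= index) count *= 2;` assumes `count *= 2` can never wrap; the declared types of `count` and `index` are not visible in this hunk, so it is worth confirming that `index` cannot approach the upper half of `count`'s range, where the doubling would overflow before the condition becomes false. The removed `yr_max(64, (index + 1) * 2)` was already safe for this `items == NULL` branch, so the motivation for the change here is presumably consistency with the realloc path (power-of-two capacities); a one-line comment saying so would avoid the question in future reviews.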
@@ -740,6 +743,10 @@ int yr_object_array_set_item(
else if (index >= array->items->count)
{
count = array->items->count * 2;

while (count <= index)
count *= 2;

array->items = (YR_ARRAY_ITEMS*) yr_realloc(
array->items,
sizeof(YR_ARRAY_ITEMS) + count * sizeof(YR_OBJECT*));
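Review bot: this is the actual fix, and it is correct: the old `count = array->items->count * 2;` was only safe when `index < 2 * count`, so with a 64-slot array an index of 128 or more was written past the allocation, whereas the new loop guarantees `count > index` before `yr_realloc`. Two things to confirm outside this hunk: that the slots between the old `array->items->count` and the new `count` are initialised to NULL after the realloc (the caller may now legitimately skip indexes, as the new test does for 3..255), and the same wrap-around caveat as in the `items == NULL` branch for very large `index` values.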
@@ -1395,6 +1395,13 @@ static void test_modules()
}",
NULL);

assert_true_rule(
"import \"tests\" \
rule test { \
condition: tests.integer_array[256] == 256 \
}",
NULL);

assert_true_rule(
"import \"tests\" \
rule test { \
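Review bot: the assertion on `tests.integer_array[256] == 256` covers the reported case, but a test at the exact boundary would be stronger: with the old `array->items->count * 2` logic a 64-slot array grew to 128 slots, so index 128 was the first one written out of bounds, and a rule checking `tests.integer_array[128]` (set alongside the 256 entry in libyara/modules/tests.c) would catch an off-by-one regression that 256 might not. A negative check that an index in the skipped range (for example `tests.integer_array[3]`) is undefined rather than a stale value would also pin down the behaviour of the newly allocated slots.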

1 comment on commit 4a342f0

@plusvic

Collaborator

commented on 4a342f0 Jul 14, 2017

This bug has been assigned CVE-2017-11328
