Segfault caused when Java classfiles are scanned as Mach-O files in Yara 4.0.1 and 4.0.2

[melina-delgado]

Yara version: 4.0.2, 4.0.1

Hello everyone,

A neat thing I recently learned is that Java classfiles have the same file magic as Mach-O Fat binaries. This means that the Yara macho module will try to parse Java classfiles as Mach-O files. This is the culprit line https://github.com/VirusTotal/yara/blob/master/libyara/modules/macho/macho.c#L1349

The following I have found just by stepping through gdb.

For most class files, when we enter the macho_parse_fat_file function, we do not enter macho_parse_file function here: https://github.com/VirusTotal/yara/blob/master/libyara/modules/macho/macho.c#L701

However, for a few, we do. This is because we do not enter this line: https://github.com/VirusTotal/yara/blob/master/libyara/modules/macho/macho.c#L694 . So, it enters the macho_parse_file function and we hit a segfault in line 555 of macho.c . I see that the reserved variable doesn't seem to be used so there might be some other bugs in the macho.c file.

I have attached a sample rule and sample Java classfile in a zipfile that replicates the issue.
yara_402_bug_zip.zip

[plusvic]

Fixed in 510f366