

Commit ba78a72

Don't recurse infinitely. (#1794)
Fix infinite recursion when parsing a malformed binary, discovered by clusterfuzz. Fixes #1793.
1 parent e112951 commit ba78a72

1 file changed

Lines changed: 8 additions & 7 deletions


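--- a/libyara/modules/dotnet/dotnet.c
+++ b/libyara/modules/dotnet/dotnet.c
@@ -634,7 +634,8 @@ static char* get_type_def_or_ref_fullname(
 const CLASS_CONTEXT* ctx,
 uint32_t coded_index,
 GENERIC_PARAMETERS* class_gen_params,
-GENERIC_PARAMETERS* method_gen_params)
+GENERIC_PARAMETERS* method_gen_params,
+uint32_t depth) // against loops
 {
 // first 2 bits define table, index starts with third bit
 uint32_t index = coded_index >> 2;
@@ -714,7 +715,7 @@ static char* get_type_def_or_ref_fullname(
 // Valid blob
 if (blob_res.size)
 return parse_signature_type(
-ctx, &sig_data, &sig_len, class_gen_params, NULL, 0);
+ctx, &sig_data, &sig_len, class_gen_params, NULL, depth);
 }
 }
 return NULL;
@@ -729,7 +730,7 @@ static char* parse_signature_type(
 uint32_t depth // against loops
 )
 {
-// If atleast first type fits and we are not too nested
+// If at least first type fits and we are not too nested
 if (*len < 1 || !fits_in_pe(ctx->pe, *data, 1) || depth > MAX_TYPE_DEPTH)
 return NULL;
 
@@ -859,7 +860,7 @@ static char* parse_signature_type(
 // followed by TypeDefOrRefOrSpecEncoded index
 coded_index = read_blob_unsigned(data, len);
 return get_type_def_or_ref_fullname(
-ctx, coded_index, class_gen_params, method_gen_params);
+ctx, coded_index, class_gen_params, method_gen_params, depth + 1);
 break;
 
 case TYPE_VAR: // Generic class Var
@@ -1090,7 +1091,7 @@ static void parse_type_parents(
 {
 // Find the parent class
 char* parent = get_type_def_or_ref_fullname(
-ctx, extends, class_gen_params, NULL);
+ctx, extends, class_gen_params, NULL, 0);
 
 uint32_t base_type_idx = 0;
 if (parent)
@@ -1121,7 +1122,7 @@ static void parse_type_parents(
 if (row.Class == type_idx)
 {
 char* inteface = get_type_def_or_ref_fullname(
-ctx, row.Interface, class_gen_params, NULL);
+ctx, row.Interface, class_gen_params, NULL, 0);
 if (inteface)
 {
 yr_set_string(
@@ -1360,7 +1361,7 @@ static void parse_methods(
 
 uint32_t param_count = 0;
 char* return_type = NULL;
-// If there is valid blob and atleast minimum to parse
+// If there is valid blob and at least minimum to parse
 // (flags, paramCount, retType) parse these basic information
 if (blob_res.size && sig_len >= 3)
 {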
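Review bot: The new `depth` parameter of get_type_def_or_ref_fullname is never checked in that function itself — the bound is enforced only by the `depth > MAX_TYPE_DEPTH` test at the top of parse_signature_type, and the increment happens only on the parse_signature_type → get_type_def_or_ref_fullname edge — so `// against loops` on the new parameter understates the contract and should say where the bound lives, e.g. `uint32_t depth) // recursion depth through parse_signature_type; callers pass 0, bounded there by MAX_TYPE_DEPTH`. With that contract every cycle TypeSpec blob → parse_signature_type → get_type_def_or_ref_fullname grows depth by one, which is enough for the cycle visible here; whether parse_signature_type's other recursive cases (outside these hunks) also forward `depth + 1` cannot be confirmed from this page and is worth checking, since a case that resets to 0 or forwards `depth` unchanged would leave a path the fuzzer can still drive. The diffstat shows only dotnet.c changed, so the clusterfuzz input from #1793 is not kept as a regression test; adding the malformed binary (or a minimal TypeSpec that references itself) under the module's test data would pin the fix. All of get_type_def_or_ref_fullname, parse_signature_type, parse_type_parents and parse_methods start and end outside the hunks shown.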
