Return YR_UNDEFINED when offset is not valid (#1881)

TommYDeeee · web-flow · commit 148dac678849 · 2023-03-22T09:50:15.000+01:00
diff --git a/libyara/modules/pe/pe.c b/libyara/modules/pe/pe.c
@@ -1622,6 +1622,8 @@ static void pe_parse_exports(PE* pe)
     }
     else
     {
+      if (offset < 0)
+        offset = YR_UNDEFINED;
       yr_set_integer(offset, pe->object, "export_details[%i].offset", exp_sz);
     }
 
diff --git a/tests/data/05cd06e6a202e12be22a02700ed6f1604e803ca8867277d852e8971efded0650 b/tests/data/05cd06e6a202e12be22a02700ed6f1604e803ca8867277d852e8971efded0650
diff --git a/tests/test-pe.c b/tests/test-pe.c
@@ -913,6 +913,18 @@ int main(int argc, char** argv)
       }",
       "tests/data/c6f9709feccf42f2d9e22057182fe185f177fb9daaa2649b4669a24f2ee7e3ba_0h_410h");
 
+  assert_true_rule_file(
+      "import \"pe\" \
+      rule invalid_offset { \
+        condition: \
+          not defined pe.export_details[0].offset and  \
+          not defined pe.export_details[7].offset and  \
+          not defined pe.export_details[15].offset and \
+          not defined pe.export_details[21].offset     \
+      }",
+      "tests/data/"
+      "05cd06e6a202e12be22a02700ed6f1604e803ca8867277d852e8971efded0650");
+
   yr_finalize();
 
   YR_DEBUG_FPRINTF(

Original file line number	Diff line number	Diff line change
`@@ -1622,6 +1622,8 @@ static void pe_parse_exports(PE* pe)`
`1622`	`1622`	`}`
`1623`	`1623`	`else`
`1624`	`1624`	`{`
	`1625`	`+ if (offset < 0)`
	`1626`	`+ offset = YR_UNDEFINED;`
`1625`	`1627`	`yr_set_integer(offset, pe->object, "export_details[%i].offset", exp_sz);`
`1626`	`1628`	`}`
`1627`	`1629`