Apply stricter sanity checks while parsing PE resources.

Corrupted file `c10a733e4899dbd03d537d7832efa71016f618e9fd1bffa35b8265df359a91f8` was producing tons of invalid resource entries.
VirusTotal · Mar 8, 2024 · c009195 · c009195
1 parent a024154
commit c009195
Showing 1 changed file with 4 additions and 3 deletions.
diff --git a/libyara/modules/pe/pe.c b/libyara/modules/pe/pe.c
@@ -451,11 +451,12 @@ static int _pe_iterate_resources(
 
   entry = (PIMAGE_RESOURCE_DIRECTORY_ENTRY) (resource_dir + 1);
 
+  if (!fits_in_pe(
+          pe, entry, total_entries * sizeof(IMAGE_RESOURCE_DIRECTORY_ENTRY)))
+    return result;
+
   for (i = 0; i < total_entries; i++)
   {
-    if (!struct_fits_in_pe(pe, entry, IMAGE_RESOURCE_DIRECTORY_ENTRY))
-      break;
-
     switch (rsrc_tree_level)
     {
     case 0: