void-packages/srcpkgs/yara/patches/CVE-2018-1997{4-6}.patch

From 0a3ede0125c8b88a020fa4c98df78f6eea7eb9ab Mon Sep 17 00:00:00 2001
From: "Victor M. Alvarez" <plusvic@gmail.com>
Date: Thu, 13 Dec 2018 12:23:09 +0100
Subject: [PATCH] Fix issue #999 (#1001)

* Add additional check in OP_COUNT for making sure that the string pointer is not a fake one.

* Initialize scratch memory in order to avoid maliciously crafted YARA rules from reading values left in the stack.
---
 libyararena.c              | 10 +++++-----
 libyarexec.c               | 11 +++++++++++
 libyarinclude/yara/arena.h |  5 +++++
 3 files changed, 21 insertions(+), 5 deletions(-)

diff --git libyara/arena.c libyara/arena.c
index 34a374ef..805f6d70 100644
--- libyara/arena.c
+++ libyararena.c
@@ -109,7 +109,7 @@ static YR_ARENA_PAGE* _yr_arena_new_page(
 
 
 //
-// _yr_arena_page_for_address
+// yr_arena_page_for_address
 //
 // Returns the page within the arena where an address reside.
 //
@@ -122,7 +122,7 @@ static YR_ARENA_PAGE* _yr_arena_new_page(
 //    resides.
 //
 
-static YR_ARENA_PAGE* _yr_arena_page_for_address(
+YR_ARENA_PAGE* yr_arena_page_for_address(
     YR_ARENA* arena,
     void* address)
 {
@@ -184,7 +184,7 @@ static int _yr_arena_make_ptr_relocatable(
   // If the arena must be relocatable.
   assert(arena->flags & ARENA_FLAGS_RELOCATABLE);
 
-  page = _yr_arena_page_for_address(arena, base);
+  page = yr_arena_page_for_address(arena, base);
 
   assert(page != NULL);
 
@@ -361,7 +361,7 @@ void* yr_arena_next_address(
 {
   YR_ARENA_PAGE* page;
 
-  page = _yr_arena_page_for_address(arena, address);
+  page = yr_arena_page_for_address(arena, address);
 
   assert(page != NULL);
 
@@ -482,7 +482,7 @@ int yr_arena_coalesce(
 
     if (reloc_target != NULL)
     {
-      page = _yr_arena_page_for_address(arena, reloc_target);
+      page = yr_arena_page_for_address(arena, reloc_target);
       assert(page != NULL);
       *reloc_address = page->new_address + (reloc_target - page->address);
     }
diff --git libyara/exec.c libyara/exec.c
index a0cf138d..9f0ba8fa 100644
--- libyara/exec.c
+++ libyarexec.c
@@ -246,6 +246,10 @@ int yr_execute_code(
   start_time = yr_stopwatch_elapsed_us(&context->stopwatch);
   #endif
 
+  #if PARANOID_EXEC
+  memset(mem, 0, MEM_SIZE * sizeof(mem[0]));
+  #endif
+
   while(!stop)
   {
     opcode = *ip;
@@ -779,6 +783,13 @@ int yr_execute_code(
 
       case OP_COUNT:
         pop(r1);
+
+        #if PARANOID_EXEC
+        // Make sure that the string pointer is within the rules arena.
+        if (yr_arena_page_for_address(context->rules->arena, r1.p) == NULL)
+          return ERROR_INTERNAL_FATAL_ERROR;
+        #endif
+
         r1.i = r1.s->matches[tidx].count;
         push(r1);
         break;
diff --git libyara/include/yara/arena.h libyara/include/yara/arena.h
index 51f2d8cf..a42e594b 100644
--- libyara/include/yara/arena.h
+++ libyarinclude/yara/arena.h
@@ -101,6 +101,11 @@ void* yr_arena_base_address(
     YR_ARENA* arena);
 
 
+YR_ARENA_PAGE* yr_arena_page_for_address(
+    YR_ARENA* arena,
+    void* address);
+
+
 void* yr_arena_next_address(
     YR_ARENA* arena,
     void* address,