From c009195c1e08da559600be94a78a14c2beb06d6b Mon Sep 17 00:00:00 2001
From: "Victor M. Alvarez"
Date: Fri, 8 Mar 2024 12:28:57 +0100
Subject: [PATCH] Apply stricter sanity checks while parsing PE resources.

Corrupted file `c10a733e4899dbd03d537d7832efa71016f618e9fd1bffa35b8265df359a91f8` was producing tons of invalid resource entries.
---
 libyara/modules/pe/pe.c | 7 ++++---
 1 file changed, 4 insertions(+), 3 deletions(-)

diff --git a/libyara/modules/pe/pe.c b/libyara/modules/pe/pe.c
index dd5c424832..457b03422c 100644
--- a/libyara/modules/pe/pe.c
+++ b/libyara/modules/pe/pe.c
@@ -451,11 +451,12 @@ static int _pe_iterate_resources(
 entry = (PIMAGE_RESOURCE_DIRECTORY_ENTRY) (resource_dir + 1);
+ if (!fits_in_pe(
+ pe, entry, total_entries * sizeof(IMAGE_RESOURCE_DIRECTORY_ENTRY)))
+ return result;
+
 for (i = 0; i < total_entries; i++)
 {
- if (!struct_fits_in_pe(pe, entry, IMAGE_RESOURCE_DIRECTORY_ENTRY))
- break;
-
 switch (rsrc_tree_level)
 {
 case 0:
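Review bot: The up-front `fits_in_pe` check before the `for` loop makes the entry table all-or-nothing: the removed per-entry `struct_fits_in_pe` test stopped at the first entry that did not fit, so the entries ahead of it were still visited, whereas the new check returns before the loop and a truncated file now yields no resources from this directory. If that is intended, a comment above the check would record it, for example `// Reject the whole directory when its entry table does not fit in the file; a partly mapped table is treated as corrupt.` Rules that read `pe.resources` on truncated samples may match differently after this change (inferred, the callers are not in the hunk), and the diffstat shows only pe.c touched, so a regression test built on the corrupted sample named in the commit message would pin the new behaviour. `total_entries` is declared outside the hunk; a short note on its maximum value would show that the multiplication by `sizeof(IMAGE_RESOURCE_DIRECTORY_ENTRY)` cannot wrap. The body of `_pe_iterate_resources` starts and ends outside the hunk.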