From 3f5b4c73d942ed88165647aaa97658d43098de8a Mon Sep 17 00:00:00 2001 From: "Victor M. Alvarez" Date: Wed, 29 May 2024 12:15:44 +0200 Subject: [PATCH] Limit resource names to 1000 character at most. Fixes high memory usage with corrupt files like bd15a7227770d89546e0a16e4c8da45937d970baa810827a7ceb17abd3138fec. --- libyara/modules/pe/pe.c | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/libyara/modules/pe/pe.c b/libyara/modules/pe/pe.c index b30c6f01d4..3540a92f4e 100644 --- a/libyara/modules/pe/pe.c +++ b/libyara/modules/pe/pe.c @@ -380,7 +380,6 @@ static void pe_parse_debug_directory(PE* pe) // Return a pointer to the resource directory string or NULL. // The callback function will parse this and call yr_set_sized_string(). // The pointer is guaranteed to have enough space to contain the entire string. - static const PIMAGE_RESOURCE_DIR_STRING_U parse_resource_name( PE* pe, const uint8_t* rsrc_data, @@ -397,10 +396,13 @@ static const PIMAGE_RESOURCE_DIR_STRING_U parse_resource_name( // A resource directory string is 2 bytes for the length and then a variable // length Unicode string. Make sure we have at least 2 bytes. - if (!fits_in_pe(pe, pNameString, 2)) return NULL; + // Sanity check for strings that are excesively large. + if (pNameString->Length > 1000) + return NULL; + // Move past the length and make sure we have enough bytes for the string. if (!fits_in_pe( pe,
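Review bot: The new bound in the second hunk, `if (pNameString->Length > 1000)`, uses a bare literal, and its comment says neither what unit is capped nor what happens to a resource whose name is rejected. The comment just above describes the field as a 2-byte length followed by a Unicode string, so the cap is presumably 1000 UTF-16 code units (about 2000 bytes), not bytes. I would give it a name, for example `#define MAX_RESOURCE_NAME_LENGTH 1000` (suggested name), and reword the comment to `// Reject names longer than MAX_RESOURCE_NAME_LENGTH UTF-16 code units; corrupt files can declare huge lengths.`, which also removes the "excesively" typo. Returning NULL here looks the same to the caller as the truncated-file case, so rules that match on resource names will presumably never see an over-long name; the header comment, which promises only "the resource directory string or NULL", should say so. The function body starts and ends outside the hunk, so how the caller handles NULL cannot be confirmed from here.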