fix: limit function and DLL names for exports in PE module (#443)

vojone · plusvic · web-flow · commit 63bec4dc5a70 · 2025-09-11T14:04:49.000Z
The PE parser now protects agains huge DLL and function names in PE exports.

---------

Co-authored-by: Victor M. Alvarez &lt;vmalvarez@virustotal.com&gt;
diff --git a/lib/src/modules/pe/parser.rs b/lib/src/modules/pe/parser.rs
@@ -540,6 +540,7 @@ impl<'a> PE<'a> {
     const MAX_PE_RESOURCES: usize = 65536;
     const MAX_DIR_ENTRIES: usize = 16;
     const MAX_FUNC_NAME_LENGTH: usize = 1024;
+    const MAX_DLL_NAME_LENGTH: usize = 512;
 
     fn parse_dos_header(input: &[u8]) -> IResult<&[u8], DOSHeader> {
         map(
@@ -2136,7 +2137,8 @@ impl<'a> PE<'a> {
                     })
             {
                 if let Some(name_rva) = names.get(idx) {
-                    f.name = self.str_at_rva(*name_rva);
+                    f.name =
+                        self.str_at_rva(*name_rva, Self::MAX_FUNC_NAME_LENGTH);
                 }
             }
 
@@ -2146,7 +2148,8 @@ impl<'a> PE<'a> {
             // really pointing to the function, but to a ASCII string that
             // contains the DLL and function to which this export is forwarded.
             if exports_section.contains(&f.rva) {
-                f.forward_name = self.str_at_rva(f.rva);
+                f.forward_name =
+                    self.str_at_rva(f.rva, Self::MAX_FUNC_NAME_LENGTH);
             } else {
                 f.offset = self.rva_to_offset(f.rva);
             }
@@ -2215,17 +2218,17 @@ impl<'a> PE<'a> {
         parser.parse(data).map(|(_, result)| result).ok()
     }
 
-    fn str_at_rva(&self, rva: u32) -> Option<&'a str> {
-        let dll_name = self.parse_at_rva(rva, take_till(|c| c == 0))?;
-        from_utf8(dll_name).ok()
+    fn str_at_rva(&self, rva: u32, max_len: usize) -> Option<&'a str> {
+        self.parse_at_rva(rva, take_while_m_n(0, max_len, |c| c != 0))
+            .map(|s| from_utf8(s).ok())?
     }
 
     fn dll_name_at_rva(&self, rva: u32) -> Option<&'a str> {
         // TODO: this enforces the DLL name to be valid UTF-8. Is this too
         // restrictive? YARA is using a more relaxed approach and accepts
         // every byte except the ones listed below. YARA imposes a length
         // limit of 256 bytes, though.
-        let dll_name = self.str_at_rva(rva)?;
+        let dll_name = self.str_at_rva(rva, Self::MAX_DLL_NAME_LENGTH)?;
 
         for c in dll_name.chars() {
             if c.is_ascii_control() {
