Give PeImageReader the power to read certificate entries.

chrome/common/safe_browsing/pe_image_reader_win.cc

 // Copyright 2014 The Chromium Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
 #include "chrome/common/safe_browsing/pe_image_reader_win.h"
 
+#include <wintrust.h>
+
 #include "base/logging.h"
 
 namespace safe_browsing {
 
 // A class template of traits pertaining to IMAGE_OPTIONAL_HEADER{32,64}.
 template<class HEADER_TYPE>
 struct OptionalHeaderTraits {
 };
 
 template<>
@@ skipping 132 matching lines @@
 
   const IMAGE_DEBUG_DIRECTORY& entry = entries[index];
   const uint8_t* debug_data = NULL;
   if (GetStructureAt(entry.PointerToRawData, entry.SizeOfData, &debug_data)) {
     *raw_data = debug_data;
     *raw_data_size = entry.SizeOfData;
   }
   return &entry;
 }
 
+bool PeImageReader::EnumCertificates(EnumCertificatesCallback callback,
+                                     void* context) {
+  size_t data_size = 0;
+  const uint8_t* data = GetImageData(IMAGE_DIRECTORY_ENTRY_SECURITY,
+                                     &data_size);
+  if (!data)
+    return false;  // Certificate table is out of bounds.
+  const size_t kWinCertificateSize = offsetof(WIN_CERTIFICATE, bCertificate);
+  while (data_size) {
+    const WIN_CERTIFICATE* win_certificate =
+        reinterpret_cast<const WIN_CERTIFICATE*>(data);
+    if (kWinCertificateSize > data_size ||
+        kWinCertificateSize > win_certificate->dwLength ||
+        win_certificate->dwLength > data_size) {
+      return false;
+    }
+    if (!(*callback)(win_certificate->wRevision,
+                     win_certificate->wCertificateType,
+                     &win_certificate->bCertificate[0],
+                     win_certificate->dwLength - kWinCertificateSize,
+                     context)) {
+      return false;
+    }
+    data_size -= (win_certificate->dwLength + 7) & ~0x7;

[mattm, 2015/04/01 22:49:52]

data needs to be incremented also?

[grt (UTC plus 2), 2015/04/02 02:59:36]

Yes. Nice catch.

+  }
+  return true;
+}
+
 void PeImageReader::Clear() {
   image_data_ = NULL;
   image_size_ = 0;
   validation_state_ = 0;
   optional_header_.reset();
 }
 
 bool PeImageReader::ValidateDosHeader() {
   const IMAGE_DOS_HEADER* dos_header = NULL;
   if (!GetStructureAt(0, &dos_header) ||
@@ skipping 133 matching lines @@
   }
   return NULL;
 }
 
 const uint8_t* PeImageReader::GetImageData(size_t index, size_t* data_length) {
   // Get the requested directory entry.
   const IMAGE_DATA_DIRECTORY* entry = GetDataDirectoryEntryAt(index);
   if (!entry)
     return NULL;
 
+  // The entry for the certificate table is special in that its addres is a file

[mattm, 2015/04/01 22:49:52]

address

[grt (UTC plus 2), 2015/04/02 02:59:36]

Done.

+  // pointer rather than an RVA.
+  if (index == IMAGE_DIRECTORY_ENTRY_SECURITY) {
+    // Does the data fit within the file.
+    if (entry->VirtualAddress > image_size_ ||
+        image_size_ - entry->VirtualAddress < entry->Size) {
+      return nullptr;
+    }
+    *data_length = entry->Size;
+    return image_data_ + entry->VirtualAddress;
+  }
+
   // Find the section containing the data.
   const IMAGE_SECTION_HEADER* header =
       FindSectionFromRva(entry->VirtualAddress);
   if (!header)
     return NULL;
 
   // Does the data fit within the section when mapped?
   size_t data_offset = entry->VirtualAddress - header->VirtualAddress;
   if (entry->Size > (header->Misc.VirtualSize - data_offset))
     return NULL;
 
   // Is the data entirely present on disk (if not it's zeroed out when loaded)?
   if (data_offset >= header->SizeOfRawData ||
       header->SizeOfRawData - data_offset < entry->Size) {
     return NULL;
   }
 
   *data_length = entry->Size;
   return image_data_ + header->PointerToRawData + data_offset;
 }
 
 }  // namespace safe_browsing