Merge branch 'avast:master' into master

Author: scc-tw

.github/workflows/macOS/install-deps.sh

@@ -1,4 +1,4 @@
 #!/usr/bin/bash
 
-brew install pkg-config autoconf automake libtool openssl python@3.7
-brew link --overwrite python@3.7
+brew install pkg-config autoconf automake libtool openssl python@3.10
+brew link --overwrite python@3.10

.github/workflows/retdec-ci.yml

@@ -110,7 +110,7 @@ jobs:
 
   docs-build:
     name: doxygen-build (Linux)
-    runs-on: ubuntu-18.04
+    runs-on: ubuntu-latest
 
     steps:
       # Checkouts the correct commit/branch.

src/bin2llvmir/optimizations/decoder/decoder_init.cpp

@@ -21,7 +21,6 @@ namespace bin2llvmir {
 /**
  * Initialize capstone2llvmir translator according to the architecture of
  * file to decompile.
- * @return @c True if error, @c false otherwise.
  */
 void Decoder::initTranslator()
 {

src/bin2llvmir/optimizations/idioms/idioms_abstract.cpp

@@ -44,7 +44,6 @@ bool IdiomsAbstract::findBranchDependingOn(llvm::BranchInst ** br, llvm::BasicBl
  *
  * @param val instruction value to look for
  * @param bb BasicBlock to erase instruction from
- * @return void
  */
 void IdiomsAbstract::eraseInstFromBasicBlock(llvm::Value * val, llvm::BasicBlock * bb) {
 	for (llvm::BasicBlock::iterator end = bb->end(), i = bb->begin(); i != end; ++i) {

src/config/parameters.cpp

@@ -476,7 +476,6 @@ void Parameters::fixRelativePaths(const std::string& configPath)
 
 /**
  * Returns JSON object (associative array) holding parameters information.
- * @return JSON object.
  */
 template <typename Writer>
 void Parameters::serialize(Writer& writer) const

src/cpdetect/heuristics/heuristics.cpp

@@ -585,8 +585,6 @@ bool Heuristics::parseOpen64Comment(const std::string &record)
 
 /**
  * Try to detect used compiler based on content of comment sections
- * @return @c true if used compiler was successfully detected,
- *         @c false otherwise
  */
 void Heuristics::getCommentSectionsHeuristics()
 {

src/fileformat/file_format/pe/pe_format.cpp

@@ -2160,6 +2160,10 @@ void PeFormat::loadDotnetHeaders()
 	metadataHeader->setVersion(version);
 	metadataHeader->setFlags(flags);
 
+	// Check if it is actually a .NET application, this check is important to be aligned with YARA scanning
+	if (!isDotNet())
+		return;
+
 	auto currentAddress = metadataHeaderStreamsHeader + 4;
 	for (std::uint64_t i = 0; i < streamCount; ++i)
 	{
@@ -2593,6 +2597,13 @@ void PeFormat::parseStringStream(std::uint64_t baseAddress, std::uint64_t offset
 	while (currentOffset < size)
 	{
 		std::string string;
+		std::uint64_t c = 0;
+		auto successful_read = get1Byte(address + currentOffset, c, getEndianness());
+		// If the reading fails (OOB or other) don't continue and terminate
+		if (!successful_read)
+		{
+			break;
+		}
 		getNTBS(address + currentOffset, string);
 		stringStream->addString(currentOffset, string);
 		// +1 for null-terminator

src/fileformat/types/dotnet_types/dotnet_type_reconstructor.cpp

@@ -666,6 +666,10 @@ bool DotnetTypeReconstructor::reconstructNestedClasses()
 		if (enclosingItr == defClassTable.end())
 			continue;
 
+		// Ignore self-references
+		if (nestedItr == enclosingItr)
+			continue;
+
 		const std::string& namespac = nestedItr->second->getNameSpace();
 		if (namespac.empty())
 		{

src/fileinfo/file_information/file_information.cpp

@@ -1342,7 +1342,6 @@ std::string FileInformation::getDepsListFailedToLoad() const
 
 /**
  * Sets the name of the dependency file that failed to load
- * @return Nothing
  */
 void FileInformation::setDepsListFailedToLoad(const std::string & depsList)
 {

support/yara_patterns/tools/pe/x86/packers.yara

@@ -6,12 +6,24 @@
 import "pe"
 import "dotnet"
 
+rule AppPacker_1_3_x {
+	meta:
+		tool = "P"
+		name = "AppPacker 1.3.x"
+	strings:
+		$h01 = { 3C 53 65 72 47 72 65 65 6E 3E }               // Overlay: "<SerGreen>"
+	condition:
+		pe.data_directories[0x0E].virtual_address != 0 and    // No pe.is_dotnet in retdec's YARA
+		pe.version_info["Comments"] contains "Packed portable application inside" and
+		pe.version_info["CompanyName"] contains "SerGreen" and
+		$h01 at pe.overlay.offset
+}
+
 rule blizzard_protector {
 	meta:
 		tool = "P"
-		name = "!EP"
+		name = "BlizzardProtector"
 		version = "1.0"
-		extra = "BlizzardProtector"
 	condition:
 		filesize > 5MB and
 		(pe.sections[4].name == "_RDATA" or pe.sections[5].name == "_RDATA" or pe.sections[6].name == "_RDATA" or pe.sections[7].name == "_RDATA") and
@@ -42,6 +54,23 @@ rule blizzard_protector {
 		)
 }
 
+rule cfusion_app_25
+{
+	meta:
+		tool = "P"
+		name = "Clickteam Fusion"
+		version = "2.5"
+	strings:
+		$s01 = "cf25appsync" wide               // Created mutex
+		$s02 = ".00.FusionApp" wide             // Temporary directory suffix
+		$s03 = "Mf2MainClassTh" wide            // Window class
+	condition:
+		pe.is_32bit() and
+		pe.exports("NvOptimusEnablement") and   // Causes AMD drivers to select the most optimal GPU
+		pe.exports("AmdPowerXpressRequestHighPerformance") and
+		all of them
+}
+
 rule ep_exepack_10 {
 	meta:
 		tool = "P"