[Forensics-changes] [yara] 261/407: Fix issue #218

[Hilko Bengen]

This is an automated email from the git hooks/post-receive script.

bengen pushed a commit to annotated tag v3.3.0
in repository yara.

commit 161e324fb6c90274f029a1ef5ec74d7662d46b4b
Author: Victor M. Alvarez <plusvic at gmail.com>
Date:   Wed Dec 24 11:55:13 2014 +0100

    Fix issue #218
---
 libyara/parser.c     | 9 +++++++++
 yara-python/tests.py | 4 ++++
 2 files changed, 13 insertions(+)

diff --git a/libyara/parser.c b/libyara/parser.c
index e1d340a..e618fda 100644
--- a/libyara/parser.c
+++ b/libyara/parser.c
@@ -289,6 +289,15 @@ int _yr_parser_write_string(
       flags |= STRING_GFLAGS_LITERAL;
       free_literal = TRUE;
     }
+    else
+    {
+      // Non-literal strings can't be marked as fixed offset because once we
+      // find a string atom in the scanned data we don't know the offset where
+      // the string should start, as the non-literal strings can contain
+      // variable-length portions.
+
+      flags &= ~STRING_GFLAGS_FIXED_OFFSET;
+    }
   }
   else
   {
diff --git a/yara-python/tests.py b/yara-python/tests.py
index 9cc5ad7..f5e2b7a 100644
--- a/yara-python/tests.py
+++ b/yara-python/tests.py
@@ -467,6 +467,10 @@ class TestYara(unittest.TestCase):
             'rule test { strings: $a = "ssi" condition: $a at 2 and $a at 5 }',
         ], 'mississippi')
 
+        self.assertTrueRules([
+            'rule test { strings: $a = { 00 00 00 00 ?? 74 65 78 74 } condition: $a at 308}',
+        ], PE32_FILE)
+
     def testOffset(self):
 
         self.assertTrueRules([

-- 
Alioth's /usr/local/bin/git-commit-notice on /srv/git.debian.org/git/forensics/yara.git