[Forensics-changes] [yara] 111/368: Fix issue #368

Hilko Bengen bengen at moszumanska.debian.org
Sat Jul 1 10:30:18 UTC 2017



bengen pushed a commit to annotated tag v3.5.0
in repository yara.

commit 4a532176bd1c973954cf859591b3747f7f76a096
Author: Victor Manuel Alvarez <vmalvarez at virustotal.com>
Date:   Wed Nov 11 12:18:26 2015 +0100

    Fix issue #368
---
 libyara/scan.c | 43 ++++++++++++++-----------------------------
 1 file changed, 14 insertions(+), 29 deletions(-)

diff --git a/libyara/scan.c b/libyara/scan.c
index 1cb5bcf..7c2bab0 100644
--- a/libyara/scan.c
+++ b/libyara/scan.c
@@ -284,38 +284,23 @@ int _yr_scan_fast_hex_re_exec(
 
           break;
 
-        case RE_OPCODE_SPLIT_B:
-
-          // This is how the code looks like after the SPLIT:
-          //            split L3, L4    (3 bytes long)
-          //        L3: any             (1 byte long)
-          //        L4: ...
-          //
-          // The opcode following the ANY is located at ip + 4
-
-          if (sp >= MAX_FAST_HEX_RE_STACK)
-            return -4;
-
-          code_stack[sp] = ip + 4;
-          input_stack[sp] = current_input;
-          matches_stack[sp] = matches;
-          sp++;
-          ip += 3;
-
-          break;
-
         case RE_OPCODE_PUSH:
 
-          // This is how the code looks like after the PUSH:
+          // A PUSH operation indicates the begining of a code sequence 
+          // generated for a jump. (example: { 01 02 [n-m] 03 04 }) The
+          // code sequence looks like this:
           //
           //            push m-n-1        (3 bytes long)
           //        L0: split L1, L2      (3 bytes long)
           //        L1: any               (1 byte long)
           //            jnz L0            (3 bytes long)
           //        L2: pop               (1 byte long)
-          //            ...
+          //            split L3, L4      (3 bytes long)
+          //        L3: any               (1 byte long)
+          //        L4: ...
+          //                               15 bytes in total
 
-          for (i = *(uint16_t*)(ip + 1); i > 0; i--)
+          for (i = *(uint16_t*)(ip + 1) + 1; i > 0; i--)
           {
             if (flags & RE_FLAGS_BACKWARDS)
             {
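Review bot: The loop count on the changed `for` line is still read with `*(uint16_t*)(ip + 1)`, a two-byte load from an odd offset into the opcode stream, which is a misaligned access and an aliasing violation on the new line just as it was on the old one; a byte-wise copy avoids both: `uint16_t jump_len; memcpy(&jump_len, ip + 1, sizeof jump_len);` followed by `for (i = jump_len + 1; i > 0; i--)`. The rewritten comment also has a typo, `begining` should read `beginning`, and the trailing space after `code sequence ` can be dropped. The loop body and the enclosing `_yr_scan_fast_hex_re_exec` continue past this hunk.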
@@ -330,23 +315,23 @@ int _yr_scan_fast_hex_re_exec(
                 continue;
             }
 
-            // The opcode following the POP is located at ip + 11
+            // The opcode following the sequence is located at ip + 15
 
-            if ( *(ip + 11) != RE_OPCODE_LITERAL ||
-                (*(ip + 11) == RE_OPCODE_LITERAL &&
-                 *(ip + 12) == *next_input))
+            if ( *(ip + 15) != RE_OPCODE_LITERAL ||
+                (*(ip + 15) == RE_OPCODE_LITERAL &&
+                 *(ip + 16) == *next_input))
             {
               if (sp >= MAX_FAST_HEX_RE_STACK)
                 return -4;
 
-              code_stack[sp] = ip + 11;
+              code_stack[sp] = ip + 15;
               input_stack[sp] = next_input;
               matches_stack[sp] = matches + i;
               sp++;
             }
           }
 
-          ip += 11;
+          ip += 15;
           break;
 
         default:
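Review bot: The sequence length 15 is now spelled out in five places (the comment in the previous hunk, both `*(ip + 15)` checks, the `code_stack[sp] = ip + 15` push and `ip += 15`), which is the same duplication that let the old 11 drift out of step with the code the compiler actually emits once SPLIT_B was folded into the PUSH sequence; one `enum { RE_FAST_HEX_PUSH_SEQ_LEN = 15 };` (a proposed name) used at each site, with `*(ip + RE_FAST_HEX_PUSH_SEQ_LEN + 1)` for the literal byte, keeps the next fix to one line. The condition `*(ip + 15) != RE_OPCODE_LITERAL || (*(ip + 15) == RE_OPCODE_LITERAL && *(ip + 16) == *next_input)` is equivalent to `*(ip + 15) != RE_OPCODE_LITERAL || *(ip + 16) == *next_input`, since the second disjunct is only reached when the first is false. Whether `ip + 16` is guaranteed to lie inside the compiled code buffer is not visible here; it presumably holds because the compiler always emits a following opcode, but a comment stating that invariant at the check would help. The enclosing `for` loop starts in the previous hunk and the function continues past `default:`.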
