[Forensics-changes] [yara] 111/368: Fix issue #368
Hilko Bengen
bengen at moszumanska.debian.org
Sat Jul 1 10:30:18 UTC 2017
This is an automated email from the git hooks/post-receive script.
bengen pushed a commit to annotated tag v3.5.0
in repository yara.
commit 4a532176bd1c973954cf859591b3747f7f76a096
Author: Victor Manuel Alvarez <vmalvarez at virustotal.com>
Date: Wed Nov 11 12:18:26 2015 +0100
Fix issue #368
---
libyara/scan.c | 43 ++++++++++++++-----------------------------
1 file changed, 14 insertions(+), 29 deletions(-)
diff --git a/libyara/scan.c b/libyara/scan.c
index 1cb5bcf..7c2bab0 100644
--- a/libyara/scan.c
+++ b/libyara/scan.c
@@ -284,38 +284,23 @@ int _yr_scan_fast_hex_re_exec(
break;
- case RE_OPCODE_SPLIT_B:
-
- // This is how the code looks like after the SPLIT:
- // split L3, L4 (3 bytes long)
- // L3: any (1 byte long)
- // L4: ...
- //
- // The opcode following the ANY is located at ip + 4
-
- if (sp >= MAX_FAST_HEX_RE_STACK)
- return -4;
-
- code_stack[sp] = ip + 4;
- input_stack[sp] = current_input;
- matches_stack[sp] = matches;
- sp++;
- ip += 3;
-
- break;
-
case RE_OPCODE_PUSH:
- // This is how the code looks like after the PUSH:
+ // A PUSH operation indicates the begining of a code sequence
+ // generated for a jump. (example: { 01 02 [n-m] 03 04 }) The
+ // code sequence looks like this:
//
// push m-n-1 (3 bytes long)
// L0: split L1, L2 (3 bytes long)
// L1: any (1 byte long)
// jnz L0 (3 bytes long)
// L2: pop (1 byte long)
- // ...
+ // split L3, L4 (3 bytes long)
+ // L3: any (1 byte long)
+ // L4: ...
+ // 15 bytes in total
- for (i = *(uint16_t*)(ip + 1); i > 0; i--)
+ for (i = *(uint16_t*)(ip + 1) + 1; i > 0; i--)
{
if (flags & RE_FLAGS_BACKWARDS)
{
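Review bot: The loop bound on the added `for` line reads the PUSH operand with `*(uint16_t*)(ip + 1)`, which is an unaligned, type-punned load if `ip` is a byte pointer into the compiled code (its declaration is outside the hunk). On strict-alignment targets that can fault, and it is formally undefined behaviour. Copying the operand out first avoids both: `uint16_t count; memcpy(&count, ip + 1, sizeof count);` followed by `for (i = count + 1; i > 0; i--)`. The new `+ 1` is also unexplained, since the comment still says `push m-n-1`; if the intent is what it appears to be, a line such as `// (m-n-1)+1 iterations: the trailing split/any pair is handled here as one more optional byte` would help. The function body starts and ends outside this hunk.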
@@ -330,23 +315,23 @@ int _yr_scan_fast_hex_re_exec(
continue;
}
- // The opcode following the POP is located at ip + 11
+ // The opcode following the sequence is located at ip + 15
- if ( *(ip + 11) != RE_OPCODE_LITERAL ||
- (*(ip + 11) == RE_OPCODE_LITERAL &&
- *(ip + 12) == *next_input))
+ if ( *(ip + 15) != RE_OPCODE_LITERAL ||
+ (*(ip + 15) == RE_OPCODE_LITERAL &&
+ *(ip + 16) == *next_input))
{
if (sp >= MAX_FAST_HEX_RE_STACK)
return -4;
- code_stack[sp] = ip + 11;
+ code_stack[sp] = ip + 15;
input_stack[sp] = next_input;
matches_stack[sp] = matches + i;
sp++;
}
}
- ip += 11;
+ ip += 15;
break;
default:
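Review bot: The reads at `*(ip + 15)` and `*(ip + 16)` trust that every PUSH is followed by exactly the 15-byte sequence described in the comment, and nothing visible here confirms that layout or that those offsets are still inside the code buffer. If a PUSH ever appears in another shape, for instance from a different emitter path or a malformed compiled rule, the interpreter would treat an unrelated byte as the next opcode and push it onto `code_stack`. I would name the length once, e.g. `#define FAST_HEX_JUMP_SEQ_LEN 15` (name constructed for this note), and check the expected shape before using it; the removed case suggests the second split is `RE_OPCODE_SPLIT_B`, so `assert(*(ip + 11) == RE_OPCODE_SPLIT_B);` at the top of the case would catch a mismatch. As a style point, the condition reduces to `*(ip + 15) != RE_OPCODE_LITERAL || *(ip + 16) == *next_input`. The enclosing loop and switch begin outside this hunk.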
--
Alioth's /usr/local/bin/git-commit-notice on /srv/git.debian.org/git/forensics/yara.git