Skip to content

Commit

Permalink
Fix inconsistency with --fast-scan option.
Browse files Browse the repository at this point in the history
Some rules were not matching when the `--fast-scan` flag was used, but they should. It happened with rules that contained statements like `any of  <string_set> in <range>` or `any of <string_set> at <offset>`. With this type of expressions, the strings included in `<string_set>` can't be flagged with `STRING_FLAGS_SINGLE_MATCH` because we need to find all the occurrences of those strings. Finding only the first match is not enough because the condition can be true for some other occurrence of the string, but not with the first one..

With this change the flag `STRING_FLAGS_SINGLE_MATCH` is cleared for every string included in a string set. This is a radical way of fixing the issue, as the flag is cleared in other cases where this is not necessary, like in `any of <string_set>`, where finding the first occurrence of each string in the set is enough. But I don't want to add more complexity and correctness should prevail over performance.
  • Loading branch information
plusvic committed Aug 23, 2023
1 parent 8f40272 commit 4de3d57
Showing 1 changed file with 1 addition and 0 deletions.
1 change: 1 addition & 0 deletions libyara/parser.c
Original file line number Diff line number Diff line change
Expand Up @@ -216,6 +216,7 @@ int yr_parser_emit_pushes_for_strings(

string->flags |= STRING_FLAGS_REFERENCED;
string->flags &= ~STRING_FLAGS_FIXED_OFFSET;
string->flags &= ~STRING_FLAGS_SINGLE_MATCH;
matching++;
}
}
Expand Down

0 comments on commit 4de3d57

Please sign in to comment.