[Forensics-changes] [yara] 135/415: Fix issue 44
Hilko Bengen
bengen at moszumanska.debian.org
Thu Apr 3 05:42:55 UTC 2014
This is an automated email from the git hooks/post-receive script.
bengen pushed a commit to branch debian
in repository yara.
commit 502916b09a0868726e93187a0ecd24b28890b702
Author: Victor M. Alvarez <plusvic at gmail.com>
Date: Tue May 22 12:01:53 2012 +0000
Fix issue 44
---
libyara/scan.c | 958 +++++++++++++++++++++++++++++----------------------------
1 file changed, 480 insertions(+), 478 deletions(-)
diff --git a/libyara/scan.c b/libyara/scan.c
index 099fb10..f0ad915 100644
--- a/libyara/scan.c
+++ b/libyara/scan.c
@@ -58,68 +58,68 @@ static char sranges[2] = {0x61, 0x7a};
int inline compare(char* str1, char* str2, int len)
{
- __m128i s1, s2;
+ __m128i s1, s2;
- int c, result = 0;
+ int c, result = 0;
- do {
+ do {
- s1 = _mm_lddqu_si128((const __m128i*) str1);
- s2 = _mm_lddqu_si128((const __m128i*) str2);
+ s1 = _mm_lddqu_si128((const __m128i*) str1);
+ s2 = _mm_lddqu_si128((const __m128i*) str2);
- c = _mm_cmpestri(s1, len - result, s2, 16, _SIDD_CMP_EQUAL_EACH | _SIDD_MASKED_NEGATIVE_POLARITY);
+ c = _mm_cmpestri(s1, len - result, s2, 16, _SIDD_CMP_EQUAL_EACH | _SIDD_MASKED_NEGATIVE_POLARITY);
- str1 += 16;
- str2 += 16;
+ str1 += 16;
+ str2 += 16;
- result += c;
+ result += c;
- } while(c == 16);
-
- return ((result==len) ? result : 0);
+ } while(c == 16);
+
+ return ((result==len) ? result : 0);
}
int inline icompare(char* str1, char* str2, int len)
{
- __m128i s1, s2, ranges, zeroes, deltas, mask;
+ __m128i s1, s2, ranges, zeroes, deltas, mask;
- int c, result = 0;
+ int c, result = 0;
- ranges = _mm_loadu_si128((const __m128i*) sranges);
- deltas = _mm_loadu_si128((const __m128i*) sdeltas);
- zeroes = _mm_loadu_si128((const __m128i*) szeroes);
+ ranges = _mm_loadu_si128((const __m128i*) sranges);
+ deltas = _mm_loadu_si128((const __m128i*) sdeltas);
+ zeroes = _mm_loadu_si128((const __m128i*) szeroes);
- do {
+ do {
- s1 = _mm_lddqu_si128((const __m128i*) str1);
- s2 = _mm_lddqu_si128((const __m128i*) str2);
+ s1 = _mm_lddqu_si128((const __m128i*) str1);
+ s2 = _mm_lddqu_si128((const __m128i*) str2);
- // producing mask, 0xFF for lowercases, 0x00 for the rest
- mask = _mm_cmpestrm(ranges, 2, s1, len - result, _SIDD_CMP_RANGES | _SIDD_UNIT_MASK);
+ // producing mask, 0xFF for lowercases, 0x00 for the rest
+ mask = _mm_cmpestrm(ranges, 2, s1, len - result, _SIDD_CMP_RANGES | _SIDD_UNIT_MASK);
- // producing mask, 0x20 for lowercases, 0x00 for the rest
- mask = _mm_blendv_epi8(zeroes, deltas, mask);
+ // producing mask, 0x20 for lowercases, 0x00 for the rest
+ mask = _mm_blendv_epi8(zeroes, deltas, mask);
- s1 = _mm_sub_epi8(s1, mask);
+ s1 = _mm_sub_epi8(s1, mask);
- // producing mask, 0xFF for lowercases, 0x00 for the rest
- mask = _mm_cmpestrm(ranges, 2, s2, 16, _SIDD_CMP_RANGES | _SIDD_UNIT_MASK);
+ // producing mask, 0xFF for lowercases, 0x00 for the rest
+ mask = _mm_cmpestrm(ranges, 2, s2, 16, _SIDD_CMP_RANGES | _SIDD_UNIT_MASK);
- // producing mask, 0x20 for lowercases, 0x00 for the rest
- mask = _mm_blendv_epi8(zeroes, deltas, mask);
+ // producing mask, 0x20 for lowercases, 0x00 for the rest
+ mask = _mm_blendv_epi8(zeroes, deltas, mask);
- s2 = _mm_sub_epi8(s2, mask);
+ s2 = _mm_sub_epi8(s2, mask);
- c = _mm_cmpestri(s1, len - result, s2, 16, _SIDD_CMP_EQUAL_EACH | _SIDD_MASKED_NEGATIVE_POLARITY);
+ c = _mm_cmpestri(s1, len - result, s2, 16, _SIDD_CMP_EQUAL_EACH | _SIDD_MASKED_NEGATIVE_POLARITY);
- str1 += 16;
- str2 += 16;
+ str1 += 16;
+ str2 += 16;
- result += c;
+ result += c;
- } while(c == 16);
-
- return ((result==len) ? result : 0);
+ } while(c == 16);
+
+ return ((result==len) ? result : 0);
}
@@ -127,30 +127,30 @@ int inline icompare(char* str1, char* str2, int len)
inline int compare(char* str1, char* str2, int len)
{
- char* s1 = str1;
- char* s2 = str2;
- int i = 0;
-
- while (i < len && *s1++ == *s2++)
- {
- i++;
+ char* s1 = str1;
+ char* s2 = str2;
+ int i = 0;
+
+ while (i < len && *s1++ == *s2++)
+ {
+ i++;
}
- return ((i==len) ? i : 0);
+ return ((i==len) ? i : 0);
}
inline int icompare(char* str1, char* str2, int len)
{
- char* s1 = str1;
- char* s2 = str2;
- int i = 0;
-
- while (i < len && lowercase[*s1++] == lowercase[*s2++])
- {
- i++;
+ char* s1 = str1;
+ char* s2 = str2;
+ int i = 0;
+
+ while (i < len && lowercase[*s1++] == lowercase[*s2++])
+ {
+ i++;
}
-
- return ((i==len) ? i : 0);
+
+ return ((i==len) ? i : 0);
}
#endif
@@ -160,106 +160,105 @@ inline int icompare(char* str1, char* str2, int len)
inline int wcompare(char* str1, char* str2, int len)
{
- char* s1 = str1;
- char* s2 = str2;
- int i = 0;
-
- while (i < len && *s1 == *s2)
- {
- s1++;
- s2+=2;
- i++;
- }
-
- return ((i==len) ? i * 2 : 0);
+ char* s1 = str1;
+ char* s2 = str2;
+ int i = 0;
+
+ while (i < len && *s1 == *s2)
+ {
+ s1++;
+ s2+=2;
+ i++;
+ }
+
+ return ((i==len) ? i * 2 : 0);
}
inline int wicompare(char* str1, char* str2, int len)
{
- char* s1 = str1;
- char* s2 = str2;
- int i = 0;
-
- while (i < len && lowercase[*s1] == lowercase[*s2])
- {
- s1++;
- s2+=2;
- i++;
- }
-
- return ((i==len) ? i * 2 : 0);
+ char* s1 = str1;
+ char* s2 = str2;
+ int i = 0;
+
+ while (i < len && lowercase[*s1] == lowercase[*s2])
+ {
+ s1++;
+ s2+=2;
+ i++;
+ }
+
+ return ((i==len) ? i * 2 : 0);
}
-#define MIN(x,y) ((x<y)?(x):(y))
int hex_match(unsigned char* buffer, size_t buffer_size, unsigned char* pattern, int pattern_length, unsigned char* mask)
{
- size_t b,p,m;
- unsigned char distance;
- unsigned char delta;
+ size_t b,p,m;
+ unsigned char distance;
+ unsigned char delta;
int match;
int match_length;
int longest_match;
- int matches;
+ int matches;
int i, tmp, tmp_b;
-
- b = 0;
- p = 0;
- m = 0;
-
- matches = 0;
-
- while (b < (size_t) buffer_size && p < (size_t) pattern_length)
- {
- if (mask[m] == MASK_EXACT_SKIP)
- {
- m++;
- distance = mask[m++];
- b += distance;
- matches += distance;
- }
- else if (mask[m] == MASK_RANGE_SKIP)
- {
- m++;
- distance = mask[m++];
- delta = mask[m++] - distance;
- b += distance;
- matches += distance;
-
+
+ b = 0;
+ p = 0;
+ m = 0;
+
+ matches = 0;
+
+ while (b < (size_t) buffer_size && p < (size_t) pattern_length)
+ {
+ if (mask[m] == MASK_EXACT_SKIP)
+ {
+ m++;
+ distance = mask[m++];
+ b += distance;
+ matches += distance;
+ }
+ else if (mask[m] == MASK_RANGE_SKIP)
+ {
+ m++;
+ distance = mask[m++];
+ delta = mask[m++] - distance;
+ b += distance;
+ matches += distance;
+
i = 0;
while (i <= delta && b + i < buffer_size)
{
if ((buffer[b + i] & mask[m]) == pattern[p] || mask[m] == MASK_OR)
{
- tmp = hex_match(buffer + b + i, buffer_size - b - i, pattern + p, pattern_length - p, mask + m);
- }
- else
- {
+ tmp = hex_match(buffer + b + i, buffer_size - b - i, pattern + p, pattern_length - p, mask + m);
+ }
+ else
+ {
tmp = 0;
- }
-
- if (tmp > 0)
- return b + i + tmp;
-
+ }
+
+ if (tmp > 0)
+ return b + i + tmp;
+
i++;
}
-
- break;
- }
- else if (mask[m] == MASK_OR)
- {
+
+ break;
+ }
+ else if (mask[m] == MASK_OR)
+ {
longest_match = 0;
-
- while (mask[m] != MASK_OR_END)
- {
+
+ while (mask[m] != MASK_OR_END)
+ {
tmp_b = b;
match = TRUE;
match_length = 0;
m++;
-
- while (mask[m] != MASK_OR && mask[m] != MASK_OR_END)
+
+ while (mask[m] != MASK_OR && mask[m] != MASK_OR_END)
{
if ((buffer[tmp_b] & mask[m]) != pattern[p])
{
@@ -275,17 +274,17 @@ int hex_match(unsigned char* buffer, size_t buffer_size, unsigned char* pattern,
m++;
p++;
}
-
- if (match && match_length > longest_match)
- {
+
+ if (match && match_length > longest_match)
+ {
longest_match = match_length;
- }
- }
-
+ }
+ }
+
m++;
-
- if (longest_match > 0)
- {
+
+ if (longest_match > 0)
+ {
b += longest_match;
matches += longest_match;
}
@@ -295,54 +294,54 @@ int hex_match(unsigned char* buffer, size_t buffer_size, unsigned char* pattern,
break;
}
- }
- else if ((buffer[b] & mask[m]) == pattern[p])
- {
- b++;
- m++;
- p++;
- matches++;
- }
- else /* do not match */
- {
- matches = 0;
- break;
- }
- }
-
- if (p < (size_t) pattern_length) /* did not reach the end of pattern because buffer was too small */
- {
- matches = 0;
- }
-
- return matches;
+ }
+ else if ((buffer[b] & mask[m]) == pattern[p])
+ {
+ b++;
+ m++;
+ p++;
+ matches++;
+ }
+ else /* do not match */
+ {
+ matches = 0;
+ break;
+ }
+ }
+
+ if (p < (size_t) pattern_length) /* did not reach the end of pattern because buffer was too small */
+ {
+ matches = 0;
+ }
+
+ return matches;
}
int regexp_match(unsigned char* buffer, size_t buffer_size, unsigned char* pattern, int pattern_length, REGEXP re, int file_beginning)
{
- int result = 0;
-
- // if we are not at the beginning of the file, and
- // the pattern begins with ^, the string doesn't match
- if (file_beginning && pattern[0] == '^')
- {
- return 0;
- }
+ int result = 0;
+
+ // if we are not at the beginning of the file, and
+ // the pattern begins with ^, the string doesn't match
+ if (file_beginning && pattern[0] == '^')
+ {
+ return 0;
+ }
result = regex_exec(&re, TRUE, (char *)buffer, buffer_size);
if (result >= 0)
return result;
- else
- return 0;
+ else
+ return 0;
}
int populate_hash_table(HASH_TABLE* hash_table, RULE_LIST* rule_list)
{
- RULE* rule;
- STRING* string;
- STRING_LIST_ENTRY* entry;
-
+ RULE* rule;
+ STRING* string;
+ STRING_LIST_ENTRY* entry;
+
unsigned char first[256];
unsigned char second[2];
@@ -350,7 +349,7 @@ int populate_hash_table(HASH_TABLE* hash_table, RULE_LIST* rule_list)
unsigned char s;
int fcount;
- int scount;
+ int scount;
int i, j;
@@ -388,26 +387,25 @@ int populate_hash_table(HASH_TABLE* hash_table, RULE_LIST* rule_list)
isregexescapable['$'] = 1;
isregexescapable['|'] = 1;
isregexescapable['\\'] = 1;
-
- rule = rule_list->head;
-
- while (rule != NULL)
- {
- string = rule->string_list_head;
-
- while (string != NULL)
- {
+
+ rule = rule_list->head;
+
+ while (rule != NULL)
+ {
+ string = rule->string_list_head;
+
+ while (string != NULL)
+ {
fcount = 0;
scount = 0;
f = 0;
s = 0;
-
-
+
if (string->flags & STRING_FLAGS_REGEXP)
- {
+ {
int pos = 0;
- if (string->string[0] == '^')
+ if (string->string[0] == '^')
{
pos++;
}
@@ -455,27 +453,27 @@ int populate_hash_table(HASH_TABLE* hash_table, RULE_LIST* rule_list)
}
// If f is set then it can be used in hashtable
- if (f)
- {
- first[fcount++] = f;
-
- if (string->flags & STRING_FLAGS_NO_CASE)
+ if (f)
+ {
+ first[fcount++] = f;
+
+ if (string->flags & STRING_FLAGS_NO_CASE)
first[fcount++] = altercase[f];
-
- if (s)
- {
- second[scount++] = s;
-
- if (string->flags & STRING_FLAGS_NO_CASE)
+
+ if (s)
+ {
+ second[scount++] = s;
+
+ if (string->flags & STRING_FLAGS_NO_CASE)
second[scount++] = altercase[s];
- }
- }
-
- if (fcount == 0)
- {
+ }
+ }
+
+ if (fcount == 0)
+ {
fcount += regex_get_first_bytes(&(string->re), first);
- }
-
+ }
+
}
else if (string->flags & STRING_FLAGS_HEXADECIMAL)
{
@@ -488,12 +486,16 @@ int populate_hash_table(HASH_TABLE* hash_table, RULE_LIST* rule_list)
else
{
first[fcount++] = string->string[0];
- second[scount++] = string->string[1];
+
+ if (string->length > 1)
+ second[scount++] = string->string[1];
if (string->flags & STRING_FLAGS_NO_CASE)
{
first[fcount++] = altercase[string->string[0]];
- second[scount++] = altercase[string->string[1]];
+
+ if (string->length > 1)
+ second[scount++] = altercase[string->string[1]];
}
}
@@ -503,12 +505,12 @@ int populate_hash_table(HASH_TABLE* hash_table, RULE_LIST* rule_list)
{
entry = (STRING_LIST_ENTRY*) yr_malloc(sizeof(STRING_LIST_ENTRY));
- if (entry == NULL)
+ if (entry == NULL)
return ERROR_INSUFICIENT_MEMORY;
entry->next = hash_table->hashed_strings_2b[first[i]][second[j]];
- entry->string = string;
- hash_table->hashed_strings_2b[first[i]][second[j]] = entry;
+ entry->string = string;
+ hash_table->hashed_strings_2b[first[i]][second[j]] = entry;
}
@@ -516,12 +518,12 @@ int populate_hash_table(HASH_TABLE* hash_table, RULE_LIST* rule_list)
{
entry = (STRING_LIST_ENTRY*) yr_malloc(sizeof(STRING_LIST_ENTRY));
- if (entry == NULL)
- return ERROR_INSUFICIENT_MEMORY;
+ if (entry == NULL)
+ return ERROR_INSUFICIENT_MEMORY;
- entry->next = hash_table->hashed_strings_1b[first[i]];
- entry->string = string;
- hash_table->hashed_strings_1b[first[i]] = entry;
+ entry->next = hash_table->hashed_strings_1b[first[i]];
+ entry->string = string;
+ hash_table->hashed_strings_1b[first[i]] = entry;
}
}
@@ -529,7 +531,7 @@ int populate_hash_table(HASH_TABLE* hash_table, RULE_LIST* rule_list)
{
entry = (STRING_LIST_ENTRY*) yr_malloc(sizeof(STRING_LIST_ENTRY));
- if (entry == NULL)
+ if (entry == NULL)
return ERROR_INSUFICIENT_MEMORY;
entry->next = hash_table->non_hashed_strings;
@@ -537,133 +539,133 @@ int populate_hash_table(HASH_TABLE* hash_table, RULE_LIST* rule_list)
hash_table->non_hashed_strings = entry;
}
- string = string->next;
- }
-
- rule = rule->next;
- }
-
+ string = string->next;
+ }
+
+ rule = rule->next;
+ }
+
hash_table->populated = TRUE;
-
- return ERROR_SUCCESS;
+
+ return ERROR_SUCCESS;
}
void clear_hash_table(HASH_TABLE* hash_table)
{
- int i,j;
-
- STRING_LIST_ENTRY* next_entry;
- STRING_LIST_ENTRY* entry;
-
- for (i = 0; i < 256; i++)
- {
- entry = hash_table->hashed_strings_1b[i];
-
- while (entry != NULL)
- {
- next_entry = entry->next;
- yr_free(entry);
- entry = next_entry;
- }
-
- hash_table->hashed_strings_1b[i] = NULL;
-
- for (j = 0; j < 256; j++)
- {
- entry = hash_table->hashed_strings_2b[i][j];
-
- while (entry != NULL)
- {
- next_entry = entry->next;
- yr_free(entry);
- entry = next_entry;
- }
-
- hash_table->hashed_strings_2b[i][j] = NULL;
- }
- }
-
+ int i,j;
+
+ STRING_LIST_ENTRY* next_entry;
+ STRING_LIST_ENTRY* entry;
+
+ for (i = 0; i < 256; i++)
+ {
+ entry = hash_table->hashed_strings_1b[i];
+
+ while (entry != NULL)
+ {
+ next_entry = entry->next;
+ yr_free(entry);
+ entry = next_entry;
+ }
+
+ hash_table->hashed_strings_1b[i] = NULL;
+
+ for (j = 0; j < 256; j++)
+ {
+ entry = hash_table->hashed_strings_2b[i][j];
+
+ while (entry != NULL)
+ {
+ next_entry = entry->next;
+ yr_free(entry);
+ entry = next_entry;
+ }
+
+ hash_table->hashed_strings_2b[i][j] = NULL;
+ }
+ }
+
entry = hash_table->non_hashed_strings;
while (entry != NULL)
- {
- next_entry = entry->next;
- yr_free(entry);
- entry = next_entry;
- }
-
+ {
+ next_entry = entry->next;
+ yr_free(entry);
+ entry = next_entry;
+ }
+
hash_table->non_hashed_strings = NULL;
}
void clear_marks(RULE_LIST* rule_list)
{
- RULE* rule;
- STRING* string;
- MATCH* match;
- MATCH* next_match;
-
- rule = rule_list->head;
-
- while (rule != NULL)
- {
- rule->flags &= ~RULE_FLAGS_MATCH;
- string = rule->string_list_head;
-
- while (string != NULL)
- {
- string->flags &= ~STRING_FLAGS_FOUND; /* clear found mark */
-
- match = string->matches_head;
-
- while (match != NULL)
- {
- next_match = match->next;
- yr_free(match);
- match = next_match;
- }
-
- string->matches_head = NULL;
+ RULE* rule;
+ STRING* string;
+ MATCH* match;
+ MATCH* next_match;
+
+ rule = rule_list->head;
+
+ while (rule != NULL)
+ {
+ rule->flags &= ~RULE_FLAGS_MATCH;
+ string = rule->string_list_head;
+
+ while (string != NULL)
+ {
+ string->flags &= ~STRING_FLAGS_FOUND; /* clear found mark */
+
+ match = string->matches_head;
+
+ while (match != NULL)
+ {
+ next_match = match->next;
+ yr_free(match);
+ match = next_match;
+ }
+
+ string->matches_head = NULL;
string->matches_tail = NULL;
- string = string->next;
- }
-
- rule = rule->next;
- }
+ string = string->next;
+ }
+
+ rule = rule->next;
+ }
}
inline int string_match(unsigned char* buffer, size_t buffer_size, STRING* string, int flags, int negative_size)
{
- int match;
- int i, len;
- int is_wide_char;
-
- unsigned char tmp_buffer[512];
- unsigned char* tmp;
-
- if (IS_HEX(string))
- {
- return hex_match(buffer, buffer_size, string->string, string->length, string->mask);
- }
- else if (IS_REGEXP(string))
- {
- if (IS_WIDE(string))
- {
- i = 0;
-
- while( i < buffer_size - 1 &&
- buffer[i] >= 32 && // buffer[i] is a ...
- buffer[i] <= 126 && // ... printable character
- buffer[i + 1] == 0)
- {
- i += 2;
- }
-
- len = i/2;
-
- if (len > sizeof(tmp_buffer))
- {
- tmp = yr_malloc(len);
+ int match;
+ int i, len;
+ int is_wide_char;
+
+ unsigned char tmp_buffer[512];
+ unsigned char* tmp;
+
+ if (IS_HEX(string))
+ {
+ return hex_match(buffer, buffer_size, string->string, string->length, string->mask);
+ }
+ else if (IS_REGEXP(string))
+ {
+ if (IS_WIDE(string))
+ {
+ i = 0;
+
+ while( i < buffer_size - 1 &&
+ buffer[i] >= 32 && // buffer[i] is a ...
+ buffer[i] <= 126 && // ... printable character
+ buffer[i + 1] == 0)
+ {
+ i += 2;
+ }
+
+ len = i/2;
+
+ if (len > sizeof(tmp_buffer))
+ {
+ tmp = yr_malloc(len);
}
else
{
@@ -671,97 +673,97 @@ inline int string_match(unsigned char* buffer, size_t buffer_size, STRING* strin
}
i = 0;
-
- if (tmp != NULL)
- {
- while(i < len)
- {
- tmp[i] = buffer[i*2];
- i++;
- }
-
- match = regexp_match(tmp, len, string->string, string->length, string->re, (negative_size > 2));
-
- if (len > sizeof(tmp_buffer))
- {
- yr_free(tmp);
- }
-
- return match * 2;
- }
-
- }
- else
- {
- return regexp_match(buffer, buffer_size, string->string, string->length, string->re, negative_size);
- }
- }
-
- if ((flags & STRING_FLAGS_WIDE) && IS_WIDE(string) && string->length * 2 <= buffer_size)
- {
- if(IS_NO_CASE(string))
- {
- match = wicompare((char*) string->string, (char*) buffer, string->length);
- }
- else
- {
- match = wcompare((char*) string->string, (char*) buffer, string->length);
- }
-
- if (match > 0 && IS_FULL_WORD(string))
- {
- if (negative_size >= 2)
- {
- is_wide_char = (buffer[-1] == 0 && isalphanum[(char) (buffer[-2])]);
-
- if (is_wide_char)
- {
- match = 0;
- }
- }
-
- if (string->length * 2 < buffer_size - 1)
- {
- is_wide_char = (isalphanum[(char) (buffer[string->length * 2])] && buffer[string->length * 2 + 1] == 0);
-
- if (is_wide_char)
- {
- match = 0;
- }
- }
- }
-
- if (match > 0)
+
+ if (tmp != NULL)
+ {
+ while(i < len)
+ {
+ tmp[i] = buffer[i*2];
+ i++;
+ }
+
+ match = regexp_match(tmp, len, string->string, string->length, string->re, (negative_size > 2));
+
+ if (len > sizeof(tmp_buffer))
+ {
+ yr_free(tmp);
+ }
+
+ return match * 2;
+ }
+
+ }
+ else
+ {
+ return regexp_match(buffer, buffer_size, string->string, string->length, string->re, negative_size);
+ }
+ }
+
+ if ((flags & STRING_FLAGS_WIDE) && IS_WIDE(string) && string->length * 2 <= buffer_size)
+ {
+ if(IS_NO_CASE(string))
+ {
+ match = wicompare((char*) string->string, (char*) buffer, string->length);
+ }
+ else
+ {
+ match = wcompare((char*) string->string, (char*) buffer, string->length);
+ }
+
+ if (match > 0 && IS_FULL_WORD(string))
+ {
+ if (negative_size >= 2)
+ {
+ is_wide_char = (buffer[-1] == 0 && isalphanum[(char) (buffer[-2])]);
+
+ if (is_wide_char)
+ {
+ match = 0;
+ }
+ }
+
+ if (string->length * 2 < buffer_size - 1)
+ {
+ is_wide_char = (isalphanum[(char) (buffer[string->length * 2])] && buffer[string->length * 2 + 1] == 0);
+
+ if (is_wide_char)
+ {
+ match = 0;
+ }
+ }
+ }
+
+ if (match > 0)
return match;
- }
-
- if ((flags & STRING_FLAGS_ASCII) && IS_ASCII(string) && string->length <= buffer_size)
- {
- if(IS_NO_CASE(string))
- {
- match = icompare((char*) string->string, (char*) buffer, string->length);
- }
- else
- {
- match = compare((char*) string->string, (char*) buffer, string->length);
- }
-
- if (match > 0 && IS_FULL_WORD(string))
- {
- if (negative_size >= 1 && isalphanum[(char) (buffer[-1])])
- {
- match = 0;
- }
- else if (string->length < buffer_size && isalphanum[(char) (buffer[string->length])])
- {
- match = 0;
- }
- }
-
- return match;
- }
-
- return 0;
+ }
+
+ if ((flags & STRING_FLAGS_ASCII) && IS_ASCII(string) && string->length <= buffer_size)
+ {
+ if(IS_NO_CASE(string))
+ {
+ match = icompare((char*) string->string, (char*) buffer, string->length);
+ }
+ else
+ {
+ match = compare((char*) string->string, (char*) buffer, string->length);
+ }
+
+ if (match > 0 && IS_FULL_WORD(string))
+ {
+ if (negative_size >= 1 && isalphanum[(char) (buffer[-1])])
+ {
+ match = 0;
+ }
+ else if (string->length < buffer_size && isalphanum[(char) (buffer[string->length])])
+ {
+ match = 0;
+ }
+ }
+
+ return match;
+ }
+
+ return 0;
}
@@ -772,85 +774,85 @@ inline int find_matches_for_strings( STRING_LIST_ENTRY* first_string,
int flags,
int negative_size)
{
- int len;
-
- STRING* string;
- MATCH* match;
+ int len;
+
+ STRING* string;
+ MATCH* match;
STRING_LIST_ENTRY* entry = first_string;
- while (entry != NULL)
- {
- string = entry->string;
- entry = entry->next;
-
- if ((string->flags & STRING_FLAGS_FOUND) && (string->flags & STRING_FLAGS_FAST_MATCH))
- {
- continue;
- }
-
- if ( (string->flags & flags) && (len = string_match(buffer, buffer_size, string, flags, negative_size)))
- {
- /*
- If this string already matched we must check that this match is not
- overlapping a previous one. This can occur for example if we search
- for the string 'aa' and the file contains 'aaaaaa'.
- */
-
- if ((string->matches_tail == NULL) ||
- (string->matches_tail->offset + string->matches_tail->length <= current_offset))
- {
- string->flags |= STRING_FLAGS_FOUND;
- match = (MATCH*) yr_malloc(sizeof(MATCH));
- match->data = (unsigned char*) yr_malloc(len);
-
- if (match != NULL && match->data != NULL)
- {
- match->offset = current_offset;
- match->length = len;
- match->next = NULL;
+ while (entry != NULL)
+ {
+ string = entry->string;
+ entry = entry->next;
+
+ if ((string->flags & STRING_FLAGS_FOUND) && (string->flags & STRING_FLAGS_FAST_MATCH))
+ {
+ continue;
+ }
+
+ if ( (string->flags & flags) && (len = string_match(buffer, buffer_size, string, flags, negative_size)))
+ {
+ /*
+ If this string already matched we must check that this match is not
+ overlapping a previous one. This can occur for example if we search
+ for the string 'aa' and the file contains 'aaaaaa'.
+ */
+
+ if ((string->matches_tail == NULL) ||
+ (string->matches_tail->offset + string->matches_tail->length <= current_offset))
+ {
+ string->flags |= STRING_FLAGS_FOUND;
+ match = (MATCH*) yr_malloc(sizeof(MATCH));
+ match->data = (unsigned char*) yr_malloc(len);
+
+ if (match != NULL && match->data != NULL)
+ {
+ match->offset = current_offset;
+ match->length = len;
+ match->next = NULL;
memcpy(match->data, buffer, len);
-
- if (string->matches_head == NULL)
- {
+
+ if (string->matches_head == NULL)
+ {
string->matches_head = match;
- }
-
- if (string->matches_tail != NULL)
- {
+ }
+
+ if (string->matches_tail != NULL)
+ {
string->matches_tail->next = match;
- }
-
- string->matches_tail = match;
-
- }
- else
- {
+ }
+
+ string->matches_tail = match;
+
+ }
+ else
+ {
if (match != NULL)
yr_free(match);
-
- return ERROR_INSUFICIENT_MEMORY;
- }
- }
- }
- }
-
+
+ return ERROR_INSUFICIENT_MEMORY;
+ }
+ }
+ }
+ }
+
return ERROR_SUCCESS;
}
-int find_matches( unsigned char first_char,
- unsigned char second_char,
- unsigned char* buffer,
- size_t buffer_size,
- size_t current_offset,
- int flags,
- int negative_size,
- YARA_CONTEXT* context)
+int find_matches( unsigned char first_char,
+ unsigned char second_char,
+ unsigned char* buffer,
+ size_t buffer_size,
+ size_t current_offset,
+ int flags,
+ int negative_size,
+ YARA_CONTEXT* context)
{
-
+
int result = ERROR_SUCCESS;
-
+
if (context->hash_table.hashed_strings_2b[first_char][second_char] != NULL)
{
result = find_matches_for_strings( context->hash_table.hashed_strings_2b[first_char][second_char],
@@ -881,6 +883,6 @@ int find_matches( unsigned char first_char,
flags,
negative_size);
}
-
- return result;
+
+ return result;
}
--
Alioth's /usr/local/bin/git-commit-notice on /srv/git.debian.org/git/forensics/yara.git
More information about the forensics-changes
mailing list