[Forensics-changes] [yara] 227/415: Implement case-insensitive regular expressions
Hilko Bengen
bengen at moszumanska.debian.org
Thu Apr 3 05:43:08 UTC 2014
This is an automated email from the git hooks/post-receive script.
bengen pushed a commit to branch debian
in repository yara.
commit 5f15a855142dcbe33a3a740cedae9f9c74465575
Author: Victor M. Alvarez <plusvic at gmail.com>
Date: Mon Nov 18 16:58:22 2013 +0000
Implement case-insensitive regular expressions
---
libyara/libyara.c | 10 ++++++++++
libyara/re.c | 21 +++++++++++++++++++--
libyara/rules.c | 3 +++
libyara/yara.h | 2 +-
4 files changed, 33 insertions(+), 3 deletions(-)
diff --git a/libyara/libyara.c b/libyara/libyara.c
index 019b8fc..7627eb8 100644
--- a/libyara/libyara.c
+++ b/libyara/libyara.c
@@ -32,6 +32,7 @@ limitations under the License.
#endif
char lowercase[256];
+char altercase[256];
#ifdef WIN32
DWORD key;
@@ -52,7 +53,16 @@ void yr_initialize(void)
int i;
for (i = 0; i < 256; i++)
+ {
+ if (i >= 'a' && i <= 'z')
+ altercase[i] = i - 32;
+ else if (i >= 'A' && i <= 'Z')
+ altercase[i] = i + 32;
+ else
+ altercase[i] = i;
+
lowercase[i] = tolower(i);
+ }
yr_heap_alloc();
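Review bot: The two tables filled in this loop follow different case rules: `altercase` swaps only ASCII `a`-`z`/`A`-`Z` by arithmetic, while `lowercase` comes from `tolower(i)`, which follows the process's C locale. If the host application has called `setlocale()` with a single-byte locale, a nocase literal (compared through `lowercase` in re.c) and a nocase character class (checked through `altercase`) could disagree on bytes above 0x7F, so the same rule might match differently from one scanning host to another. Building both tables from the same ASCII test keeps rule results reproducible, e.g. `lowercase[i] = (i >= 'A' && i <= 'Z') ? i + 32 : i;`. At minimum, add a comment such as `/* altercase is ASCII-only; lowercase depends on the C locale */`. The body of yr_initialize continues outside the hunk.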
diff --git a/libyara/re.c b/libyara/re.c
index 17305c2..cb10034 100644
--- a/libyara/re.c
+++ b/libyara/re.c
@@ -1049,6 +1049,8 @@ int yr_re_exec(
RE_STACK* stack;
int idx;
+ int match;
+ char character;
int character_size;
int result = -1;
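Review bot: `char character;` is declared here, but none of the yr_re_exec hunks in this commit reads or writes it. Unless it is used in a part of the function outside these hunks, drop it to avoid an unused-variable warning. `match` would read better with a short comment, e.g. `int match;  // non-zero when the current input byte satisfies the opcode`.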
@@ -1111,7 +1113,11 @@ int yr_re_exec(
switch(*ip)
{
case RE_OPCODE_LITERAL:
- if (*current_input == *(ip + 1))
+ if (flags & RE_FLAGS_NO_CASE)
+ match = lowercase[*current_input] == lowercase[*(ip + 1)];
+ else
+ match = *current_input == *(ip + 1);
+ if (match)
_yr_re_add_fiber(next_fibers, storage, ip + 2, stack);
else
_yr_re_free_stack(stack, &storage->stack_pool);
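Review bot: `lowercase[*current_input]` and `lowercase[*(ip + 1)]` index a 256-entry table with a byte from the scanned data and a byte from the compiled regexp, and the declarations of `current_input` and `ip` are outside this hunk. If either is a plain `char*` on a platform where char is signed, any byte of 0x80 or above gives a negative index and a read before the table, driven by whatever file or memory is being scanned. Confirm both are `uint8_t*`, or make the width explicit at the use site: `match = lowercase[(uint8_t) *current_input] == lowercase[(uint8_t) *(ip + 1)];`. The enclosing switch and yr_re_exec continue outside the hunk.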
@@ -1120,6 +1126,11 @@ int yr_re_exec(
case RE_OPCODE_MASKED_LITERAL:
value = *(int16_t*)(ip + 1) & 0xFF;
mask = *(int16_t*)(ip + 1) >> 8;
+
+ // We don't need to take into account the case-insensitive
+ // case because this opcode is only used with hex strings,
+ // which can't be case-insensitive.
+
if ((*current_input & mask) == value)
_yr_re_add_fiber(next_fibers, storage, ip + 3, stack);
else
@@ -1127,7 +1138,13 @@ int yr_re_exec(
break;
case RE_OPCODE_CLASS:
- if (CHAR_IN_CLASS(*current_input, ip + 1))
+ if (flags & RE_FLAGS_NO_CASE)
+ match = CHAR_IN_CLASS(*current_input, ip + 1) ||
+ CHAR_IN_CLASS(altercase[*current_input], ip + 1);
+ else
+ match = CHAR_IN_CLASS(*current_input, ip + 1);
+
+ if (match)
_yr_re_add_fiber(next_fibers, storage, ip + 33, stack);
else
_yr_re_free_stack(stack, &storage->stack_pool);
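Review bot: `altercase[*current_input]` yields a `char`, because the table is declared `char altercase[256]` in libyara.c and yara.h. Where char is signed, an input byte of 0x80 or above that is not in the class reaches the second `CHAR_IN_CLASS` as a negative value. The macro's definition is not part of this diff, but if it indexes the class bitmap (32 bytes, judging by `ip + 33`) with something like `chr / 8`, that is a read before the bitmap controlled by scanned content. Declaring the tables as `uint8_t altercase[256]` (and likewise `lowercase`), or casting here with `CHAR_IN_CLASS((uint8_t) altercase[*current_input], ip + 1)`, removes the dependence on char signedness. A test rule with a nocase class run against bytes 0x80-0xFF would pin this down.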
diff --git a/libyara/rules.c b/libyara/rules.c
index d11642b..aebba1c 100644
--- a/libyara/rules.c
+++ b/libyara/rules.c
@@ -282,6 +282,9 @@ int _yr_scan_verify_re_match(
if (STRING_IS_END_ANCHORED(ac_match->string))
flags |= RE_FLAGS_END_ANCHORED;
+ if (STRING_IS_NO_CASE(ac_match->string))
+ flags |= RE_FLAGS_NO_CASE;
+
if (STRING_IS_ASCII(ac_match->string))
{
forward_matches = yr_re_exec(
diff --git a/libyara/yara.h b/libyara/yara.h
index ada8645..ee976ea 100644
--- a/libyara/yara.h
+++ b/libyara/yara.h
@@ -558,7 +558,7 @@ typedef struct _YARA_RULES {
extern char lowercase[256];
-
+extern char altercase[256];
void yr_initialize(void);
--
Alioth's /usr/local/bin/git-commit-notice on /srv/git.debian.org/git/forensics/yara.git