[Forensics-changes] [yara] 361/415: Avoid negative numbers in hex strings jumps and regexp repeat intervals
Hilko Bengen
bengen at moszumanska.debian.org
Thu Apr 3 05:43:24 UTC 2014
This is an automated email from the git hooks/post-receive script.
bengen pushed a commit to branch debian
in repository yara.
commit af438a9a1c624241ade511351bf1290a7ddea77a
Author: Victor Manuel Alvarez <vmalvarez at virustotal.com>
Date: Wed Jan 15 20:37:01 2014 +0100
Avoid negative numbers in hex strings jumps and regexp repeat intervals
---
libyara/hex_grammar.c | 44 ++++++++++++++++++++++++++++++++++----------
libyara/hex_grammar.y | 24 ++++++++++++++++++++++++
libyara/re_lexer.c | 11 ++++++-----
libyara/re_lexer.l | 2 +-
4 files changed, 65 insertions(+), 16 deletions(-)
diff --git a/libyara/hex_grammar.c b/libyara/hex_grammar.c
index 4850d5d..5d13deb 100644
--- a/libyara/hex_grammar.c
+++ b/libyara/hex_grammar.c
@@ -462,7 +462,7 @@ static const yytype_int8 yyrhs[] =
static const yytype_uint16 yyrline[] =
{
0, 93, 93, 101, 105, 116, 121, 120, 129, 137,
- 164, 201, 226, 253, 257, 269, 277
+ 172, 217, 250, 277, 281, 293, 301
};
#endif
@@ -1471,6 +1471,14 @@ yyreduce:
{
RE_NODE* re_any;
+ if ((yyvsp[(1) - (1)].integer) < 0)
+ {
+ RE* re = yyget_extra(yyscanner);
+ re->error_code = ERROR_INVALID_HEX_STRING;
+ re->error_message = yr_strdup("invalid negative jump length");
+ YYABORT;
+ }
+
if (lex_env->inside_or && (yyvsp[(1) - (1)].integer) > STRING_CHAINING_THRESHOLD)
{
RE* re = yyget_extra(yyscanner);
@@ -1497,7 +1505,7 @@ yyreduce:
break;
case 10:
-#line 165 "hex_grammar.y"
+#line 173 "hex_grammar.y"
{
RE_NODE* re_any;
@@ -1515,6 +1523,14 @@ yyreduce:
YYABORT;
}
+ if ((yyvsp[(1) - (3)].integer) < 0 || (yyvsp[(3) - (3)].integer) < 0)
+ {
+ RE* re = yyget_extra(yyscanner);
+ re->error_code = ERROR_INVALID_HEX_STRING;
+ re->error_message = yr_strdup("invalid negative jump length");
+ YYABORT;
+ }
+
if ((yyvsp[(1) - (3)].integer) > (yyvsp[(3) - (3)].integer))
{
RE* re = yyget_extra(yyscanner);
@@ -1537,7 +1553,7 @@ yyreduce:
break;
case 11:
-#line 202 "hex_grammar.y"
+#line 218 "hex_grammar.y"
{
RE_NODE* re_any;
@@ -1551,6 +1567,14 @@ yyreduce:
YYABORT;
}
+ if ((yyvsp[(1) - (2)].integer) < 0)
+ {
+ RE* re = yyget_extra(yyscanner);
+ re->error_code = ERROR_INVALID_HEX_STRING;
+ re->error_message = yr_strdup("invalid negative jump length");
+ YYABORT;
+ }
+
re_any = yr_re_node_create(RE_NODE_ANY, NULL, NULL);
ERROR_IF(re_any == NULL, ERROR_INSUFICIENT_MEMORY);
@@ -1565,7 +1589,7 @@ yyreduce:
break;
case 12:
-#line 227 "hex_grammar.y"
+#line 251 "hex_grammar.y"
{
RE_NODE* re_any;
@@ -1592,14 +1616,14 @@ yyreduce:
break;
case 13:
-#line 254 "hex_grammar.y"
+#line 278 "hex_grammar.y"
{
(yyval.re_node) = (yyvsp[(1) - (1)].re_node);
}
break;
case 14:
-#line 258 "hex_grammar.y"
+#line 282 "hex_grammar.y"
{
mark_as_not_fast_hex_regexp();
@@ -1612,7 +1636,7 @@ yyreduce:
break;
case 15:
-#line 270 "hex_grammar.y"
+#line 294 "hex_grammar.y"
{
(yyval.re_node) = yr_re_node_create(RE_NODE_LITERAL, NULL, NULL);
@@ -1623,7 +1647,7 @@ yyreduce:
break;
case 16:
-#line 278 "hex_grammar.y"
+#line 302 "hex_grammar.y"
{
uint8_t mask = (yyvsp[(1) - (1)].integer) >> 8;
@@ -1647,7 +1671,7 @@ yyreduce:
/* Line 1267 of yacc.c. */
-#line 1651 "hex_grammar.c"
+#line 1675 "hex_grammar.c"
default: break;
}
YY_SYMBOL_PRINT ("-> $$ =", yyr1[yyn], &yyval, &yyloc);
@@ -1861,7 +1885,7 @@ yyreturn:
}
-#line 299 "hex_grammar.y"
+#line 323 "hex_grammar.y"
diff --git a/libyara/hex_grammar.y b/libyara/hex_grammar.y
index e98073f..636379c 100644
--- a/libyara/hex_grammar.y
+++ b/libyara/hex_grammar.y
@@ -138,6 +138,14 @@ range : _NUMBER_
{
RE_NODE* re_any;
+ if ($1 < 0)
+ {
+ RE* re = yyget_extra(yyscanner);
+ re->error_code = ERROR_INVALID_HEX_STRING;
+ re->error_message = yr_strdup("invalid negative jump length");
+ YYABORT;
+ }
+
if (lex_env->inside_or && $1 > STRING_CHAINING_THRESHOLD)
{
RE* re = yyget_extra(yyscanner);
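Review bot: The new `$1 < 0` test rejects a jump length only once it is already negative, and since `_NUMBER_` is presumably converted from a run of digits by the lexer (not shown here), a negative value most likely means that conversion overflowed; an oversized length that wraps to a positive value would still pass this check and the identical ones in the `@@ -179` and `@@ -212` hunks. Consider bounding the value where it is converted, or adding an explicit upper limit beside the sign test, e.g. `if ($1 < 0 || $1 > MAX_JUMP_LENGTH)`, where `MAX_JUMP_LENGTH` is a placeholder for whatever limit the project chooses. The three added blocks are copies of one another, so a small helper or macro would keep the error code and the "invalid negative jump length" message in one place. The rule actions start and end outside each hunk, so any limit applied earlier in them is not visible here.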
@@ -179,6 +187,14 @@ range : _NUMBER_
YYABORT;
}
+ if ($1 < 0 || $3 < 0)
+ {
+ RE* re = yyget_extra(yyscanner);
+ re->error_code = ERROR_INVALID_HEX_STRING;
+ re->error_message = yr_strdup("invalid negative jump length");
+ YYABORT;
+ }
+
if ($1 > $3)
{
RE* re = yyget_extra(yyscanner);
@@ -212,6 +228,14 @@ range : _NUMBER_
YYABORT;
}
+ if ($1 < 0)
+ {
+ RE* re = yyget_extra(yyscanner);
+ re->error_code = ERROR_INVALID_HEX_STRING;
+ re->error_message = yr_strdup("invalid negative jump length");
+ YYABORT;
+ }
+
re_any = yr_re_node_create(RE_NODE_ANY, NULL, NULL);
ERROR_IF(re_any == NULL, ERROR_INSUFICIENT_MEMORY);
diff --git a/libyara/re_lexer.c b/libyara/re_lexer.c
index 9d861cb..e10eab7 100644
--- a/libyara/re_lexer.c
+++ b/libyara/re_lexer.c
@@ -47,6 +47,7 @@ typedef int16_t flex_int16_t;
typedef uint16_t flex_uint16_t;
typedef int32_t flex_int32_t;
typedef uint32_t flex_uint32_t;
+typedef uint64_t flex_uint64_t;
#else
typedef signed char flex_int8_t;
typedef short int flex_int16_t;
@@ -357,7 +358,7 @@ static void yy_fatal_error (yyconst char msg[] ,yyscan_t yyscanner );
*/
#define YY_DO_BEFORE_ACTION \
yyg->yytext_ptr = yy_bp; \
- yyleng = (size_t) (yy_cp - yy_bp); \
+ yyleng = (yy_size_t) (yy_cp - yy_bp); \
yyg->yy_hold_char = *yy_cp; \
*yy_cp = '\0'; \
yyg->yy_c_buf_p = yy_cp;
@@ -521,7 +522,7 @@ uint8_t read_escaped_char(yyscan_t yyscanner);
#define YY_NO_UNISTD_H 1
-#line 525 "re_lexer.c"
+#line 526 "re_lexer.c"
#define INITIAL 0
#define char_class 1
@@ -758,7 +759,7 @@ YY_DECL
#line 61 "re_lexer.l"
-#line 762 "re_lexer.c"
+#line 763 "re_lexer.c"
yylval = yylval_param;
@@ -880,7 +881,7 @@ YY_RULE_SETUP
yyterminate();
}
- if (hi_bound < lo_bound)
+ if (hi_bound < lo_bound || hi_bound < 0 || lo_bound < 0)
{
yyerror(yyscanner, lex_env, "bad repeat interval");
yyterminate();
@@ -1234,7 +1235,7 @@ YY_RULE_SETUP
#line 376 "re_lexer.l"
ECHO;
YY_BREAK
-#line 1238 "re_lexer.c"
+#line 1239 "re_lexer.c"
case YY_END_OF_BUFFER:
{
diff --git a/libyara/re_lexer.l b/libyara/re_lexer.l
index 4f5867d..bc9c23e 100644
--- a/libyara/re_lexer.l
+++ b/libyara/re_lexer.l
@@ -82,7 +82,7 @@ hex_digit [0-9a-fA-F]
yyterminate();
}
- if (hi_bound < lo_bound)
+ if (hi_bound < lo_bound || hi_bound < 0 || lo_bound < 0)
{
yyerror(yyscanner, lex_env, "bad repeat interval");
yyterminate();
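Review bot: The new condition `if (hi_bound < lo_bound || hi_bound < 0 || lo_bound < 0)` carries a redundant term and does not say why a negative bound can occur. Once `lo_bound >= 0` and `hi_bound >= lo_bound` hold, `hi_bound` cannot be negative, so `if (lo_bound < 0 || hi_bound < lo_bound)` is equivalent and reads in the order a reader checks it. A short comment such as `// bounds must satisfy 0 <= lo_bound <= hi_bound; a negative value means the number did not fit` would record the intent, assuming the bounds are converted from digit text earlier in this action, which lies outside the hunk. The same line appears in the generated re_lexer.c and will follow from regenerating it.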
--
Alioth's /usr/local/bin/git-commit-notice on /srv/git.debian.org/git/forensics/yara.git