[Forensics-changes] [yara] 401/415: Put a cap on the number of matches per string and optimise the count (#) operator
Hilko Bengen
bengen at moszumanska.debian.org
Thu Apr 3 05:43:28 UTC 2014
This is an automated email from the git hooks/post-receive script.
bengen pushed a commit to branch debian
in repository yara.
commit 3df5ee2e9004aafc13682bd27c16de9903b6c793
Author: Victor M. Alvarez <plusvic at gmail.com>
Date: Thu Feb 13 16:06:02 2014 +0100
Put a cap on the number of matches per string and optimise the count (#) operator
---
libyara/arena.c | 2 +-
libyara/exec.c | 9 +--------
libyara/rules.c | 34 ++++++++++++++++++++--------------
libyara/yara.h | 26 +++++++++++++++-----------
4 files changed, 37 insertions(+), 34 deletions(-)
diff --git a/libyara/arena.c b/libyara/arena.c
index a57f8bf..9ceaf37 100644
--- a/libyara/arena.c
+++ b/libyara/arena.c
@@ -37,7 +37,7 @@ from files.
#include "yara.h"
-#define ARENA_FILE_VERSION 2
+#define ARENA_FILE_VERSION 3
#pragma pack(push)
diff --git a/libyara/exec.c b/libyara/exec.c
index 57e0852..f032dd7 100644
--- a/libyara/exec.c
+++ b/libyara/exec.c
@@ -410,14 +410,7 @@ int yr_execute_code(
case SCOUNT:
pop(r1);
string = UINT64_TO_PTR(YR_STRING*, r1);
- match = string->matches[tidx].head;
- found = 0;
- while (match != NULL)
- {
- found++;
- match = match->next;
- }
- push(found);
+ push(string->matches[tidx].count);
break;
case SOFFSET:
diff --git a/libyara/rules.c b/libyara/rules.c
index 155ab75..3e850cb 100644
--- a/libyara/rules.c
+++ b/libyara/rules.c
@@ -339,18 +339,21 @@ void _yr_scan_update_match_chain_length(
}
-void _yr_scan_add_match_to_list(
+int _yr_scan_add_match_to_list(
YR_MATCH* match,
YR_MATCHES* matches_list)
{
YR_MATCH* insertion_point = matches_list->tail;
+ if (matches_list->count == MAX_STRING_MATCHES)
+ return ERROR_TOO_MANY_MATCHES;
+
while (insertion_point != NULL)
{
if (match->offset == insertion_point->offset)
{
insertion_point->length = match->length;
- return;
+ return ERROR_SUCCESS;
}
if (match->offset > insertion_point->offset)
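Review bot: The cap check in `_yr_scan_add_match_to_list` runs before the duplicate-offset loop, so once a list holds MAX_STRING_MATCHES entries, a match at an offset already in the list is also rejected with ERROR_TOO_MANY_MATCHES, although it would only update `length` and not grow the list. Every caller changed in this commit wraps the call in FAIL_ON_ERROR (twice in `_yr_scan_verify_chained_string_match` and once in `_yr_scan_match_callback`), so one string reaching the cap appears to abort the whole scan. Input that repeats a common string more than 5000 times would then produce an error rather than a verdict, and library users have to treat that error as "not scanned", never as "clean". Consider placing the check immediately before the insertion and making it defensive, `if (matches_list->count >= MAX_STRING_MATCHES) return ERROR_TOO_MANY_MATCHES;`, and documenting the abort behaviour on the function. The function body continues outside this hunk.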
@@ -372,10 +375,14 @@ void _yr_scan_add_match_to_list(
matches_list->head = match;
}
+ matches_list->count++;
+
if (match->next != NULL)
match->next->prev = match;
else
matches_list->tail = match;
+
+ return ERROR_SUCCESS;
}
@@ -395,6 +402,7 @@ void _yr_scan_remove_match_from_list(
if (matches_list->tail == match)
matches_list->tail = match->prev;
+ matches_list->count--;
match->next = NULL;
match->prev = NULL;
}
@@ -418,7 +426,6 @@ int _yr_scan_verify_chained_string_match(
int32_t full_chain_length;
int add_match = FALSE;
- int result;
if (matching_string->chained_to == NULL)
{
@@ -504,8 +511,8 @@ int _yr_scan_verify_chained_string_match(
match->prev = NULL;
match->next = NULL;
- _yr_scan_add_match_to_list(
- match, &string->matches[tidx]);
+ FAIL_ON_ERROR(_yr_scan_add_match_to_list(
+ match, &string->matches[tidx]));
}
match = next_match;
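Review bot: FAIL_ON_ERROR here returns from the middle of the loop that moves matches into `string->matches[tidx]` (`match = next_match;` follows), after `match->prev` and `match->next` have already been cleared. If the match was unlinked from its previous list earlier in the loop body, which this hunk does not show, a cap hit leaves it in neither list and the remaining matches unprocessed. Either state in a comment that the per-string match lists are inconsistent after this error and must be reset before reuse (`_yr_rules_clean_matches` resets the counts and list ends), or stop adding once the cap is reached and let the loop finish. The enclosing function starts and ends outside the hunk.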
@@ -513,13 +520,10 @@ int _yr_scan_verify_chained_string_match(
}
else
{
- result = yr_arena_allocate_memory(
+ FAIL_ON_ERROR(yr_arena_allocate_memory(
matches_arena,
sizeof(YR_MATCH),
- (void**) &new_match);
-
- if (result != ERROR_SUCCESS)
- return result;
+ (void**) &new_match));
new_match->offset = match_offset;
new_match->length = match_length;
@@ -527,9 +531,9 @@ int _yr_scan_verify_chained_string_match(
new_match->prev = NULL;
new_match->next = NULL;
- _yr_scan_add_match_to_list(
+ FAIL_ON_ERROR(_yr_scan_add_match_to_list(
new_match,
- &matching_string->unconfirmed_matches[tidx]);
+ &matching_string->unconfirmed_matches[tidx]));
}
}
@@ -621,9 +625,9 @@ int _yr_scan_match_callback(
new_match->prev = NULL;
new_match->next = NULL;
- _yr_scan_add_match_to_list(
+ FAIL_ON_ERROR(_yr_scan_add_match_to_list(
new_match,
- &string->matches[tidx]);
+ &string->matches[tidx]));
}
}
@@ -1001,8 +1005,10 @@ void _yr_rules_clean_matches(
while (!STRING_IS_NULL(string))
{
+ string->matches[tidx].count = 0;
string->matches[tidx].head = NULL;
string->matches[tidx].tail = NULL;
+ string->unconfirmed_matches[tidx].count = 0;
string->unconfirmed_matches[tidx].head = NULL;
string->unconfirmed_matches[tidx].tail = NULL;
string++;
diff --git a/libyara/yara.h b/libyara/yara.h
index 11925bc..9fa9cc4 100644
--- a/libyara/yara.h
+++ b/libyara/yara.h
@@ -86,21 +86,23 @@ typedef int32_t tidx_mask_t;
#define ERROR_TOO_MANY_SCAN_THREADS 27
#define ERROR_CALLBACK_ERROR 28
#define ERROR_INVALID_ARGUMENT 29
-#define ERROR_INTERNAL_FATAL_ERROR 30
+#define ERROR_TOO_MANY_MATCHES 30
+#define ERROR_INTERNAL_FATAL_ERROR 31
-#define CALLBACK_MSG_RULE_MATCHING 1
-#define CALLBACK_MSG_RULE_NOT_MATCHING 2
-#define CALLBACK_MSG_SCAN_FINISHED 3
+#define CALLBACK_MSG_RULE_MATCHING 1
+#define CALLBACK_MSG_RULE_NOT_MATCHING 2
+#define CALLBACK_MSG_SCAN_FINISHED 3
-#define CALLBACK_CONTINUE 0
-#define CALLBACK_ABORT 1
-#define CALLBACK_ERROR 2
+#define CALLBACK_CONTINUE 0
+#define CALLBACK_ABORT 1
+#define CALLBACK_ERROR 2
-#define MAX_ATOM_LENGTH 4
-#define LOOP_LOCAL_VARS 4
-#define MAX_LOOP_NESTING 4
-#define MAX_INCLUDE_DEPTH 16
+#define MAX_ATOM_LENGTH 4
+#define LOOP_LOCAL_VARS 4
+#define MAX_LOOP_NESTING 4
+#define MAX_INCLUDE_DEPTH 16
+#define MAX_STRING_MATCHES 5000
#define STRING_CHAINING_THRESHOLD 200
#define LEX_BUF_SIZE 1024
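Review bot: Inserting ERROR_TOO_MANY_MATCHES as 30 renumbers ERROR_INTERNAL_FATAL_ERROR from 30 to 31, so an already-compiled caller or a language binding that hard-codes the old value will report the new cap error as an internal fatal error and will not recognise 31. Appending keeps the published values stable: `#define ERROR_TOO_MANY_MATCHES 31` with ERROR_INTERNAL_FATAL_ERROR left at 30. MAX_STRING_MATCHES is also introduced without explanation; a comment such as `/* upper bound on entries in one YR_MATCHES list; exceeding it returns ERROR_TOO_MANY_MATCHES */` would tell rule authors and integrators where the 5000 limit comes from.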
@@ -349,6 +351,8 @@ typedef struct _YR_META
typedef struct _YR_MATCHES
{
+ int32_t count;
+
DECLARE_REFERENCE(YR_MATCH*, head);
DECLARE_REFERENCE(YR_MATCH*, tail);
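Review bot: `count` is added with no comment stating the invariant it carries: it has to equal the number of nodes reachable from `head`, because SCOUNT in exec.c now pushes it directly instead of walking the list. Suggest `int32_t count;  /* number of YR_MATCH nodes between head and tail; never exceeds MAX_STRING_MATCHES */`. Placing a 4-byte member ahead of the reference members also changes the struct layout, presumably the reason for the ARENA_FILE_VERSION bump in arena.c; a one-line comment next to that define naming this struct would make the dependency explicit. The struct definition continues outside the hunk.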
--
Alioth's /usr/local/bin/git-commit-notice on /srv/git.debian.org/git/forensics/yara.git