Fix inconsistency with --fast-scan option.

plusvic · plusvic · commit 4de3d574bae5 · 2023-08-23T11:00:11.000+02:00
Some rules were not matching when the `--fast-scan` flag was used, but they should. It happened with rules that contained statements like `any of  &lt;string_set&gt; in &lt;range&gt;` or `any of &lt;string_set&gt; at &lt;offset&gt;`. With this type of expressions, the strings included in `&lt;string_set&gt;` can't be flagged with `STRING_FLAGS_SINGLE_MATCH` because we need to find all the occurrences of those strings. Finding only the first match is not enough because the condition can be true for some other occurrence of the string, but not with the first one..

With this change the flag `STRING_FLAGS_SINGLE_MATCH` is cleared for every string included in a string set. This is a radical way of fixing the issue, as the flag is cleared in other cases where this is not necessary, like in `any of &lt;string_set&gt;`, where finding the first occurrence of each string in the set is enough. But I don't want to add more complexity and correctness should prevail over performance.
diff --git a/libyara/parser.c b/libyara/parser.c
@@ -216,6 +216,7 @@ int yr_parser_emit_pushes_for_strings(
 
         string->flags |= STRING_FLAGS_REFERENCED;
         string->flags &= ~STRING_FLAGS_FIXED_OFFSET;
+        string->flags &= ~STRING_FLAGS_SINGLE_MATCH;
         matching++;
       }
     }

Original file line number	Diff line number	Diff line change
`@@ -216,6 +216,7 @@ int yr_parser_emit_pushes_for_strings(`
`216`	`216`
`217`	`217`	`string->flags \|= STRING_FLAGS_REFERENCED;`
`218`	`218`	`string->flags &= ~STRING_FLAGS_FIXED_OFFSET;`
	`219`	`+ string->flags &= ~STRING_FLAGS_SINGLE_MATCH;`
`219`	`220`	`matching++;`
`220`	`221`	`}`
`221`	`222`	`}`