Fix bug in yr_re_fast_exec causing assertion in _yr_scan_match_callback

plusvic · plusvic · commit bcc631299c9e · 2023-06-12T11:24:48.000+02:00
When an arbitrary file is scanned with the rule below it triggers the assertion at https://github.com/VirusTotal/yara/blob/v4.3.1/libyara/scan.c#L670 ``` rule test { strings: $a = { 31[-][8-][-]30 } condition: $a } ```
diff --git a/libyara/re.c b/libyara/re.c
@@ -2291,10 +2291,11 @@ int yr_re_fast_exec(
         break;
 
       case RE_OPCODE_REPEAT_ANY_UNGREEDY:
-        if (bytes_matched >= max_bytes_matched)
+        repeat_any_args = (RE_REPEAT_ANY_ARGS*) (ip + 1);
+
+        if (bytes_matched + repeat_any_args->min >= max_bytes_matched)
           break;
 
-        repeat_any_args = (RE_REPEAT_ANY_ARGS*) (ip + 1);
         match = true;
 
         const uint8_t* next_opcode = ip + 1 + sizeof(RE_REPEAT_ANY_ARGS);
diff --git a/tests/test-rules.c b/tests/test-rules.c
@@ -1601,6 +1601,18 @@ static void test_hex_strings()
         condition: $a }",
       "123440004");
 
+  assert_true_rule(
+      "rule test { \
+        strings: $a = { 31[-][8-][-]30 } \
+        condition: $a }",
+      "1234567890");
+
+  assert_false_rule(
+      "rule test { \
+        strings: $a = { 31[-][9-][-]30 } \
+        condition: $a }",
+      "1234567890");
+
   assert_error(
       "rule test { \
         strings: $a = { 01 [0] 02 } \
