YARA reports incorrect errors in rules when a single rule is badly formatted

[tlansec]

Hi,

I've noticed that in YARA 4.0 an error early on in a rules file means erroneous errors are reported later in the rules file.

Here's an example rules file to illustrate the issue:

rule bad_condition
{
strings:
	$foo = "foo"
	$bar = "bar"
condition:
	all of them 
	filesize < 30KB
}

rule perfectlygood_rule
{
strings:
	$foo = "foo"
	$bar = "bar"
condition:
	$foo and 
        $bar and
	filesize < 30KB
}

Running this with YARA 4.0 yields:

tmp.yar(8): error in rule "bad_condition": syntax error, unexpected <filesize>, expecting '}'
tmp.yar(19): error in rule "bad_condition": unreferenced string "$foo"

Running with 3.11 yields the correct error message:

tmp.yar(8): error: syntax error, unexpected <filesize>, expecting '}'

In large rules files this problem is exacerbated.

Hope this is enough information to triage.

Cheers,
Tom

[r0ny123]

I think you have missed the "and" in the bad_condition rule.

[tlansec]

Yes, that is deliberate to illustrate the issue.

YARA 4.0 reports a bug in the second (non bugged) rule, when the first rule contains a bug.

YARA 3.11 did not do this.

[r0ny123]

Ah, just checked. nice catch!

[wxsBSD]

We ran into this at work, I’m hoping to debug it this week.

[plusvic]

Fixed in 02e7c97

[wxsBSD]

Thank you for the fix @plusvic - I woke up this morning expecting to dig into this and am happy I don't have to. :)