VirusTotal / yara

The pattern matching swiss knife
https://virustotal.github.io/yara/
BSD 3-Clause "New" or "Revised" License
8.26k stars 1.44k forks source link

Return YR_UNDEFINED when offset is not valid #1881

Closed TommYDeeee closed 1 year ago

TommYDeeee commented 1 year ago

Right now pe.export_details[].offset is set to -1 whenever invalid offset is found. However in YARA invalid values are set to UNDEFINED since operations on UNDEFINED values are always false so you do not have to be that defensive while writing YARA rules as those values are left out. Therefore I suggest to change this value to UNDEFINED also to preserve consistency. I have also submitted simple regression test with sample to check for invalid offset values and their return value to match YR_UNDEFINED instead of -1 as previously.