VirusTotal / yara

The pattern matching swiss knife
https://virustotal.github.io/yara/
BSD 3-Clause "New" or "Revised" License

Ascii/Wide matching bug on some regexes #1933

Closed vthib closed 1 year ago

vthib commented 1 year ago

Describe the bug

With some regexes marked as "ascii wide", no matches are reported on inputs that should match.

To Reproduce

Here are some test cases showing the issue:

// Works
assert_true_rule_blob(
    "rule test { strings: $a = /a.{1}c/ ascii wide condition: $a }",
    "a\0b\0c\0");

// Fails
// (blob literal split in two so that "\01" is not parsed as the octal escape for byte 0x01)
assert_true_rule_blob(
    "rule test { strings: $a = /a.{1}1/ ascii wide condition: $a }",
    "a\0b\0" "1\0");

Expected behavior

The second test case should match.

Additional context

The regex might seem a bit far-fetched; I actually stumbled upon the issue with the regex a.{5}i, and just reduced it for reproducibility.

The bug does not exhibit when using "a.i". From what I can understand from some debugging:

So from what I can tell, the issue can happen when the ascii forward matcher is a prefix of the wide forward matcher. It should thus be possible to trigger with raw strings or hex strings, or even with some clever xor transformation; however, I haven't tried to come up with more "realistic" strings that could trigger this bug.
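
A reference check for the two test cases in the report above, added here as an example and not part of the issue or of YARA's own test suite: it models `ascii wide` with Python's `re` and, when yara-python is installed, compares the installed engine against that expectation. The wide model (every atom followed by a 0x00 byte) is a simplifying assumption that covers only literals, `.` and `{n}` counts, and the function names are hypothetical.

```python
import re

# The two cases from the report, as raw bytes (wide text "abc" and "ab1").
CASES = [("a.{1}c", b"a\x00b\x00c\x00"), ("a.{1}1", b"a\x00b\x001\x00")]

def wide_regex(pattern: str) -> bytes:
    """Translate a regex made only of literals, '.' and {n} counts into its
    wide byte form: every atom is followed by 0x00 (assumed model)."""
    out = bytearray()
    i = 0
    while i < len(pattern):
        ch = pattern[i]
        if ch == "{":  # copy the quantifier unchanged; it applies to the group before it
            end = pattern.index("}", i)
            out += pattern[i:end + 1].encode()
            i = end + 1
            continue
        atom = b"." if ch == "." else re.escape(ch).encode()
        out += b"(?:" + atom + b"\\x00)"
        i += 1
    return bytes(out)

def expected_match(pattern: str, blob: bytes) -> bool:
    """An 'ascii wide' string should match if either encoding matches."""
    return bool(re.search(pattern.encode(), blob)
                or re.search(wide_regex(pattern), blob))

def yara_match(pattern: str, blob: bytes):
    """Run the same case through the installed YARA; None if yara-python is absent."""
    try:
        import yara
    except ImportError:
        return None
    rule = yara.compile(
        source="rule test { strings: $a = /%s/ ascii wide condition: $a }" % pattern)
    return bool(rule.match(data=blob))

def check_cases():
    """Return (pattern, expected, actual) triples for the cases in the report."""
    return [(p, expected_match(p, b), yara_match(p, b)) for p, b in CASES]

if __name__ == "__main__":
    for pattern, expected, actual in check_cases():
        status = "skipped" if actual is None else ("ok" if actual == expected else "MISMATCH")
        print(f"/{pattern}/ ascii wide: expected={expected} yara={actual} -> {status}")
```

A `MISMATCH` line on the second case indicates a YARA build that still has the behaviour reported here.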

plusvic commented 1 year ago

Fixed in 95dafbdb3c59497771fc6991890d53e962a16eaa

vthib commented 1 year ago

Thanks for the fix! Do you have a release planned in the near future? I would love to get one to get the fix for this issue and #1928.

vthib commented 1 year ago

ping @plusvic, would it be possible to make a new release given the numerous fixes since the last one? That would be great :)

plusvic commented 1 year ago

Sorry for the delay @vthib, I'm starting to work on a 4.4.0 release that I hope to release soon.