There is a bug introduced in 1c309a82499fc64fc490fcefb5da18abbfde7f6d: the size of the bitmask to allocate is calculated with the undefined `new_rules->num_rules` value instead of the passed `summary->num_rules`, so `YR_BITMASK_SIZE()` is evaluated as a random value, sometimes less than needed.

In my case `new_rules->num_rules == 0`, so `YR_BITMASK_SIZE(new_rules->num_rules) == 1` and I get 4 (`1 * sizeof(YR_BITMASK)`) bytes allocated for the bitmask. After that I get heap corruption because of writing the first bit of the non-allocated 5th byte for rule 128 (`i == 128`) here: https://github.com/VirusTotal/yara/blob/1c309a82499fc64fc490fcefb5da18abbfde7f6d/libyara/rules.c#L378-L384