There is a bug introduced in 1c309a82499fc64fc490fcefb5da18abbfde7f6d: the size of bitmask to allocate is calculated with undefined new_rules->num_rules value instead of passed summary->num_rules, so the YR_BITMASK_SIZE() is evaluated as random value, sometimes less then needed.
1ndahous3
commented
1 year ago
There is a bug introduced in 1c309a82499fc64fc490fcefb5da18abbfde7f6d: the size of bitmask to allocate is calculated with undefined
new_rules->num_rulesvalue instead of passedsummary->num_rules, so theYR_BITMASK_SIZE()is evaluated as random value, sometimes less then needed.In my case
new_rules->num_rules == 0soYR_BITMASK_SIZE(new_rules->num_rules) == 1and I get 4 (1 * sizeof(YR_BITMASK)) bytes allocated for bitmask. After that I get heap corruption because of writing of first bit of non-allocated 5th byte for 128 rule (i == 128) here: https://github.com/VirusTotal/yara/blob/1c309a82499fc64fc490fcefb5da18abbfde7f6d/libyara/rules.c#L378-L384