The math module retrieves the first block of memory to do some validation on parameters. However, contrary to, for example, the hash module, the block value is not checked. This can lead, for example when scanning a process and having the process die during the scan, to a SIGSEGV/NULL access violation, as the first block call will return NULL.
This bug manifests in surprising ways. Since YARA by default runs the evaluation of conditions in a try-catch block, this bug is actually caught by the try-catch block, and a surprising "ERROR_COULD_NOT_MAP_FILE" error is then returned.
In addition, since the try-catch bypasses the whole stack, this leads to a memory leak that can add up as more instances of this bug are triggered.
In addition, the magic module is also fixed (although it should not really trigger since the process memory flag is checked beforehand), and the doc is updated.
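The failure mode described in this message, as an added C model that is not part of the original change and is not YARA source: a missing first block faults, the try-catch wrapper reports an unrelated error, and a buffer owned by an intermediate frame is never freed. All names are hypothetical, and the fault is simulated with `longjmp` rather than a real SIGSEGV.

```c
#include <setjmp.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* Hypothetical names throughout: a model of the bug, not YARA source. */
typedef struct { uint64_t base; } block_t;
static jmp_buf catch_point; /* landing pad of the try/catch wrapper */
static int live_allocs;     /* buffers allocated and not yet freed */

/* Models the fault: a read through NULL traps and the handler jumps
   straight to the catch point, skipping every frame in between. */
static uint64_t read_base(const block_t *b) {
    if (b == NULL) longjmp(catch_point, 1);
    return b->base;
}
/* Validation as in the bug: the first block is used without a check. */
static int validate_unchecked(const block_t *first, int64_t offset) {
    return offset >= 0 && (uint64_t) offset >= read_base(first);
}
/* Validation with the check: no first block yields -1 ("undefined"). */
static int validate_checked(const block_t *first, int64_t offset) {
    if (first == NULL) return -1;
    return offset >= 0 && (uint64_t) offset >= first->base;
}
/* A frame between the wrapper and the module call that owns a buffer. */
static int caller_frame(int checked, const block_t *first) {
    void *scratch = malloc(64);
    if (scratch == NULL) return -3;
    live_allocs++;
    int r = checked ? validate_checked(first, 0) : validate_unchecked(first, 0);
    free(scratch); /* never reached when the fault path is taken */
    live_allocs--;
    return r;
}
/* try/catch wrapper: -2 stands in for the unrelated error reported. */
int evaluate(int checked, const block_t *first) {
    if (setjmp(catch_point) != 0) return -2;
    return caller_frame(checked, first);
}
int leaked(void) { return live_allocs; }

int main(void) {
    int r = evaluate(0, NULL); /* process died: no first block */
    printf("unchecked: result=%d leaked=%d\n", r, leaked());
    return 0;
}
```

Each unchecked evaluation against a missing block leaves one more buffer outstanding, while the checked path returns the "undefined" value and unwinds normally.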