Capture YARA compiled condition string and anchor in struct cli_ac_lsig.

libclamav/matcher.h

@@ -86,7 +86,7 @@ struct cli_ac_lsig {
     uint8_t type;
     union {
         char *logic;
-        void *other;
+        uint8_t *code_start;
     } u;
     const char *virname;
     struct cli_lsig_tdb tdb;

libclamav/readdb.c

@@ -3402,30 +3402,31 @@ static int load_oneyara(YR_RULE *rule, struct cl_engine *engine, unsigned int op
     /*** conditional verification step (ex. do we define too many strings versus used?)  ***/
     /*** additional string table population (ex. offsets), second translation table pass ***/
 
-    lsize = 3*ytable.tbl_cnt;
-    logic = cli_calloc(lsize, sizeof(char));
-    if (!logic) {
-        cli_errmsg("load_oneyara: cannot allocate memory for logic statement\n");
-        ytable_delete(&ytable);
-        return CL_EMEM;
-    }
-
-    if (rule->g_flags & RULE_ALL && rule->g_flags & RULE_THEM)
-        exp_op = "&";
-    else {
-        exp_op = "|";
-        if ((!(rule->g_flags & RULE_ANY && rule->g_flags & RULE_THEM) && ytable.tbl_cnt > 1) &&
-            !(rule->g_flags & RULE_EP && ytable.tbl_cnt == 1))
-            yara_complex++;
+    if (rule->g_flags & RULE_ALL ||  rule->g_flags & RULE_ANY) {
+        lsize = 3*ytable.tbl_cnt;
+        logic = cli_calloc(lsize, sizeof(char));
+        if (!logic) {
+            cli_errmsg("load_oneyara: cannot allocate memory for logic statement\n");
+            ytable_delete(&ytable);
+            return CL_EMEM;
+        }
+        
+        if (rule->g_flags & RULE_ALL && rule->g_flags & RULE_THEM)
+            exp_op = "&";
+        else {
+            exp_op = "|";
+            if ((!(rule->g_flags & RULE_ANY && rule->g_flags & RULE_THEM) && ytable.tbl_cnt > 1) &&
+                !(rule->g_flags & RULE_EP && ytable.tbl_cnt == 1))
+                yara_complex++;
+        }
+        
+        for (i=0; i<ytable.tbl_cnt; i++) {
+            size_t len=strlen(logic);
+            snprintf(logic+len, lsize-len, "%u%s", i, (i+1 == ytable.tbl_cnt) ? "" : exp_op);
+        }    
+        
+        /*** END CONDITIONAL HANDLING ***/
     }
-
-    for (i=0; i<ytable.tbl_cnt; i++) {
-        size_t len=strlen(logic);
-        snprintf(logic+len, lsize-len, "%u%s", i, (i+1 == ytable.tbl_cnt) ? "" : exp_op);
-    }    
-
-    /*** END CONDITIONAL HANDLING ***/
-
     /* TDB */
     if (rule->g_flags & RULE_EP && ytable.tbl_cnt == 1)
         target_str = cli_strdup(YARATARGET1);
@@ -3461,23 +3462,26 @@ static int load_oneyara(YR_RULE *rule, struct cl_engine *engine, unsigned int op
 
         lsig->type = CLI_NORMAL_LSIG;
         lsig->u.logic = cli_mpool_strdup(engine->mempool, logic);
+        free(logic);
         if(!lsig->u.logic) {
             cli_errmsg("load_oneyara: Can't allocate memory for lsig->logic\n");
             FREE_TDB(tdb);
             ytable_delete(&ytable);
-            free(logic);
             mpool_free(engine->mempool, lsig);
             return CL_EMEM;
         }
     } else {
-        cli_errmsg("load_oneyara: Unsupported logic type\n");
-        FREE_TDB(tdb);
-        ytable_delete(&ytable);
-        free(logic);
-        mpool_free(engine->mempool, lsig);
-        return CL_EMEM;
+        if (NULL != (lsig->u.code_start = rule->code_start)) {
+        lsig->type = CLI_NORMAL_YARA;
+        } else {
+            cli_errmsg("load_oneyara: code start is NULL\n");
+            FREE_TDB(tdb);
+            ytable_delete(&ytable);
+            mpool_free(engine->mempool, lsig);
+            return CL_EMEM;
+        }
     }
-    free(logic);
+
 
     lsigid[0] = lsig->id = root->ac_lsigs;
 
@@ -4325,6 +4329,8 @@ int cl_engine_free(struct cl_engine *engine)
 		    for(j = 0; j < root->ac_lsigs; j++) {
 			if (root->ac_lsigtable[j]->type == CLI_NORMAL_LSIG)
 			    mpool_free(engine->mempool, root->ac_lsigtable[j]->u.logic);
+			else if (root->ac_lsigtable[j]->type == CLI_NORMAL_YARA)
+			    free(root->ac_lsigtable[j]->u.code_start);
 			FREE_TDB(root->ac_lsigtable[j]->tdb);
 			mpool_free(engine->mempool, root->ac_lsigtable[j]);
 		    }

libclamav/yara_arena.c

@@ -295,7 +295,7 @@ void yr_arena_destroy(
   yr_free(arena);
 }
 
-#if REAL_YARA
+
 //
 // yr_arena_base_address
 //
@@ -333,7 +333,6 @@ void* yr_arena_base_address(
 // Returns:
 //    A pointer
 //
-#endif
 
 void* yr_arena_next_address(
   YR_ARENA* arena,
@@ -384,7 +383,7 @@ void* yr_arena_next_address(
   return NULL;
 }
 
-#if REAL_YARA
+
 //
 // yr_arena_coalesce
 //
@@ -488,7 +487,6 @@ int yr_arena_coalesce(
 
   return ERROR_SUCCESS;
 }
-#endif
 
 //
 // yr_arena_reserve_memory

libclamav/yara_clam.h

@@ -539,6 +539,7 @@ struct _yc_rule {
     STAILQ_HEAD(sq, _yc_string) strings;
     char * identifier;
     uint32_t g_flags;
+    uint8_t * code_start;
 };
 typedef struct _yc_rule yc_rule;
 typedef struct _yc_string {

libclamav/yara_parser.c

@@ -702,6 +702,7 @@ int yr_parser_reduce_rule_declaration(
 
   YR_RULE* rule;
   YR_STRING* string;
+  int8_t halt = OP_HALT;
 
   if (yr_hash_table_lookup(
         compiler->rules_table,
@@ -799,6 +800,19 @@ int yr_parser_reduce_rule_declaration(
   compiler->current_rule_strings = NULL;
 #else
   compiler->current_rule_flags = 0;
+  // Write halt instruction at the end of code.
+  yr_arena_write_data(
+      compiler->code_arena,
+      &halt,
+      sizeof(int8_t),
+      NULL);
+  //TBD: seems like we will need the following yr_arena_coalesce, but it is not working.
+  //Yara condition code will work OK as long as it is less than 64K.
+  //FAIL_ON_COMPILER_ERROR(yr_arena_coalesce(compiler->code_arena));
+  rule->code_start = yr_arena_base_address(compiler->code_arena);
+  compiler->code_arena->page_list_head->address = NULL;
+  yr_arena_destroy(compiler->code_arena);
+  FAIL_ON_COMPILER_ERROR(yr_arena_create(65536, 0, &compiler->code_arena));
   STAILQ_INSERT_TAIL(&compiler->rule_q, rule, link); 
 #endif
   return compiler->last_result;