@@ -1,3 +1,15 @@

+Tue Sep  1 20:50:12 CEST 2009 (tk)

+----------------------------------

+ * libclamav: use BM matcher in offset mode for PE files larger than 256kB

+	      (10% speedup on average; 30-40% for large executables)

+

+Tue Sep  1 11:11:43 CEST 2009 (tk)

+----------------------------------

+ * libclamav: in bm_offmode only load sigs with non-floating absolute and

+	      relative offsets into BM matcher (load other ones into AC)

+	      and use per-file computed offset table to pick up best shifts

+	      (not enabled by default, bb#1300)

+

 Sun Aug 30 23:56:49 CEST 2009 (acab)

 ------------------------------------

  * libclamav: unify CL_TYPE_MAIL scanning

@@ -25,14 +25,11 @@

 #define CLI_DEFAULT_AC_MAXDEPTH	    3

 #define CLI_DEFAULT_AC_TRACKLEN	    8

-#define CLI_DEFAULT_MOVETOAC_LEN    8 /* all static sigs shorter than

-				       * this value will automatically

-				       * go to AC instead of BM

-				       */

-

 #define CLI_DEFAULT_LSIG_BUFSIZE    32768

 #define CLI_DEFAULT_DBIO_BUFSIZE    CLI_DEFAULT_LSIG_BUFSIZE + 1

+#define CLI_DEFAULT_BM_OFFMODE_FSIZE	262144

+

 #define CLI_DEFAULT_MAXSCANSIZE	    104857600

 #define CLI_DEFAULT_MAXFILESIZE	    26214400

 #define CLI_DEFAULT_MAXRECLEVEL	    16

@@ -851,7 +851,7 @@ int cli_ac_caloff(const struct cli_matcher *root, struct cli_ac_data *data, stru

 	    if(info.exeinfo.section)

 		free(info.exeinfo.section);

 	    return ret;

-	} else if(data->offset[patt->offset_min] + patt->length > info.fsize) {

+	} else if((data->offset[patt->offset_min] != CLI_OFF_NONE) && (data->offset[patt->offset_min] + patt->length > info.fsize)) {

 	    data->offset[patt->offset_min] = CLI_OFF_NONE;

 	}

     }

@@ -104,6 +104,17 @@ int cli_bm_addpatt(struct cli_matcher *root, struct cli_bm_patt *pattern, const

     pattern->pattern0 = pattern->pattern[0];

     root->bm_suffix[idx]->cnt++;

+    if(root->bm_offmode) {

+	root->bm_pattab = (struct cli_bm_patt **) mpool_realloc2(root->mempool, root->bm_pattab, (root->bm_patterns + 1) * sizeof(struct cli_bm_patt *));

+	if(!root->bm_pattab) {

+	    cli_errmsg("cli_bm_addpatt: Can't allocate memory for root->bm_pattab\n");

+	    return CL_EMEM;

+	}

+	root->bm_pattab[root->bm_patterns] = pattern;

+	if(pattern->offdata[0] != CLI_OFF_ABSOLUTE)

+	    pattern->offset_min = root->bm_patterns;

+    }

+

     root->bm_patterns++;

     return CL_SUCCESS;

 }

@@ -114,6 +125,7 @@ int cli_bm_init(struct cli_matcher *root)

 #ifdef USE_MPOOL

     assert (root->mempool && "mempool must be initialized");

 #endif

+

     if(!(root->bm_shift = (uint8_t *) mpool_calloc(root->mempool, size, sizeof(uint8_t))))

 	return CL_EMEM;

@@ -128,6 +140,73 @@ int cli_bm_init(struct cli_matcher *root)

     return CL_SUCCESS;

 }

+static int qcompare(const void *a, const void *b)

+{

+    return *(const uint32_t *)a - *(const uint32_t *)b;

+}

+

+int cli_bm_initoff(const struct cli_matcher *root, struct cli_bm_off *data, struct F_MAP *map)

+{

+	int ret;

+	unsigned int i;

+	struct cli_bm_patt *patt;

+	struct cli_target_info info;

+

+

+    if(!root->bm_patterns) {

+	data->offtab = data->offset = 0;

+	data->cnt = data->pos = 0;

+	return CL_SUCCESS;

+    }

+    memset(&info, 0, sizeof(info));

+    info.fsize = map->len;

+

+    data->cnt = data->pos = 0;

+    data->offtab = (uint32_t *) cli_malloc(root->bm_patterns * sizeof(uint32_t));

+    if(!data->offtab) {

+	cli_errmsg("cli_bm_initoff: Can't allocate memory for data->offtab\n");

+	return CL_EMEM;

+    }

+    data->offset = (uint32_t *) cli_malloc(root->bm_patterns * sizeof(uint32_t));

+    if(!data->offset) {

+	cli_errmsg("cli_bm_initoff: Can't allocate memory for data->offset\n");

+	free(data->offtab);

+	return CL_EMEM;

+    }

+    for(i = 0; i < root->bm_patterns; i++) {

+	patt = root->bm_pattab[i];

+	if(patt->offdata[0] == CLI_OFF_ABSOLUTE) {

+	    data->offtab[data->cnt] = patt->offset_min + patt->prefix_length;

+	    data->cnt++;

+	} else if((ret = cli_caloff(NULL, &info, map, root->type, patt->offdata, &data->offset[patt->offset_min], NULL))) {

+	    cli_errmsg("cli_bm_initoff: Can't calculate relative offset in signature for %s\n", patt->virname);

+	    if(info.exeinfo.section)

+		free(info.exeinfo.section);

+	    free(data->offtab);

+	    free(data->offset);

+	    return ret;

+	} else if((data->offset[patt->offset_min] != CLI_OFF_NONE) && (data->offset[patt->offset_min] + patt->length <= info.fsize)) {

+	    if(!data->cnt || (data->offset[patt->offset_min] != data->offtab[data->cnt - 1])) {

+		data->offtab[data->cnt] = data->offset[patt->offset_min] + patt->prefix_length;

+		data->cnt++;

+	    }

+	}

+    }

+    if(info.exeinfo.section)

+	free(info.exeinfo.section);

+

+    qsort(data->offtab, data->cnt, sizeof(uint32_t), qcompare);

+    return CL_SUCCESS;

+}

+

+void cli_bm_freeoff(struct cli_bm_off *data)

+{

+    free(data->offset);

+    data->offset = NULL;

+    free(data->offtab);

+    data->offtab = NULL;

+}

+

 void cli_bm_free(struct cli_matcher *root)

 {

 	struct cli_bm_patt *patt, *prev;

@@ -137,6 +216,9 @@ void cli_bm_free(struct cli_matcher *root)

     if(root->bm_shift)

 	mpool_free(root->mempool, root->bm_shift);

+    if(root->bm_pattab)

+	mpool_free(root->mempool, root->bm_pattab);

+

     if(root->bm_suffix) {

 	for(i = 0; i < size; i++) {

 	    patt = root->bm_suffix[i];

@@ -156,7 +238,7 @@ void cli_bm_free(struct cli_matcher *root)

     }

 }

-int cli_bm_scanbuff(const unsigned char *buffer, uint32_t length, const char **virname, const struct cli_matcher *root, uint32_t offset, struct F_MAP *map)

+int cli_bm_scanbuff(const unsigned char *buffer, uint32_t length, const char **virname, const struct cli_matcher *root, uint32_t offset, struct F_MAP *map, struct cli_bm_off *offdata)

 {

 	uint32_t i, j, off, off_min, off_max;

 	uint8_t found, pchain, shift;

@@ -174,7 +256,13 @@ int cli_bm_scanbuff(const unsigned char *buffer, uint32_t length, const char **v

 	return CL_CLEAN;

     memset(&info, 0, sizeof(info));

-    for(i = BM_MIN_LENGTH - BM_BLOCK_SIZE; i < length - BM_BLOCK_SIZE + 1; ) {

+    i = BM_MIN_LENGTH - BM_BLOCK_SIZE;

+    if(offdata) {

+	if(offdata->pos == offdata->cnt)

+	    return CL_CLEAN;

+	i += offdata->offtab[offdata->pos] - offset;

+    }

+    for(; i < length - BM_BLOCK_SIZE + 1; ) {

 	idx = HASH(buffer[i], buffer[i + 1], buffer[i + 2]);

 	shift = root->bm_shift[idx];

@@ -182,7 +270,15 @@ int cli_bm_scanbuff(const unsigned char *buffer, uint32_t length, const char **v

 	    prefix = buffer[i - BM_MIN_LENGTH + BM_BLOCK_SIZE];

 	    p = root->bm_suffix[idx];

 	    if(p && p->cnt == 1 && p->pattern0 != prefix) {

-		i++;

+		if(offdata) {

+		    off = offset + i - BM_MIN_LENGTH + BM_BLOCK_SIZE;

+		    for(; off >= offdata->offtab[offdata->pos] && offdata->pos < offdata->cnt; offdata->pos++);

+		    if(offdata->pos == offdata->cnt || off >= offdata->offtab[offdata->pos])

+			return CL_CLEAN;

+		    i += offdata->offtab[offdata->pos] - off;

+		} else {

+		    i++;

+		}

 		continue;

 	    }

 	    pchain = 0;

@@ -202,6 +298,18 @@ int cli_bm_scanbuff(const unsigned char *buffer, uint32_t length, const char **v

 		    continue;

 		}

+		if(offdata) {

+		    if(p->offdata[0] == CLI_OFF_ABSOLUTE) {

+			if(p->offset_min != offset + off - p->prefix_length) {

+			    p = p->next;

+			    continue;

+			}

+		    } else if((offdata->offset[p->offset_min] == CLI_OFF_NONE) || (offdata->offset[p->offset_min] != offset + off - p->prefix_length)) {

+			p = p->next;

+			continue;

+		    }

+		}

+

 		idxchk = MIN(p->length, length - off) - 1;

 		if(idxchk) {

 		    if((bp[idxchk] != p->pattern[idxchk]) ||  (bp[idxchk / 2] != p->pattern[idxchk / 2])) {

@@ -227,7 +335,7 @@ int cli_bm_scanbuff(const unsigned char *buffer, uint32_t length, const char **v

 		}

 		if(found && p->length + p->prefix_length == j) {

-		    if(p->offset_min != CLI_OFF_ANY) {

+		    if(!offdata && (p->offset_min != CLI_OFF_ANY)) {

 			if(p->offdata[0] != CLI_OFF_ABSOLUTE) {

 			    ret = cli_caloff(NULL, &info, map, root->type, p->offdata, &off_min, &off_max);

 			    if(ret != CL_SUCCESS) {

@@ -252,14 +360,21 @@ int cli_bm_scanbuff(const unsigned char *buffer, uint32_t length, const char **v

 			free(info.exeinfo.section);

 		    return CL_VIRUS;

 		}

-

 		p = p->next;

 	    }

-

 	    shift = 1;

 	}

-	i += shift;

+	if(offdata) {

+	    off = offset + i - BM_MIN_LENGTH + BM_BLOCK_SIZE;

+	    for(; off >= offdata->offtab[offdata->pos] && offdata->pos < offdata->cnt; offdata->pos++);

+	    if(offdata->pos == offdata->cnt || off >= offdata->offtab[offdata->pos])

+		return CL_CLEAN;

+	    i += offdata->offtab[offdata->pos] - off;

+	} else {

+	    i += shift;

+	}

+

     }

     if(info.exeinfo.section)

@@ -36,9 +36,15 @@ struct cli_bm_patt {

     unsigned char pattern0;

 };

+struct cli_bm_off {

+    uint32_t *offset, *offtab, cnt, pos;

+};

+

 int cli_bm_addpatt(struct cli_matcher *root, struct cli_bm_patt *pattern, const char *offset);

 int cli_bm_init(struct cli_matcher *root);

-int cli_bm_scanbuff(const unsigned char *buffer, uint32_t length, const char **virname, const struct cli_matcher *root, uint32_t offset, struct F_MAP *map);

+int cli_bm_initoff(const struct cli_matcher *root, struct cli_bm_off *data, struct F_MAP *map);

+void cli_bm_freeoff(struct cli_bm_off *data);

+int cli_bm_scanbuff(const unsigned char *buffer, uint32_t length, const char **virname, const struct cli_matcher *root, uint32_t offset, struct F_MAP *map, struct cli_bm_off *offdata);

 void cli_bm_free(struct cli_matcher *root);

 #endif

@@ -77,7 +77,7 @@ int cli_scanbuff(const unsigned char *buffer, uint32_t length, uint32_t offset,

 	if(!acdata && (ret = cli_ac_initdata(&mdata, troot->ac_partsigs, troot->ac_lsigs, troot->ac_reloff_num, CLI_DEFAULT_AC_TRACKLEN)))

 	    return ret;

-	if(troot->ac_only || (ret = cli_bm_scanbuff(buffer, length, virname, troot, offset, NULL)) != CL_VIRUS)

+	if(troot->ac_only || (ret = cli_bm_scanbuff(buffer, length, virname, troot, offset, NULL, NULL)) != CL_VIRUS)

 	    ret = cli_ac_scanbuff(buffer, length, virname, NULL, NULL, troot, acdata ? (acdata[0]) : (&mdata), offset, ftype, NULL, AC_SCAN_VIR, NULL);

 	if(!acdata)

@@ -90,7 +90,7 @@ int cli_scanbuff(const unsigned char *buffer, uint32_t length, uint32_t offset,

     if(!acdata && (ret = cli_ac_initdata(&mdata, groot->ac_partsigs, groot->ac_lsigs, groot->ac_reloff_num, CLI_DEFAULT_AC_TRACKLEN)))

 	return ret;

-    if(groot->ac_only || (ret = cli_bm_scanbuff(buffer, length, virname, groot, offset, NULL)) != CL_VIRUS)

+    if(groot->ac_only || (ret = cli_bm_scanbuff(buffer, length, virname, groot, offset, NULL, NULL)) != CL_VIRUS)

 	ret = cli_ac_scanbuff(buffer, length, virname, NULL, NULL, groot, acdata ? (acdata[1]) : (&mdata), offset, ftype, NULL, AC_SCAN_VIR, NULL);

     if(!acdata)

@@ -199,7 +199,9 @@ int cli_caloff(const char *offstr, struct cli_target_info *info, struct F_MAP *m

     } else {

 	/* calculate relative offsets */

 	if(info->status == -1) {

-	    *offset_min = *offset_max = 0;

+	    *offset_min = CLI_OFF_NONE;

+	    if(offset_max)

+		*offset_max = CLI_OFF_NONE;

 	    return CL_SUCCESS;

 	}

@@ -222,7 +224,9 @@ int cli_caloff(const char *offstr, struct cli_target_info *info, struct F_MAP *m

 	    if(einfo(map, &info->exeinfo)) {

 		/* einfo *may* fail */

 		info->status = -1;

-		*offset_min = *offset_max = 0;

+		*offset_min = CLI_OFF_NONE;

+		if(offset_max)

+		    *offset_max = CLI_OFF_NONE;

 		return CL_SUCCESS;

 	    }

 	    info->status = 1;

@@ -247,7 +251,7 @@ int cli_caloff(const char *offstr, struct cli_target_info *info, struct F_MAP *m

 	    case CLI_OFF_SX_PLUS:

 		if(offdata[3] >= info->exeinfo.nsections)

-		    *offset_min = 0;

+		    *offset_min = CLI_OFF_NONE;

 		else

 		    *offset_min = info->exeinfo.section[offdata[3]].raw + offdata[1];

 		break;

@@ -257,9 +261,7 @@ int cli_caloff(const char *offstr, struct cli_target_info *info, struct F_MAP *m

 		return CL_EARG;

 	}

-	if(!*offset_min)

-	    *offset_max = 0;

-	else

+	if(offset_max && *offset_min != CLI_OFF_NONE)

 	    *offset_max = *offset_min + offdata[2];

     }

@@ -287,7 +289,7 @@ int cli_checkfp(int fd, cli_ctx *ctx)

 	    return 0;

 	}

-	if(cli_bm_scanbuff(digest, 16, &virname, ctx->engine->md5_fp, 0, NULL) == CL_VIRUS) {

+	if(cli_bm_scanbuff(digest, 16, &virname, ctx->engine->md5_fp, 0, NULL, NULL) == CL_VIRUS) {

 	    cli_dbgmsg("cli_checkfp(): Found false positive detection (fp sig: %s)\n", virname);

 	    free(digest);

 	    lseek(fd, pos, SEEK_SET);

@@ -318,10 +320,11 @@ int cli_fmap_scandesc(cli_ctx *ctx, cli_file_t ftype, uint8_t ftonly, struct cli

 {

  	unsigned char *buff;

 	int ret = CL_CLEAN, type = CL_CLEAN, bytes;

-	unsigned int i, evalcnt;

+	unsigned int i, evalcnt, bm_offmode = 0;

 	uint32_t maxpatlen, offset = 0;

 	uint64_t evalids;

 	struct cli_ac_data gdata, tdata;

+	struct cli_bm_off toff;

 	cli_md5_ctx md5ctx;

 	unsigned char digest[16];

 	struct cli_matcher *groot = NULL, *troot = NULL;

@@ -366,6 +369,17 @@ int cli_fmap_scandesc(cli_ctx *ctx, cli_file_t ftype, uint8_t ftonly, struct cli

 		cli_ac_freedata(&gdata);

 	    return ret;

 	}

+	if(troot->bm_offmode) {

+	    if(map->len >= CLI_DEFAULT_BM_OFFMODE_FSIZE) {

+		if((ret = cli_bm_initoff(troot, &toff, map))) {

+		    if(!ftonly)

+			cli_ac_freedata(&gdata);

+		    cli_ac_freedata(&tdata);

+		    return ret;

+		}

+		bm_offmode = 1;

+	    }

+	}

     }

     if(!ftonly && ctx->engine->md5_hdb)

@@ -380,13 +394,14 @@ int cli_fmap_scandesc(cli_ctx *ctx, cli_file_t ftype, uint8_t ftonly, struct cli

 	    *ctx->scanned += bytes / CL_COUNT_PRECISION;

 	if(troot) {

-	    if(troot->ac_only || (ret = cli_bm_scanbuff(buff, bytes, ctx->virname, troot, offset, map)) != CL_VIRUS)

+	    if(troot->ac_only || (ret = cli_bm_scanbuff(buff, bytes, ctx->virname, troot, offset, map, bm_offmode ? &toff : NULL)) != CL_VIRUS)

 		ret = cli_ac_scanbuff(buff, bytes, ctx->virname, NULL, NULL, troot, &tdata, offset, ftype, ftoffset, acmode, NULL);

-

 	    if(ret == CL_VIRUS) {

 		if(!ftonly)

 		    cli_ac_freedata(&gdata);

 		cli_ac_freedata(&tdata);

+		if(bm_offmode)

+		    cli_bm_freeoff(&toff);

 		if(cli_checkfp(map->fd, ctx))

 		    return CL_CLEAN;

@@ -396,13 +411,15 @@ int cli_fmap_scandesc(cli_ctx *ctx, cli_file_t ftype, uint8_t ftonly, struct cli

 	}

 	if(!ftonly) {

-	    if(groot->ac_only || (ret = cli_bm_scanbuff(buff, bytes, ctx->virname, groot, offset, map)) != CL_VIRUS)

+	    if(groot->ac_only || (ret = cli_bm_scanbuff(buff, bytes, ctx->virname, groot, offset, map, NULL)) != CL_VIRUS)

 		ret = cli_ac_scanbuff(buff, bytes, ctx->virname, NULL, NULL, groot, &gdata, offset, ftype, ftoffset, acmode, NULL);

-

 	    if(ret == CL_VIRUS) {

 		cli_ac_freedata(&gdata);

-		if(troot)

+		if(troot) {

 		    cli_ac_freedata(&tdata);

+		    if(bm_offmode)

+			cli_bm_freeoff(&toff);

+		}

 		if(cli_checkfp(map->fd, ctx))

 		    return CL_CLEAN;

 		else

@@ -433,6 +450,8 @@ int cli_fmap_scandesc(cli_ctx *ctx, cli_file_t ftype, uint8_t ftonly, struct cli

 	    }

 	}

 	cli_ac_freedata(&tdata);

+	if(bm_offmode)

+	    cli_bm_freeoff(&toff);

     }

     if(groot) {

@@ -459,7 +478,7 @@ int cli_fmap_scandesc(cli_ctx *ctx, cli_file_t ftype, uint8_t ftonly, struct cli

     if(!ftonly && ctx->engine->md5_hdb) {

 	cli_md5_final(digest, &md5ctx);

-	if(cli_bm_scanbuff(digest, 16, ctx->virname, ctx->engine->md5_hdb, 0, NULL) == CL_VIRUS && (cli_bm_scanbuff(digest, 16, NULL, ctx->engine->md5_fp, 0, NULL) != CL_VIRUS))

+	if(cli_bm_scanbuff(digest, 16, ctx->virname, ctx->engine->md5_hdb, 0, NULL, NULL) == CL_VIRUS && (cli_bm_scanbuff(digest, 16, NULL, ctx->engine->md5_fp, 0, NULL, NULL) != CL_VIRUS))

 	    return CL_VIRUS;

     }

@@ -73,10 +73,10 @@ struct cli_matcher {

     /* Extended Boyer-Moore */

     uint8_t *bm_shift;

-    struct cli_bm_patt **bm_suffix;

+    struct cli_bm_patt **bm_suffix, **bm_pattab;

     struct cli_hashset md5_sizes_hs;

     uint32_t *soff, soff_len; /* for PE section sigs */

-    uint32_t bm_patterns, bm_reloff_num, bm_absoff_num;

+    uint32_t bm_offmode, bm_patterns, bm_reloff_num, bm_absoff_num;

     /* Extended Aho-Corasick */

     uint32_t ac_partsigs, ac_nodes, ac_patterns, ac_lsigs;

@@ -900,9 +900,8 @@ int cli_scanpe(cli_ctx *ctx)

 		for(j = 0; j < md5_sect->soff_len && md5_sect->soff[j] <= exe_sections[i].rsz; j++) {

 		    if(md5_sect->soff[j] == exe_sections[i].rsz) {

 			unsigned char md5_dig[16];

-			if(cli_md5sect(map, &exe_sections[i], md5_dig) && cli_bm_scanbuff(md5_dig, 16, ctx->virname, ctx->engine->md5_mdb, 0, NULL) == CL_VIRUS) {

-			    if(cli_bm_scanbuff(md5_dig, 16, NULL, ctx->engine->md5_fp, 0, NULL) != CL_VIRUS) {

-

+			if(cli_md5sect(map, &exe_sections[i], md5_dig) && cli_bm_scanbuff(md5_dig, 16, ctx->virname, ctx->engine->md5_mdb, 0, NULL, NULL) == CL_VIRUS) {

+			    if(cli_bm_scanbuff(md5_dig, 16, NULL, ctx->engine->md5_fp, 0, NULL, NULL) != CL_VIRUS) {

 				free(section_hdr);

 				free(exe_sections);

 				return cli_checkfp(map->fd, ctx) ? CL_CLEAN : CL_VIRUS;

@@ -1198,13 +1198,13 @@ static int hash_match(const struct regex_matcher *rlist, const char *host, size_

 	    h[64]='\0';

 	    cli_dbgmsg("Looking up hash %s for %s(%u)%s(%u)\n", h, host, (unsigned)hlen, path, (unsigned)plen);

 	    if (prefix_matched) {

-		if (cli_bm_scanbuff(sha256_dig, 4, &virname, &rlist->hostkey_prefix,0,NULL) == CL_VIRUS) {

+		if (cli_bm_scanbuff(sha256_dig, 4, &virname, &rlist->hostkey_prefix,0,NULL,NULL) == CL_VIRUS) {

 		    cli_dbgmsg("prefix matched\n");

 		    *prefix_matched = 1;

 		} else

 		    return CL_SUCCESS;

 	    }

-	    if (cli_bm_scanbuff(sha256_dig, 32, &virname, &rlist->sha256_hashes,0,NULL) == CL_VIRUS) {

+	    if (cli_bm_scanbuff(sha256_dig, 32, &virname, &rlist->sha256_hashes,0,NULL,NULL) == CL_VIRUS) {

 		cli_dbgmsg("This hash matched: %s\n", h);

 		switch(*virname) {

 		    case 'W':

@@ -246,7 +246,7 @@ int cli_parse_add(struct cli_matcher *root, const char *virname, const char *hex

 	    free(pt);

 	}

-    } else if(root->ac_only || type || lsigid /* || (hexlen / 2 < CLI_DEFAULT_MOVETOAC_LEN) FIXME: unit tests */ ||  strpbrk(hexsig, "?(")) {

+    } else if(root->ac_only || type || lsigid || strpbrk(hexsig, "?(") || (root->bm_offmode && (!strcmp(offset, "*") || strchr(offset, ',')))) {

 	if((ret = cli_ac_addsig(root, virname, hexsig, 0, 0, 0, rtype, type, 0, 0, offset, lsigid, options))) {

 	    cli_errmsg("cli_parse_add(): Problem adding signature (3).\n");

 	    return ret;

@@ -322,7 +322,7 @@ static int cli_initroots(struct cl_engine *engine, unsigned int options)

 	    }

 	}

     }

-

+    engine->root[1]->bm_offmode = 1; /* BM offset mode for PE files */

     return CL_SUCCESS;

 }

@@ -455,7 +455,7 @@ static int add_hash(struct regex_matcher *matcher, char* pattern, const char fl,

 	if (fl != 'W' && pat->length == 32 &&

 	    cli_hashset_contains(&matcher->sha256_pfx_set, cli_readint32(pat->pattern)) &&

-	    cli_bm_scanbuff(pat->pattern, 32, &vname, &matcher->sha256_hashes,0,NULL) == CL_VIRUS) {

+	    cli_bm_scanbuff(pat->pattern, 32, &vname, &matcher->sha256_hashes,0,NULL,NULL) == CL_VIRUS) {

 	    if (*vname == 'W') {

 		/* hash is whitelisted in local.gdb */

 		cli_dbgmsg("Skipping hash %s\n", pattern);

@@ -116,7 +116,7 @@ START_TEST (test_bm_scanbuff) {

     ret = cli_parse_add(root, "Sig3", "babedead", 0, 0, "*", 0, NULL, 0);

     fail_unless(ret == CL_SUCCESS, "cli_parse_add() failed");

-    ret = cli_bm_scanbuff("blah\xde\xad\xbe\xef", 12, &virname, root, 0, -1);

+    ret = cli_bm_scanbuff("blah\xde\xad\xbe\xef", 12, &virname, root, 0, -1,NULL);

     fail_unless(ret == CL_VIRUS, "cli_bm_scanbuff() failed");

     fail_unless(!strncmp(virname, "Sig2", 4), "Incorrect signature matched in cli_bm_scanbuff()\n");

     cli_bm_free(root);