@@ -578,7 +578,9 @@ libclamav_la_SOURCES = \

 	hwp.c \

 	hwp.h \

 	lzw/lzwdec.c \

-	lzw/lzwdec.h

+	lzw/lzwdec.h \

+	matcher-byte-comp.c \

+	matcher-byte-comp.h

 if ENABLE_YARA

 libclamav_la_SOURCES += yara_arena.c \

@@ -303,8 +303,9 @@ am__libclamav_la_SOURCES_DIST = matcher-ac.c matcher-ac.h matcher-bm.c \

 	msdoc.h matcher-pcre.c matcher-pcre.h regex_pcre.c \

 	regex_pcre.h msxml.c msxml.h msxml_parser.c msxml_parser.h \

 	tiff.c tiff.h hwp.c hwp.h lzw/lzwdec.c lzw/lzwdec.h \

-	yara_arena.c yara_arena.h yara_compiler.c yara_compiler.h \

-	yara_exec.c yara_exec.h yara_hash.c yara_hash.h yara_grammar.y \

+	matcher-byte-comp.c matcher-byte-comp.h yara_arena.c \

+	yara_arena.h yara_compiler.c yara_compiler.h yara_exec.c \

+	yara_exec.h yara_hash.c yara_hash.h yara_grammar.y \

 	yara_lexer.l yara_lexer.h yara_parser.c yara_parser.h \

 	yara_clam.h bignum.h bignum_fast.h \

 	tomsfastmath/addsub/fp_add.c tomsfastmath/addsub/fp_add_d.c \

@@ -445,7 +446,8 @@ am_libclamav_la_OBJECTS = libclamav_la-matcher-ac.lo \

 	libclamav_la-msdoc.lo libclamav_la-matcher-pcre.lo \

 	libclamav_la-regex_pcre.lo libclamav_la-msxml.lo \

 	libclamav_la-msxml_parser.lo libclamav_la-tiff.lo \

-	libclamav_la-hwp.lo libclamav_la-lzwdec.lo $(am__objects_1) \

+	libclamav_la-hwp.lo libclamav_la-lzwdec.lo \

+	libclamav_la-matcher-byte-comp.lo $(am__objects_1) \

 	libclamav_la-fp_add.lo libclamav_la-fp_add_d.lo \

 	libclamav_la-fp_addmod.lo libclamav_la-fp_cmp.lo \

 	libclamav_la-fp_cmp_d.lo libclamav_la-fp_cmp_mag.lo \

@@ -1341,7 +1343,8 @@ libclamav_la_SOURCES = matcher-ac.c matcher-ac.h matcher-bm.c \

 	openioc.h msdoc.c msdoc.h matcher-pcre.c matcher-pcre.h \

 	regex_pcre.c regex_pcre.h msxml.c msxml.h msxml_parser.c \

 	msxml_parser.h tiff.c tiff.h hwp.c hwp.h lzw/lzwdec.c \

-	lzw/lzwdec.h $(am__append_9) bignum.h bignum_fast.h \

+	lzw/lzwdec.h matcher-byte-comp.c matcher-byte-comp.h \

+	$(am__append_9) bignum.h bignum_fast.h \

 	tomsfastmath/addsub/fp_add.c tomsfastmath/addsub/fp_add_d.c \

 	tomsfastmath/addsub/fp_addmod.c tomsfastmath/addsub/fp_cmp.c \

 	tomsfastmath/addsub/fp_cmp_d.c \

@@ -1702,6 +1705,7 @@ distclean-compile:

 @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/libclamav_la-macho.Plo@am__quote@

 @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/libclamav_la-matcher-ac.Plo@am__quote@

 @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/libclamav_la-matcher-bm.Plo@am__quote@

+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/libclamav_la-matcher-byte-comp.Plo@am__quote@

 @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/libclamav_la-matcher-hash.Plo@am__quote@

 @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/libclamav_la-matcher-pcre.Plo@am__quote@

 @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/libclamav_la-matcher.Plo@am__quote@

@@ -2882,6 +2886,13 @@ libclamav_la-lzwdec.lo: lzw/lzwdec.c

 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@

 @am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(libclamav_la_CFLAGS) $(CFLAGS) -c -o libclamav_la-lzwdec.lo `test -f 'lzw/lzwdec.c' || echo '$(srcdir)/'`lzw/lzwdec.c

+libclamav_la-matcher-byte-comp.lo: matcher-byte-comp.c

+@am__fastdepCC_TRUE@	$(AM_V_CC)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(libclamav_la_CFLAGS) $(CFLAGS) -MT libclamav_la-matcher-byte-comp.lo -MD -MP -MF $(DEPDIR)/libclamav_la-matcher-byte-comp.Tpo -c -o libclamav_la-matcher-byte-comp.lo `test -f 'matcher-byte-comp.c' || echo '$(srcdir)/'`matcher-byte-comp.c

+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/libclamav_la-matcher-byte-comp.Tpo $(DEPDIR)/libclamav_la-matcher-byte-comp.Plo

+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='matcher-byte-comp.c' object='libclamav_la-matcher-byte-comp.lo' libtool=yes @AMDEPBACKSLASH@

+@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@

+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(libclamav_la_CFLAGS) $(CFLAGS) -c -o libclamav_la-matcher-byte-comp.lo `test -f 'matcher-byte-comp.c' || echo '$(srcdir)/'`matcher-byte-comp.c

+

 libclamav_la-yara_arena.lo: yara_arena.c

 @am__fastdepCC_TRUE@	$(AM_V_CC)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(libclamav_la_CFLAGS) $(CFLAGS) -MT libclamav_la-yara_arena.lo -MD -MP -MF $(DEPDIR)/libclamav_la-yara_arena.Tpo -c -o libclamav_la-yara_arena.lo `test -f 'yara_arena.c' || echo '$(srcdir)/'`yara_arena.c

 @am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/libclamav_la-yara_arena.Tpo $(DEPDIR)/libclamav_la-yara_arena.Plo

new file mode 100644

@@ -0,0 +1,524 @@

+/*

+ *  Byte comparison matcher support functions

+ *

+ *  Copyright (C) 2018 Cisco Systems, Inc. and/or its affiliates. All rights reserved.

+ *  All Rights Reserved.

+ *

+ *  Authors: Mickey Sola

+ *

+ *  This program is free software; you can redistribute it and/or modify

+ *  it under the terms of the GNU General Public License version 2 as

+ *  published by the Free Software Foundation.

+ *

+ *  This program is distributed in the hope that it will be useful,

+ *  but WITHOUT ANY WARRANTY; without even the implied warranty of

+ *  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the

+ *  GNU General Public License for more details.

+ *

+ *  You should have received a copy of the GNU General Public License

+ *  along with this program; if not, write to the Free Software

+ *  Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston,

+ *  MA 02110-1301, USA.

+ */

+

+#if HAVE_CONFIG_H

+#include "clamav-config.h"

+#endif

+

+#include "clamav.h"

+#include "cltypes.h"

+#include "others.h"

+#include "matcher.h"

+#include "matcher-ac.h"

+#include "matcher-byte-comp.h"

+#include "mpool.h"

+#include "readdb.h"

+#include "str.h"

+

+/* DEBUGGING */

+//#define MATCHER_BCOMP_DEBUG

+#ifdef MATCHER_BCOMP_DEBUG

+#  define bcm_dbgmsg(...) cli_dbgmsg( __VA_ARGS__)

+#else

+#  define bcm_dbgmsg(...)

+#endif

+#undef MATCHER_BCOMP_DEBUG

+

+/* BCOMP MATCHER FUNCTIONS */

+

+

+/**

+ * @brief function to add the byte compare subsig into the matcher root struct

+ *

+ * @param root the matcher root struct in question, houses all relevant lsig and subsig info

+ * @param virname virusname as given by the signature

+ * @param hexsig the raw sub signature buffer itself which we will be checking/parsing

+ * @param lsigid the numeric internal reference number which can be used to access this lsig in the root struct

+ * @param options additional options for pattern matching, stored as a bitmask

+ *

+ */

+int cli_bcomp_addpatt(struct cli_matcher *root, const char *virname, const char *hexsig, const char *offset, const uint32_t *lsigid, unsigned int options) {

+

+    if (!hexsig || !(*hexsig) || !root)

+        return CL_ENULLARG;

+

+    size_t len = 0;

+    const char *buf_start = NULL;

+    const char *buf_end = NULL;

+    char *buf = NULL;

+    const char *tokens[3];

+    size_t toks = 0;

+    int16_t ref_subsigid = -1;

+    int64_t offset_param = 0;

+    size_t byte_length = 0;

+    uint32_t comp_val = 0;

+    char *hexcpy = NULL;

+

+    /* we'll be using these to help the root matcher struct keep track of each loaded byte compare pattern */

+    struct cli_bcomp_meta **newmetatable; 

+    uint32_t bcomp_count = 0;

+

+    /* zero out our byte compare data struct and tie it to the root struct's mempool instance */

+    struct cli_bcomp_meta *bcomp;

+    bcomp = (struct cli_bcomp_meta *) mpool_calloc(root->mempool, 1, sizeof(*bcomp));

+    if (!bcomp) {

+        cli_errmsg("cli_bcomp_addpatt: Unable to allocate memory for new byte compare meta\n");

+        return CL_EMEM;

+    }

+

+    /* allocate virname space with the root structure's mempool instance */

+    bcomp->virname = (char *) cli_mpool_virname(root->mempool, virname, options & CL_DB_OFFICIAL);

+    if(!bcomp->virname) {

+        cli_errmsg("cli_bcomp_addpatt: Unable to allocate memory for virname or NULL virname\n");

+        cli_bcomp_freemeta(root, bcomp);

+        return CL_EMEM;

+    }

+

+    /* bring along the standard lsigid vector, first param marks validity of vector, 2nd is lsigid, 3rd is subsigid */

+    if (lsigid) {

+        root->ac_lsigtable[lsigid[0]]->virname = bcomp->virname;

+

+        bcomp->lsigid[0] = 1;

+        bcomp->lsigid[1] = lsigid[0];

+        bcomp->lsigid[2] = lsigid[1];

+    }

+    else {

+        /* sigtool */

+        bcomp->lsigid[0] = 0;

+    }

+

+    /* first need to grab the subsig reference, we'll use this later to determine our offset */

+    buf_start = hexsig;

+    buf_end = hexsig;

+

+    ref_subsigid = strtol(buf_start, (char**) &buf_end, 10);

+    if (buf_end && buf_end[0] != '(') {

+        cli_errmsg("cli_bcomp_addpatt: while byte compare subsig parsing, reference subsig id was invalid or included non-decimal character\n");

+        cli_bcomp_freemeta(root, bcomp);

+        return CL_EMALFDB;

+    }

+

+    bcomp->ref_subsigid = ref_subsigid;

+

+    /* use the passed hexsig buffer to find the start and ending parens and store the param length (minus starting paren) */

+    buf_start = buf_end;

+    if (buf_start[0] == '(') {

+        if (buf_end = strchr(buf_start, ')')) {

+            len = (size_t) (buf_end - ++buf_start);

+        }

+        else {

+            cli_errmsg("cli_bcomp_addpatt: ending paren not found\n");

+            cli_bcomp_freemeta(root, bcomp);

+            return CL_EMALFDB;

+        }

+    }

+    else {

+            cli_errmsg("cli_bcomp_addpatt: opening paren not found\n");

+            cli_bcomp_freemeta(root, bcomp);

+            return CL_EMALFDB;

+    }

+

+    /* make a working copy of the param buffer */

+    buf = cli_strndup(buf_start, len);

+

+    /* break up the new param buffer into its component strings and verify we have exactly 3 */

+    toks = cli_strtokenize(buf, '#', 3+1, tokens);

+    if (3 != toks) {

+        cli_errmsg("cli_bcomp_addpatt: %zu (or more) params provided, 3 expected\n", toks);

+        free(buf);

+        cli_bcomp_freemeta(root, bcomp);

+        return CL_EMALFDB;

+    }

+

+    /* since null termination is super guaranteed thanks to strndup and cli_strokenize, we can use strtol to grab the

+     * offset params. this has the added benefit of letting us parse hex values too */

+    buf_end = NULL;

+    buf_start = tokens[0];

+    switch (buf_start[0]) {

+        case '<':

+            if ((++buf_start)[0]  == '<') {

+                offset_param = strtol(++buf_start, (char**) &buf_end, 0);

+                if (buf_end && buf_end+1 != tokens[1]) {

+                    cli_errmsg("cli_bcomp_addpatt: while parsing (%s#%s#%s), offset parameter included invalid characters\n", tokens[0], tokens[1], tokens[2]);

+                    free(buf);

+                    cli_bcomp_freemeta(root, bcomp);

+                    return CL_EMALFDB;

+                }

+                /* two's-complement for negative value */

+                offset_param = (~offset_param) + 1;

+

+             } else {

+                    cli_errmsg("cli_bcomp_addpatt: while parsing (%s#%s#%s), shift operator not valid\n", tokens[0], tokens[1], tokens[2]);

+                    free(buf);

+                    cli_bcomp_freemeta(root, bcomp);

+                    return CL_EMALFDB;

+             }

+            break;

+

+        case '>':

+            if ((++buf_start)[0]  == '>') {

+                offset_param = strtol(buf_start, (char**) &buf_end, 0);

+                if (buf_end && buf_end+1 != tokens[1]) {

+                    cli_errmsg("cli_bcomp_addpatt: while parsing (%s#%s#%s), offset parameter included invalid characters\n", tokens[0], tokens[1], tokens[2]);

+                    free(buf);

+                    cli_bcomp_freemeta(root, bcomp);

+                    return CL_EMALFDB;

+                }

+                break;

+            } else {

+                    cli_errmsg("cli_bcomp_addpatt: while parsing (%s#%s#%s), shift operator and/or offset not valid\n", tokens[0], tokens[1], tokens[2]);

+                    free(buf);

+                    cli_bcomp_freemeta(root, bcomp);

+                    return CL_EMALFDB;

+            }

+        case '0':

+        case '\0':

+            offset_param = 0;

+            break;

+

+        default:

+            cli_errmsg("cli_bcomp_addpatt: while parsing (%s#%s#%s), shift operator included invalid characters\n", tokens[0], tokens[1], tokens[2]);

+            free(buf);

+            cli_bcomp_freemeta(root, bcomp);

+            return CL_EMALFDB;

+    }

+

+    bcomp->offset = offset_param;

+

+    /* the byte length indicator options are stored in a bitmask--by design each option gets its own nibble */

+    buf_start = tokens[1];

+

+    switch (*buf_start) {

+        case 'h': bcomp->options |= CLI_BCOMP_HEX;    break;

+        case 'd': bcomp->options |= CLI_BCOMP_DEC;    break;

+

+        default:

+            cli_errmsg("cli_bcomp_addpatt: while parsing (%s#%s#%s), hex/decimal byte length indicator was found invalid\n", tokens[0], tokens[1], tokens[2]);

+            free(buf);

+            cli_bcomp_freemeta(root, bcomp);

+            return CL_EMALFDB;

+    }

+

+    buf_start++;

+    switch (*buf_start) {

+        case 'l': bcomp->options |= CLI_BCOMP_LE;    break;

+        case 'b': bcomp->options |= CLI_BCOMP_BE;    break;

+

+        default:

+            cli_errmsg("cli_bcomp_addpatt: while parsing (%s#%s#%s), little/big endian byte length indicator was invalid\n", tokens[0], tokens[1], tokens[2]);

+            free(buf);

+            cli_bcomp_freemeta(root, bcomp);

+            return CL_EMALFDB;

+    }

+

+    /* parse out the byte length parameter */

+    buf_start++;

+    buf_end = NULL;

+    byte_length = strtol(buf_start, (char **) &buf_end, 0);

+    if (buf_end && buf_end+1 != tokens[2]) {

+        cli_errmsg("cli_bcomp_addpatt: while parsing (%s#%s#%s), byte length parameter included invalid characters\n", tokens[0], tokens[1], tokens[3]);

+        free(buf);

+        cli_bcomp_freemeta(root, bcomp);

+        return CL_EMALFDB;

+    }

+

+    bcomp->byte_len = byte_length;

+

+    /* currectly only >, <, and = are supported comparison symbols--this makes parsing very simple */

+    buf_start = tokens[2];

+    switch (*buf_start) {

+        case '<':

+        case '>':

+        case '=':

+            bcomp->comp_symbol = *buf_start;    break;

+

+        default:

+            cli_errmsg("cli_bcomp_addpatt: while parsing (%s#%s#%s), byte comparison symbol was invalid (>, <, = are supported operators)\n", tokens[0], tokens[1], tokens[2]);

+            free(buf);

+            cli_bcomp_freemeta(root, bcomp);

+            return CL_EMALFDB;

+    }

+

+

+    /* no more tokens after this, so we take advantage of strtol and check if the buf_end is null terminated or not */

+    buf_start++;

+    buf_end = NULL;

+    comp_val = strtol(buf_start, (char **) &buf_end, 0);

+    if (*buf_end) {

+        cli_errmsg("cli_bcomp_addpatt: while parsing (%s#%s#%s), comparison value contained invalid input\n", tokens[0], tokens[1], tokens[2]);

+        free(buf);

+        cli_bcomp_freemeta(root, bcomp);

+        return CL_EMALFDB;

+    }

+

+    bcomp->comp_value = comp_val;

+

+    /* manually verify successful pattern parsing */

+    bcm_dbgmsg("Matcher Byte Compare: (%s%ld#%c%c%zu#%c%d)\n",

+                    bcomp->offset ==  0 ? "" : 

+                    (bcomp->offset < 0 ? "<<" : ">>"),

+                    bcomp->offset,

+                    bcomp->options & CLI_BCOMP_HEX ? 'h' : 'd',

+                    bcomp->options & CLI_BCOMP_LE ? 'l' : 'b',

+                    bcomp->byte_len,

+                    bcomp->comp_symbol,

+                    bcomp->comp_value);

+

+    /* add byte compare info to the root after reallocation */

+    bcomp_count = root->bcomp_metas+1;

+

+    /* allocate space for new meta table to store in root structure and increment number of byte compare patterns added */

+    newmetatable = (struct cli_bcomp_meta **) mpool_realloc(root->mempool, root->bcomp_metatable, bcomp_count * sizeof(struct cli_bcomp_meta *));

+    if(!newmetatable) {

+        cli_errmsg("cli_bcomp_addpatt: Unable to allocate memory for new bcomp meta table\n");

+        cli_bcomp_freemeta(root, bcomp);

+        return CL_EMEM;

+    }

+

+    newmetatable[bcomp_count-1] = bcomp;

+    root->bcomp_metatable = newmetatable;

+

+    root->bcomp_metas = bcomp_count;

+

+    /* if everything went well bcomp has been totally populated, which means we can cleanup and exit */

+    free(buf);

+    return CL_SUCCESS;

+}

+

+/**

+ * @brief function to perform all byte compare matching on the file buffer

+ *

+ * @param map the file map to perform logical byte comparison upon

+ * @param res the result structure, primarily used by sigtool

+ * @param root the root structure in which all byte compare lsig and subsig information is stored

+ * @param mdata the ac data struct which contains offset information from recent subsig matches

+ * @param ctx the clamav context struct

+ *

+ */

+int cli_bcomp_scanbuf(fmap_t *map, const char **virname, struct cli_ac_result **res, const struct cli_matcher *root, struct cli_ac_data *mdata, cli_ctx *ctx) {

+

+    int64_t i = 0, rc = 0, ret = CL_SUCCESS;

+    uint32_t lsigid, ref_subsigid;

+    uint32_t offset = 0;

+    uint8_t viruses_found = 0;

+    struct cli_bcomp_meta *bcomp = NULL;

+

+    if (!(root) || !(root->bcomp_metas) || !(root->bcomp_metatable) || !(mdata) || !(mdata->offmatrix) || !(ctx)) {

+        return CL_SUCCESS;

+    }

+

+    for(i = 0; i < root->bcomp_metas; i++) {

+

+        bcomp = root->bcomp_metatable[i];

+        lsigid = bcomp->lsigid[1];

+        ref_subsigid = bcomp->ref_subsigid;

+

+        /* ensures the referenced subsig matches as expected, and also ensures mdata has the needed offset */

+        if (ret = lsig_sub_matched(root, mdata, lsigid, ref_subsigid, CLI_OFF_NONE, 0)) {

+            continue;

+        }

+

+        /* grab the needed offset using from the last matched subsig offset matrix, i.e. the match performed above */

+        if (mdata->lsigsuboff_last[lsigid]) {

+            offset = mdata->lsigsuboff_last[lsigid][ref_subsigid]; 

+        } else {

+            ret = CL_SUCCESS;

+            continue;

+        }

+

+        /* now we have all the pieces of the puzzle, so lets do our byte compare check */

+        ret = cli_bcmp_compare_check(map, offset, bcomp);

+

+        /* set and append our lsig's virus name if the comparison came back positive */

+        if (CL_VIRUS == ret) {

+            viruses_found = 1;

+

+            if (virname) {

+                *virname = bcomp->virname;

+            }

+            /* if we aren't scanning all, let's just exit here */

+            if (!SCAN_ALL) {

+                break;

+            } else {

+                ret = cli_append_virus(ctx, (const char *)bcomp->virname);

+            }

+        }

+    }

+

+    if (ret == CL_SUCCESS && viruses_found) {

+        return CL_VIRUS;

+    }

+    return ret;

+}

+

+/**

+ * @brief does a numerical, logical byte comparison on a particular offset given a filemapping and the offset

+ *

+ * @param map the file buffer we'll be accessing to do our comparison check

+ * @param offset the offset of the referenced subsig match from the start of the file buffer

+ * @param bm the byte comparison meta data struct, contains all the other info needed to do the comparison

+ *

+ */

+int cli_bcmp_compare_check(fmap_t *map, int offset, struct cli_bcomp_meta *bm)

+{

+    if (!map || !bm) {

+        bcm_dbgmsg("bcmp_compare_check: a param is null\n");

+        return CL_ENULLARG;

+    }

+

+    const uint32_t byte_len = bm->byte_len;

+    uint32_t length = map->len;

+    const unsigned char *buffer = NULL;

+    unsigned char *conversion_buf = NULL;

+    char opt = (char) bm->options;

+    uint32_t value = 0;

+    const unsigned char* end_buf = NULL;

+

+    /* ensure we won't run off the end of the file buffer */

+    if (bm->offset > 0) {

+        if (!((offset + bm->offset + byte_len <= length))) {

+            bcm_dbgmsg("bcmp_compare_check: %u bytes requested at offset %zu would go past file buffer of %u\n", byte_len, (offset + bm->offset), length);

+            return CL_CLEAN; 

+        }

+    } else {

+        if (!(offset + bm->offset > 0)) {

+            bcm_dbgmsg("bcmp_compare_check: negative offset would underflow buffer\n");

+            return CL_CLEAN; 

+        }

+    }

+

+    /* jump to byte compare offset, then store off specified bytes into a null terminated buffer */

+    offset += bm->offset;

+    buffer = fmap_need_off_once(map, offset, byte_len);

+    bcm_dbgmsg("bcmp_compare_check: literal extracted bytes before comparison (%s)\n", buffer);

+

+    /* handle byte length options to convert the string appropriately */

+    switch(opt) {

+        /*hl*/

+        case CLI_BCOMP_HEX | CLI_BCOMP_LE:

+            value = cli_strntoul(buffer, byte_len, (char**) &end_buf, 16);

+            if (value < 0 || NULL == end_buf || buffer+byte_len != end_buf) {

+                bcm_dbgmsg("bcmp_compare_check: little endian hex conversion unsuccessful\n");

+                return CL_CLEAN;

+            }

+

+            value = le32_to_host(value);

+            break;

+

+        /*hb*/  

+        case CLI_BCOMP_HEX | CLI_BCOMP_BE:

+            value = cli_strntoul(buffer, byte_len, (char**) &end_buf, 16);

+            if (value < 0 || NULL == end_buf || buffer+byte_len != end_buf) {

+

+                bcm_dbgmsg("bcmp_compare_check: big endian hex conversion unsuccessful\n");

+                return CL_CLEAN;

+            }

+

+            value = be32_to_host(value);

+            break;

+

+        /*dl*/

+        case CLI_BCOMP_DEC | CLI_BCOMP_LE:

+            value = cli_strntoul(buffer, byte_len, (char**) &end_buf, 10);

+            if (value < 0 || NULL == end_buf || buffer+byte_len != end_buf) {

+

+                bcm_dbgmsg("bcmp_compare_check: little endian decimal conversion unsuccessful\n");

+                return CL_CLEAN;

+            }

+

+            value = le32_to_host(value);

+            break;

+

+        /*db*/

+        case CLI_BCOMP_DEC | CLI_BCOMP_BE:

+            value = cli_strntoul(buffer, byte_len, (char**) &end_buf, 10);

+            if (value < 0 || NULL == end_buf || buffer+byte_len != end_buf) {

+

+                bcm_dbgmsg("bcmp_compare_check: big endian decimal conversion unsuccessful\n");

+                return CL_CLEAN;

+            }

+

+            value = be32_to_host(value);

+            break;

+

+        default:

+            return CL_ENULLARG;

+    }

+

+    /* do the actual comparison */

+    switch (bm->comp_symbol) {

+

+        case '>':

+            if (value > bm->comp_value) {

+                bcm_dbgmsg("bcmp_compare_check: extracted value (%u) greater than comparison value (%u)\n", value, bm->comp_value);

+                return CL_VIRUS;

+            }

+            break;

+

+        case '<':

+            if (value < bm->comp_value) {

+                bcm_dbgmsg("bcmp_compare_check: extracted value (%u) less than comparison value (%u)\n", value, bm->comp_value);

+                return CL_VIRUS;

+            }

+            break;

+

+        case '=':

+            if (value == bm->comp_value) {

+                bcm_dbgmsg("bcmp_compare_check: extracted value (%u) equal to comparison value (%u)\n", value, bm->comp_value);

+                return CL_VIRUS;

+            }

+            break;

+

+        default:

+            bcm_dbgmsg("bcmp_compare_check: comparison symbol (%c) invalid\n", bm->comp_symbol);

+            return CL_ENULLARG;

+    }

+

+    /* comparison was not successful */

+    bcm_dbgmsg("bcmp_compare_check: extracted value was not %c %u\n", bm->comp_symbol, bm->comp_value);

+    return CL_CLEAN;

+}

+

+/**

+ * @brief cleans up the byte compare data struct

+ *

+ * @param root the root matcher struct whose mempool instance the bcomp struct has been allocated with

+ * @param bm the bcomp struct to be freed

+ *

+ */

+void cli_bcomp_freemeta(struct cli_matcher *root, struct cli_bcomp_meta *bm) {

+

+    if(!bm) {

+        return;

+    }

+    

+    if (bm->virname) {

+        mpool_free(root->mempool, bm->virname);

+        bm->virname = NULL;

+    }

+    

+    mpool_free(root->mempool, bm);

+    bm = NULL;

+

+    return;

+}

new file mode 100644

@@ -0,0 +1,58 @@

+/*

+ *  Support for matcher using byte compare

+ *

+ *  Copyright (C) 2018 Cisco Systems, Inc. and/or its affiliates. All rights reserved.

+ *  All Rights Reserved.

+ *

+ *  Authors: Mickey Sola

+ *

+ *  This program is free software; you can redistribute it and/or modify

+ *  it under the terms of the GNU General Public License version 2 as

+ *  published by the Free Software Foundation.

+ *

+ *  This program is distributed in the hope that it will be useful,

+ *  but WITHOUT ANY WARRANTY; without even the implied warranty of

+ *  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the

+ *  GNU General Public License for more details.

+ *

+ *  You should have received a copy of the GNU General Public License

+ *  along with this program; if not, write to the Free Software

+ *  Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston,

+ *  MA 02110-1301, USA.

+ */

+

+#ifndef __MATCHER_BCOMP_H

+#define __MATCHER_BCOMP_H

+

+#if HAVE_CONFIG_H

+#include "clamav-config.h"

+#endif

+

+#include <sys/types.h>

+

+#include "cltypes.h"

+#include "dconf.h"

+#include "mpool.h"

+

+#define CLI_BCOMP_HEX 0x0001

+#define CLI_BCOMP_DEC 0x0002

+#define CLI_BCOMP_LE  0x0010 

+#define CLI_BCOMP_BE  0x0020

+

+struct cli_bcomp_meta {

+    char *virname;

+    uint16_t ref_subsigid; /* identifies the dependent subsig from which we will do comparisons from */

+    uint32_t lsigid[3];

+    ssize_t offset; /* offset from the referenced subsig, handled at match-time */

+    uint16_t options; /* bitmask */

+    size_t byte_len;

+    char comp_symbol; /* <, >, = are supported */

+    uint32_t comp_value;

+};

+

+int cli_bcomp_addpatt(struct cli_matcher *root, const char *virname, const char* hexsig, const char *offset, const uint32_t *lsigid, unsigned int options);

+int cli_pcre_bcmp_compare_check(fmap_t *map, int offset, struct cli_bcomp_meta *bm);

+void cli_bcomp_freemeta(struct cli_matcher *root, struct cli_bcomp_meta *bm);

+int cli_bcomp_scanbuf(fmap_t *map, const char **virname, struct cli_ac_result **res, const struct cli_matcher *root, struct cli_ac_data *mdata, cli_ctx *ctx);

+

+#endif

@@ -321,15 +321,11 @@ int cli_pcre_addpatt(struct cli_matcher *root, const char *virname, const char *

         /* cli_pcre_addoptions handles pcre specific options */

         while (cli_pcre_addoptions(&(pm->pdata), &opt, 0) != CL_SUCCESS) {

-            /* handle matcher specific options here */

+            /* it will return here to handle any matcher specific options */

             switch (*opt) {

             case 'g':  pm->flags |= CLI_PCRE_GLOBAL;            break;

             case 'r':  pm->flags |= CLI_PCRE_ROLLING;           break;

             case 'e':  pm->flags |= CLI_PCRE_ENCOMPASS;         break;

-            case 'z':  if(CL_SUCCESS == cli_pcre_bcmp_add_opts(&opt, &pm->bcmp_data)) {

-                           pm->flags |= CLI_PCRE_BCOMP;

-                           break;

-                       }

             default:

                 cli_errmsg("cli_pcre_addpatt: unknown/extra pcre option encountered %c\n", *opt);

                 cli_pcre_freemeta(root, pm);

@@ -348,18 +344,6 @@ int cli_pcre_addpatt(struct cli_matcher *root, const char *virname, const char *

         else

             pm_dbgmsg("Matcher:  NONE\n");

-        if (pm->flags && pm->flags & CLI_PCRE_BCOMP) {

-            pm_dbgmsg("Matcher Byte Compare: (%zu#%c%c%zu#%c%d)\n",

-                      pm->bcmp_data.offset,

-                      pm->bcmp_data.options & CLI_PCRE_BCOMP_HEX ? 'h' : 'd',

-                      pm->bcmp_data.options & CLI_PCRE_BCOMP_LE ? 'l' : 'b',

-                      pm->bcmp_data.byte_len,

-                      pm->bcmp_data.comp_symbol,

-                      pm->bcmp_data.comp_value);

-        }

-        else

-            pm_dbgmsg("Matcher Byte Compare:  NONE\n");

-

         if (pm->pdata.options) {

 #if USING_PCRE2

             pm_dbgmsg("Compiler: %s%s%s%s%s%s%s\n",

@@ -410,125 +394,6 @@ int cli_pcre_addpatt(struct cli_matcher *root, const char *virname, const char *

     return CL_SUCCESS;

 }

-int cli_pcre_bcmp_add_opts(const char **opt, struct cli_pcre_bcomp *bcomp) {

-

-    if (!opt || !(*opt) || !bcomp)

-        return CL_ENULLARG;

-

-    size_t len = 0;

-    const char *buf_start = ++(*opt);

-    const char *buf_end = NULL;

-    char *buf = NULL;

-    const char *tokens[3];

-    size_t toks = 0;

-    uint64_t offset_param = 0;

-    size_t byte_length = 0;

-    uint32_t comp_val = 0;

-

-    memset(bcomp, 0, sizeof(struct cli_pcre_bcomp));

-

-

-

-    if (**opt == '(') {

-        if (buf_end = strchr(buf_start, ')')) {

-            len = (size_t) (buf_end - ++buf_start);

-        }

-        else {

-            cli_errmsg("cli_pcre_addbytecomp: ending paren not found\n");

-            return CL_EMALFDB;

-        }

-    }

-    else {

-            cli_errmsg("cli_pcre_addbytecomp: opening paren not found\n");

-            return CL_EMALFDB;

-    }

-

-    buf = cli_strndup(buf_start, len);

-    pm_dbgmsg("buf: %s\n", buf);

-    *opt += len+1;

-    pm_dbgmsg("opt_pos: %c\n", **opt);

-

-    toks = cli_strtokenize(buf, '#', 3+1, tokens);

-    if (3 != toks) {

-        cli_errmsg("cli_pcre_addbytecomp: %zu params provided, 3 expected\n", toks);

-        free(buf);

-        return CL_EMALFDB;

-    }

-

-    buf_end = NULL;

-    offset_param = strtol(tokens[0], (char**) &buf_end, 0);

-    if (buf_end && buf_end+1 != tokens[1]) {

-        cli_errmsg("cli_pcre_addbytecomp: while parsing (%s#%s#%s), offset parameter included invalid characters\n", tokens[0], tokens[1], tokens[2]);

-        free(buf);

-        return CL_EMALFDB;

-    }

-

-    bcomp->offset = offset_param;

-

-    buf_start = tokens[1];

-

-    switch (*buf_start) {

-        case 'h': bcomp->options |= CLI_PCRE_BCOMP_HEX;    break;

-        case 'd': bcomp->options |= CLI_PCRE_BCOMP_DEC;    break;

-

-        default:

-            cli_errmsg("cli_pcre_addbytecomp: while parsing (%s#%s#%s), hex/decimal byte length indicator was found invalid\n", tokens[0], tokens[1], tokens[2]);

-            free(buf);

-            return CL_EMALFDB;

-    }

-

-

-    buf_start++;

-    switch (*buf_start) {

-        case 'l': bcomp->options |= CLI_PCRE_BCOMP_LE;    break;

-        case 'b': bcomp->options |= CLI_PCRE_BCOMP_BE;    break;

-

-        default:

-            cli_errmsg("cli_pcre_addbytecomp: while parsing (%s#%s#%s), little/big endian byte length indicator was invalid\n", tokens[0], tokens[1], tokens[2]);

-            free(buf);

-            return CL_EMALFDB;

-    }

-

-    buf_start++;

-    buf_end = NULL;

-    byte_length = strtol(buf_start, (char **) &buf_end, 0);

-    if (buf_end && buf_end+1 != tokens[2]) {

-        cli_errmsg("cli_pcre_addbytecomp: while parsing (%s#%s#%s), byte length parameter included invalid characters\n", tokens[0], tokens[1], tokens[3]);

-        free(buf);

-        return CL_EMALFDB;

-    }

-

-    bcomp->byte_len = byte_length;

-

-    buf_start = tokens[2];

-    pm_dbgmsg("tokens2: %c\n", *tokens[2]);

-    switch (*buf_start) {

-        case '<':

-        case '>':

-        case '=':

-            bcomp->comp_symbol = *buf_start;    break;

-

-        default:

-            cli_errmsg("cli_pcre_addbytecomp: while parsing (%s#%s#%s), byte comparison symbol was invalid (>, <, = are supported operators)\n", tokens[0], tokens[1], tokens[2]);

-            free(buf);

-            return CL_EMALFDB;

-    }

-

-    buf_start++;

-    buf_end = NULL;

-    comp_val = strtol(buf_start, (char **) &buf_end, 0);

-    if (*buf_end) {

-        cli_errmsg("cli_pcre_addbytecomp: while parsing (%s#%s#%s), comparison value contained invalid input\n", tokens[0], tokens[1], tokens[2]);

-        free(buf);

-        return CL_EMALFDB;

-    }

-

-    bcomp->comp_value = comp_val;

-

-    free(buf);

-    return CL_SUCCESS;

-}

-

 int cli_pcre_build(struct cli_matcher *root, long long unsigned match_limit, long long unsigned recmatch_limit, const struct cli_dconf *dconf)

 {

     unsigned int i;

@@ -738,6 +603,7 @@ int cli_pcre_scanbuf(const unsigned char *buffer, uint32_t length, const char **

     memset(&p_res, 0, sizeof(p_res));

     for (i = 0; i < root->pcre_metas; ++i) {

+

         pm = root->pcre_metatable[i];

         pd = &(pm->pdata);

@@ -852,13 +718,15 @@ int cli_pcre_scanbuf(const unsigned char *buffer, uint32_t length, const char **

                 cli_event_count(p_sigevents, pm->sigmatch_id);

                 /* for logical signature evaluation */

+

                 if (pm->lsigid[0]) {

                     pm_dbgmsg("cli_pcre_scanbuf: assigning lsigcnt[%d][%d], located @ %d\n",

                               pm->lsigid[1], pm->lsigid[2], adjbuffer+p_res.match[0]);

                     ret = lsig_sub_matched(root, mdata, pm->lsigid[1], pm->lsigid[2], adjbuffer+p_res.match[0], 0);

-                    if (ret != CL_SUCCESS)

-                        break;

+                    if (ret != CL_SUCCESS) {

+                            break;

+                    }

                 } else {

                     /* for raw match data - sigtool only */

                     if(res) {

@@ -890,23 +758,18 @@ int cli_pcre_scanbuf(const unsigned char *buffer, uint32_t length, const char **

             /* move off to the end of the match for next match; offset is relative to adjbuffer

              * NOTE: misses matches starting within the last match; TODO: start from start of last match? */

             offset = p_res.match[1];

-            

-            if(pm->flags & CLI_PCRE_BCOMP) {

-                ret = cli_pcre_bcmp_compare_check(buffer, length, offset, pm);

-                if (ret != CL_SUCCESS) {

-                    break;

-                }

-            }

         } while (global && rc > 0 && offset < adjlength);

         /* handle error code */

-        if (rc < 0 && p_res.err != CL_SUCCESS)

+        if (rc < 0 && p_res.err != CL_SUCCESS) {

             ret = p_res.err;

+        }

         /* jumps out of main loop from 'global' loop */

-        if (ret != CL_SUCCESS)

+        if (ret != CL_SUCCESS) {

             break;

+        }

     }

     /* free match results */

@@ -917,97 +780,6 @@ int cli_pcre_scanbuf(const unsigned char *buffer, uint32_t length, const char **

     return ret;

 }

-int cli_pcre_bcmp_compare_check(const unsigned char *buffer, uint32_t length, int offset, struct cli_pcre_meta *pm)

-{

-    if (!buffer || !pm) {

-        return CL_ENULLARG;

-    }

-

-    const uint32_t byte_len = pm->bcmp_data.byte_len;

-    unsigned char* conversion_buf[byte_len+1];

-    char opt = (char) pm->bcmp_data.options;