@@ -446,6 +446,8 @@ libclamav_la_SOURCES = \

 	yara_grammar.y \

 	yara_lexer.l \

 	yara_lexer.h \

+	yara_parser.c \

+	yara_parser.h \

 	yara_clam.h

 libclamav_la_SOURCES += bignum.h\

@@ -240,13 +240,13 @@ am_libclamav_la_OBJECTS = libclamav_la-matcher-ac.lo \

 	libclamav_la-www.lo libclamav_la-stats_json.lo \

 	libclamav_la-hostid.lo libclamav_la-openioc.lo \

 	libclamav_la-yara_grammar.lo libclamav_la-yara_lexer.lo \

-	libclamav_la-fp_add.lo libclamav_la-fp_add_d.lo \

-	libclamav_la-fp_addmod.lo libclamav_la-fp_cmp.lo \

-	libclamav_la-fp_cmp_d.lo libclamav_la-fp_cmp_mag.lo \

-	libclamav_la-fp_sub.lo libclamav_la-fp_sub_d.lo \

-	libclamav_la-fp_submod.lo libclamav_la-s_fp_add.lo \

-	libclamav_la-s_fp_sub.lo libclamav_la-fp_radix_size.lo \

-	libclamav_la-fp_read_radix.lo \

+	libclamav_la-yara_parser.lo libclamav_la-fp_add.lo \

+	libclamav_la-fp_add_d.lo libclamav_la-fp_addmod.lo \

+	libclamav_la-fp_cmp.lo libclamav_la-fp_cmp_d.lo \

+	libclamav_la-fp_cmp_mag.lo libclamav_la-fp_sub.lo \

+	libclamav_la-fp_sub_d.lo libclamav_la-fp_submod.lo \

+	libclamav_la-s_fp_add.lo libclamav_la-s_fp_sub.lo \

+	libclamav_la-fp_radix_size.lo libclamav_la-fp_read_radix.lo \

 	libclamav_la-fp_read_signed_bin.lo \

 	libclamav_la-fp_read_unsigned_bin.lo \

 	libclamav_la-fp_reverse.lo libclamav_la-fp_s_rmap.lo \

@@ -828,10 +828,11 @@ libclamav_la_SOURCES = matcher-ac.c matcher-ac.h matcher-bm.c \

 	iso9660.h arc4.c arc4.h rijndael.c rijndael.h crtmgr.c \

 	crtmgr.h asn1.c asn1.h fpu.c fpu.h stats.c stats.h www.c www.h \

 	stats_json.c stats_json.h hostid.c hostid.h openioc.c \

-	openioc.h yara_grammar.y yara_lexer.l yara_lexer.h yara_clam.h \

-	bignum.h bignum_fast.h tomsfastmath/addsub/fp_add.c \

-	tomsfastmath/addsub/fp_add_d.c tomsfastmath/addsub/fp_addmod.c \

-	tomsfastmath/addsub/fp_cmp.c tomsfastmath/addsub/fp_cmp_d.c \

+	openioc.h yara_grammar.y yara_lexer.l yara_lexer.h \

+	yara_parser.c yara_parser.h yara_clam.h bignum.h bignum_fast.h \

+	tomsfastmath/addsub/fp_add.c tomsfastmath/addsub/fp_add_d.c \

+	tomsfastmath/addsub/fp_addmod.c tomsfastmath/addsub/fp_cmp.c \

+	tomsfastmath/addsub/fp_cmp_d.c \

 	tomsfastmath/addsub/fp_cmp_mag.c tomsfastmath/addsub/fp_sub.c \

 	tomsfastmath/addsub/fp_sub_d.c tomsfastmath/addsub/fp_submod.c \

 	tomsfastmath/addsub/s_fp_add.c tomsfastmath/addsub/s_fp_sub.c \

@@ -1236,6 +1237,7 @@ distclean-compile:

 @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/libclamav_la-xz_iface.Plo@am__quote@

 @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/libclamav_la-yara_grammar.Plo@am__quote@

 @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/libclamav_la-yara_lexer.Plo@am__quote@

+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/libclamav_la-yara_parser.Plo@am__quote@

 @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/libclamav_la-yc.Plo@am__quote@

 @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/libclamav_nocxx_la-bytecode_nojit.Plo@am__quote@

 @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/unrar.Plo@am__quote@

@@ -2242,6 +2244,13 @@ libclamav_la-yara_lexer.lo: yara_lexer.c

 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@

 @am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(libclamav_la_CFLAGS) $(CFLAGS) -c -o libclamav_la-yara_lexer.lo `test -f 'yara_lexer.c' || echo '$(srcdir)/'`yara_lexer.c

+libclamav_la-yara_parser.lo: yara_parser.c

+@am__fastdepCC_TRUE@	$(AM_V_CC)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(libclamav_la_CFLAGS) $(CFLAGS) -MT libclamav_la-yara_parser.lo -MD -MP -MF $(DEPDIR)/libclamav_la-yara_parser.Tpo -c -o libclamav_la-yara_parser.lo `test -f 'yara_parser.c' || echo '$(srcdir)/'`yara_parser.c

+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/libclamav_la-yara_parser.Tpo $(DEPDIR)/libclamav_la-yara_parser.Plo

+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='yara_parser.c' object='libclamav_la-yara_parser.lo' libtool=yes @AMDEPBACKSLASH@

+@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@

+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(libclamav_la_CFLAGS) $(CFLAGS) -c -o libclamav_la-yara_parser.lo `test -f 'yara_parser.c' || echo '$(srcdir)/'`yara_parser.c

+

 libclamav_la-fp_add.lo: tomsfastmath/addsub/fp_add.c

 @am__fastdepCC_TRUE@	$(AM_V_CC)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(libclamav_la_CFLAGS) $(CFLAGS) -MT libclamav_la-fp_add.lo -MD -MP -MF $(DEPDIR)/libclamav_la-fp_add.Tpo -c -o libclamav_la-fp_add.lo `test -f 'tomsfastmath/addsub/fp_add.c' || echo '$(srcdir)/'`tomsfastmath/addsub/fp_add.c

 @am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/libclamav_la-fp_add.Tpo $(DEPDIR)/libclamav_la-fp_add.Plo

@@ -2630,15 +2630,34 @@ static int cli_loadyara(FILE *fs, const char *dbname, struct cl_engine *engine,

     char * current_condition = NULL;

     int rc = CL_SUCCESS;

     uint32_t line = 0;

-    uint32_t rule = 0;

     uint8_t is_comment;

     uint8_t rule_state;

     YR_COMPILER compiler;

+    YR_RULE * rule;

+    YR_STRING * string;

-    cli_errmsg("Loading yara signatures\n");

+    compiler.last_result = ERROR_SUCCESS;

+    STAILQ_INIT(&compiler.rules);

+    STAILQ_INIT(&compiler.current_rule_strings);

+

+    //    cli_errmsg("Loading yara signatures\n");

 #if 0 /* for compilation */

     yr_lex_parse_rules_file(fs, &compiler);

 #endif

+    while (!STAILQ_EMPTY(&compiler.rules)) {

+        rule = STAILQ_FIRST(&compiler.rules);

+        STAILQ_REMOVE(&compiler.rules, rule, _yc_rule, link);

+        printf ("rule: %s+++++++++\n", rule->id);

+        while (!STAILQ_EMPTY(&rule->strings)) {

+            string = STAILQ_FIRST(&rule->strings);

+            STAILQ_REMOVE(&rule->strings, string, _yc_string, link);

+            printf ("    %s = \"%s\"\n", string->id, string->string);

+            free(string->id);

+            free(string);            

+        }

+        free(rule->id);

+        free(rule);

+    }

     return rc;

 }

 #endif

@@ -40,6 +40,8 @@ limitations under the License.

 #ifndef _YARA_CLAM_H_

 #define _YARA_CLAM_H_

+#include "shared/queue.h"

+ 

 #define LEX_BUF_SIZE  1024

 #define EXTERNAL_VARIABLE_TYPE_NULL          0

@@ -241,6 +243,7 @@ typedef struct _YR_META

 } YR_META;

+#if REAL_YARA

 typedef struct _YR_STRING

 {

   int32_t g_flags;

@@ -257,6 +260,7 @@ typedef struct _YR_STRING

     //  YR_MATCHES unconfirmed_matches[MAX_THREADS];

 } YR_STRING;

+#endif

 typedef struct _YR_EXTERNAL_VARIABLE

 {

@@ -318,13 +322,34 @@ struct RE {

 #define xtoi cli_hex2num

 #define strlcpy cli_strlcpy

+struct _yc_rule {

+    STAILQ_ENTRY(_yc_rule) link;

+    STAILQ_HEAD(sq, _yc_string) strings;

+    char * id;

+};

+typedef struct _yc_rule yc_rule;

+typedef struct _yc_string {

+    STAILQ_ENTRY(_yc_string) link;

+    char * id;

+    int32_t g_flags;

+    int32_t length;

+    

+    char* identifier;

+    uint8_t* string;

+} yc_string;

+

 typedef struct _yc_compiler {

   char                lex_buf[LEX_BUF_SIZE];

   char*               lex_buf_ptr;

   unsigned short      lex_buf_len;

+  int last_result;

+  STAILQ_HEAD(rq, _yc_rule) rules;

+  STAILQ_HEAD(cs, _yc_string) current_rule_strings;

 } yc_compiler;

-#define YR_COMPILER yc_compiler

+typedef yc_compiler YR_COMPILER;

+typedef yc_rule YR_RULE;

+typedef yc_string YR_STRING;

 #endif

@@ -59,6 +59,9 @@ limitations under the License.

 #define YYDEBUG 1 /* Set for development testing */

 #include "libclamav/yara_clam.h"

 #include "clamav-config.h"

+#include "libclamav/yara_grammar.h"

+#include "libclamav/yara_lexer.h"

+#include "libclamav/yara_parser.h"

 #endif

 #define YYERROR_VERBOSE

@@ -247,7 +250,6 @@ import

 rule

     : rule_modifiers _RULE_ _IDENTIFIER_ tags '{' meta strings condition '}'

       {

-#ifdef REAL_YARA

         int result = yr_parser_reduce_rule_declaration(

             yyscanner,

             $1,

@@ -259,10 +261,6 @@ rule

         yr_free($3);

         ERROR_IF(result != ERROR_SUCCESS);

-#else

-        cli_errmsg("parsing rule %s %s %s %s %s\n",

-                   $1,  $3, $4,  $6, $7 );

-#endif

       }

     ;

@@ -270,9 +268,7 @@ rule

 meta

     : /* empty */

       {

-          //#ifdef REAL_YARA

         $$ = NULL;

-        //#endif

       }

     | _META_ ':' meta_declarations

       {

@@ -518,7 +514,6 @@ string_declarations

 string_declaration

     : _STRING_IDENTIFIER_ '=' _TEXT_STRING_ string_modifiers

       {

-#ifdef REAL_YARA

         $$ = yr_parser_reduce_string_declaration(

             yyscanner,

             $4,

@@ -529,9 +524,6 @@ string_declaration

         yr_free($3);

         ERROR_IF($$ == NULL);

-#else

-        cli_errmsg("String delaration %s = %s, %s\n", $1, $3, $4);

-#endif

       }

     | _STRING_IDENTIFIER_ '='

       {

@@ -541,7 +533,6 @@ string_declaration

       }

       _REGEXP_ string_modifiers

       {

-#ifdef REAL_YARA

         $$ = yr_parser_reduce_string_declaration(

             yyscanner,

             $5 | STRING_GFLAGS_REGEXP,

@@ -552,11 +543,9 @@ string_declaration

         yr_free($4);

         ERROR_IF($$ == NULL);

-#endif

       }

     | _STRING_IDENTIFIER_ '=' _HEX_STRING_

       {

-#ifdef REAL_YARA

         $$ = yr_parser_reduce_string_declaration(

             yyscanner,

             STRING_GFLAGS_HEXADECIMAL,

@@ -567,7 +556,6 @@ string_declaration

         yr_free($3);

         ERROR_IF($$ == NULL);

-#endif

       }

     ;

@@ -296,6 +296,12 @@ include[ \t]+\"         {

     yyterminate();

   }

 #endif

+  yypop_buffer_state(yyscanner);

+

+  if (!YY_CURRENT_BUFFER)

+  {

+    yyterminate();

+  }

 }

new file mode 100644

@@ -0,0 +1,988 @@

+/*

+ * YARA parser for ClamAV: back-end functions

+ * 

+ * Copyright (C) 2014 Cisco Systems, Inc. and/or its affiliates. All rights reserved.

+ * 

+ * Authors: Steven Morgan

+ * 

+ * This program is free software; you can redistribute it and/or modify it under

+ * the terms of the GNU General Public License version 2 as published by the

+ * Free Software Foundation.

+ * 

+ * This program is distributed in the hope that it will be useful, but WITHOUT

+ * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or

+ * FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License for

+ * more details.

+ * 

+ * You should have received a copy of the GNU General Public License along with

+ * this program; if not, write to the Free Software Foundation, Inc., 51

+ * Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA.

+ */

+    /*

+Copyright (c) 2013. The YARA Authors. All Rights Reserved.

+

+Licensed under the Apache License, Version 2.0 (the "License");

+you may not use this file except in compliance with the License.

+You may obtain a copy of the License at

+

+   http://www.apache.org/licenses/LICENSE-2.0

+

+Unless required by applicable law or agreed to in writing, software

+distributed under the License is distributed on an "AS IS" BASIS,

+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.

+See the License for the specific language governing permissions and

+limitations under the License.

+*/

+

+#include <stddef.h>

+#include <string.h>

+

+

+#ifdef REAL_YARA

+#include <yara/ahocorasick.h>

+#include <yara/arena.h>

+#include <yara/re.h>

+#include <yara/error.h>

+#include <yara/exec.h>

+#include <yara/object.h>

+#include <yara/utils.h>

+#include <yara/modules.h>

+#include <yara/parser.h>

+#include <yara/mem.h>

+#else

+#include <stdint.h>

+#include <stdio.h>

+#include "yara_clam.h"

+#include "yara_grammar.h"

+#include "yara_lexer.h"

+#include "others.h"

+#endif

+

+#define todigit(x)  ((x) >='A'&& (x) <='F')? \

+                    ((uint8_t) (x - 'A' + 10)) : \

+                    ((uint8_t) (x - '0'))

+

+

+#ifdef REAL_YARA

+int yr_parser_emit(

+    yyscan_t yyscanner,

+    int8_t instruction,

+    int8_t** instruction_address)

+{

+  return yr_arena_write_data(

+      yyget_extra(yyscanner)->code_arena,

+      &instruction,

+      sizeof(int8_t),

+      (void**) instruction_address);

+}

+

+

+int yr_parser_emit_with_arg(

+    yyscan_t yyscanner,

+    int8_t instruction,

+    int64_t argument,

+    int8_t** instruction_address)

+{

+  int result = yr_arena_write_data(

+      yyget_extra(yyscanner)->code_arena,

+      &instruction,

+      sizeof(int8_t),

+      (void**) instruction_address);

+

+  if (result == ERROR_SUCCESS)

+    result = yr_arena_write_data(

+        yyget_extra(yyscanner)->code_arena,

+        &argument,

+        sizeof(int64_t),

+        NULL);

+

+  return result;

+}

+

+

+int yr_parser_emit_with_arg_reloc(

+    yyscan_t yyscanner,

+    int8_t instruction,

+    int64_t argument,

+    int8_t** instruction_address)

+{

+  void* ptr;

+

+  int result = yr_arena_write_data(

+      yyget_extra(yyscanner)->code_arena,

+      &instruction,

+      sizeof(int8_t),

+      (void**) instruction_address);

+

+  if (result == ERROR_SUCCESS)

+    result = yr_arena_write_data(

+        yyget_extra(yyscanner)->code_arena,

+        &argument,

+        sizeof(int64_t),

+        &ptr);

+

+  if (result == ERROR_SUCCESS)

+    result = yr_arena_make_relocatable(

+        yyget_extra(yyscanner)->code_arena,

+        ptr,

+        0,

+        EOL);

+

+  return result;

+}

+

+

+int yr_parser_emit_pushes_for_strings(

+    yyscan_t yyscanner,

+    const char* identifier)

+{

+  YR_COMPILER* compiler = yyget_extra(yyscanner);

+  YR_STRING* string = compiler->current_rule_strings;

+

+  const char* string_identifier;

+  const char* target_identifier;

+

+  int matching = 0;

+

+  while(!STRING_IS_NULL(string))

+  {

+    // Don't generate pushes for strings chained to another one, we are

+    // only interested in non-chained strings or the head of the chain.

+

+    if (string->chained_to == NULL)

+    {

+      string_identifier = string->identifier;

+      target_identifier = identifier;

+

+      while (*target_identifier != '\0' &&

+             *string_identifier != '\0' &&

+             *target_identifier == *string_identifier)

+      {

+        target_identifier++;

+        string_identifier++;

+      }

+

+      if ((*target_identifier == '\0' && *string_identifier == '\0') ||

+           *target_identifier == '*')

+      {

+        yr_parser_emit_with_arg_reloc(

+            yyscanner,

+            OP_PUSH,

+            PTR_TO_UINT64(string),

+            NULL);

+

+        string->g_flags |= STRING_GFLAGS_REFERENCED;

+        matching++;

+      }

+    }

+

+    string = yr_arena_next_address(

+        compiler->strings_arena,

+        string,

+        sizeof(YR_STRING));

+  }

+

+  if (matching == 0)

+  {

+    yr_compiler_set_error_extra_info(compiler, identifier);

+    compiler->last_result = ERROR_UNDEFINED_STRING;

+  }

+

+  return compiler->last_result;

+}

+

+

+int yr_parser_check_types(

+    YR_COMPILER* compiler,

+    YR_OBJECT_FUNCTION* function,

+    const char* actual_args_fmt)

+{

+  int i;

+

+  char message[MAX_COMPILER_ERROR_EXTRA_INFO];

+

+  const char* expected = function->arguments_fmt;

+  const char* actual = actual_args_fmt;

+

+  i = 0;

+

+  while (*expected != '\0' || *actual != '\0')

+  {

+    i++;

+

+    if (*expected != *actual)

+    {

+      if (*expected == '\0' || *actual == '\0')

+      {

+        snprintf(

+            message,

+            sizeof(message),

+            "wrong number of arguments for \"%s\"",

+            function->identifier);

+

+        compiler->last_result = ERROR_WRONG_NUMBER_OF_ARGUMENTS;

+      }

+      else

+      {

+        snprintf(

+            message,

+            sizeof(message),

+            "wrong type for argument %i of \"%s\"",

+            i,

+            function->identifier);

+

+        compiler->last_result = ERROR_WRONG_TYPE;

+      }

+

+      yr_compiler_set_error_extra_info(compiler, message);

+      break;

+    }

+

+    expected++;

+    actual++;

+  }

+

+  return compiler->last_result;

+}

+

+

+YR_STRING* yr_parser_lookup_string(

+    yyscan_t yyscanner,

+    const char* identifier)

+{

+  YR_STRING* string;

+  YR_COMPILER* compiler = yyget_extra(yyscanner);

+

+  string = compiler->current_rule_strings;

+

+  while(!STRING_IS_NULL(string))

+  {

+    // If some string $a gets fragmented into multiple chained

+    // strings, all those fragments have the same $a identifier

+    // but we are interested in the heading fragment, which is

+    // that with chained_to == NULL

+

+    if (strcmp(string->identifier, identifier) == 0 &&

+        string->chained_to == NULL)

+    {

+      return string;

+    }

+

+    string = yr_arena_next_address(

+        compiler->strings_arena,

+        string,

+        sizeof(YR_STRING));

+  }

+

+  yr_compiler_set_error_extra_info(compiler, identifier);

+  compiler->last_result = ERROR_UNDEFINED_STRING;

+

+  return NULL;

+}

+

+

+int yr_parser_lookup_loop_variable(

+    yyscan_t yyscanner,

+    const char* identifier)

+{

+  YR_COMPILER* compiler = yyget_extra(yyscanner);

+  int i;

+

+  for (i = 0; i < compiler->loop_depth; i++)

+  {

+    if (compiler->loop_identifier[i] != NULL &&

+        strcmp(identifier, compiler->loop_identifier[i]) == 0)

+      return i;

+  }

+

+  return -1;

+}

+

+

+int _yr_parser_write_string(

+    const char* identifier,

+    int flags,

+    YR_COMPILER* compiler,

+    SIZED_STRING* str,

+    RE* re,

+    YR_STRING** string,

+    int* min_atom_length)

+{

+  SIZED_STRING* literal_string;

+  YR_AC_MATCH* new_match;

+

+  YR_ATOM_LIST_ITEM* atom;

+  YR_ATOM_LIST_ITEM* atom_list = NULL;

+

+  int result;

+  int max_string_len;

+  int free_literal = FALSE;

+

+  *string = NULL;

+

+  result = yr_arena_allocate_struct(

+      compiler->strings_arena,

+      sizeof(YR_STRING),

+      (void**) string,

+      offsetof(YR_STRING, identifier),

+      offsetof(YR_STRING, string),

+      offsetof(YR_STRING, chained_to),

+      EOL);

+

+  if (result != ERROR_SUCCESS)

+    return result;

+

+  result = yr_arena_write_string(

+      compiler->sz_arena,

+      identifier,

+      &(*string)->identifier);

+

+  if (result != ERROR_SUCCESS)

+    return result;

+

+  if (flags & STRING_GFLAGS_HEXADECIMAL ||

+      flags & STRING_GFLAGS_REGEXP)

+  {

+    literal_string = yr_re_extract_literal(re);

+

+    if (literal_string != NULL)

+    {

+      flags |= STRING_GFLAGS_LITERAL;

+      free_literal = TRUE;

+    }

+  }

+  else

+  {

+    literal_string = str;

+    flags |= STRING_GFLAGS_LITERAL;

+  }

+

+  (*string)->g_flags = flags;

+  (*string)->chained_to = NULL;

+

+  #ifdef PROFILING_ENABLED

+  (*string)->clock_ticks = 0;

+  #endif

+

+  memset((*string)->matches, 0,

+         sizeof((*string)->matches));

+

+  memset((*string)->unconfirmed_matches, 0,

+         sizeof((*string)->unconfirmed_matches));

+

+  if (flags & STRING_GFLAGS_LITERAL)

+  {

+    (*string)->length = literal_string->length;

+

+    result = yr_arena_write_data(

+        compiler->sz_arena,

+        literal_string->c_string,

+        literal_string->length,

+        (void*) &(*string)->string);

+

+    if (result == ERROR_SUCCESS)

+    {

+      result = yr_atoms_extract_from_string(

+          (uint8_t*) literal_string->c_string,

+          literal_string->length,

+          flags,

+          &atom_list);

+    }

+  }

+  else

+  {

+    result = yr_re_emit_code(re, compiler->re_code_arena);

+

+    if (result == ERROR_SUCCESS)

+      result = yr_atoms_extract_from_re(re, flags, &atom_list);

+  }

+

+  if (result == ERROR_SUCCESS)

+  {

+    // Add the string to Aho-Corasick automaton.

+

+    if (atom_list != NULL)

+    {

+      result = yr_ac_add_string(

+          compiler->automaton_arena,

+          compiler->automaton,

+          *string,

+          atom_list);

+    }

+    else

+    {

+      result = yr_arena_allocate_struct(

+          compiler->automaton_arena,

+          sizeof(YR_AC_MATCH),

+          (void**) &new_match,

+          offsetof(YR_AC_MATCH, string),

+          offsetof(YR_AC_MATCH, forward_code),

+          offsetof(YR_AC_MATCH, backward_code),

+          offsetof(YR_AC_MATCH, next),

+          EOL);

+

+      if (result == ERROR_SUCCESS)

+      {

+        new_match->backtrack = 0;

+        new_match->string = *string;

+        new_match->forward_code = re->root_node->forward_code;

+        new_match->backward_code = NULL;

+        new_match->next = compiler->automaton->root->matches;

+        compiler->automaton->root->matches = new_match;

+      }

+    }

+  }

+

+  atom = atom_list;

+

+  if (atom != NULL)

+    *min_atom_length = MAX_ATOM_LENGTH;

+  else

+    *min_atom_length = 0;

+

+  while (atom != NULL)

+  {

+    if (atom->atom_length < *min_atom_length)

+      *min_atom_length = atom->atom_length;

+    atom = atom->next;

+  }

+

+  if (flags & STRING_GFLAGS_LITERAL)

+  {

+    if (flags & STRING_GFLAGS_WIDE)

+      max_string_len = (*string)->length * 2;

+    else

+      max_string_len = (*string)->length;

+

+    if (max_string_len == *min_atom_length)

+      (*string)->g_flags |= STRING_GFLAGS_FITS_IN_ATOM;

+  }

+

+  if (free_literal)

+    yr_free(literal_string);

+

+  if (atom_list != NULL)

+    yr_atoms_list_destroy(atom_list);

+

+  return result;

+}

+

+#endif

+

+

+#include <stdint.h>

+#include <limits.h>

+

+

+YR_STRING* yr_parser_reduce_string_declaration(

+    yyscan_t yyscanner,

+    int32_t string_flags,

+    const char* identifier,

+    SIZED_STRING* str)

+{

+  int min_atom_length;

+  int min_atom_length_aux;

+  int re_flags = 0;

+

+  int32_t min_gap;

+  int32_t max_gap;

+

+  char message[512];

+

+  YR_COMPILER* compiler = yyget_extra(yyscanner);

+  YR_STRING* string = NULL;

+  YR_STRING* aux_string;

+  YR_STRING* prev_string;

+

+  RE* re = NULL;

+  RE* remainder_re;

+

+#if REAL_YARA

+  RE_ERROR re_error;

+

+  if (str->flags & SIZED_STRING_FLAGS_NO_CASE)

+    string_flags |= STRING_GFLAGS_NO_CASE;

+

+  if (str->flags & SIZED_STRING_FLAGS_DOT_ALL)

+    re_flags |= RE_FLAGS_DOT_ALL;

+

+  if (strcmp(identifier,"$") == 0)

+    string_flags |= STRING_GFLAGS_ANONYMOUS;

+

+  if (!(string_flags & STRING_GFLAGS_WIDE))

+    string_flags |= STRING_GFLAGS_ASCII;

+

+  if (string_flags & STRING_GFLAGS_NO_CASE)

+    re_flags |= RE_FLAGS_NO_CASE;

+#endif

+  // The STRING_GFLAGS_SINGLE_MATCH flag indicates that finding

+  // a single match for the string is enough. This is true in

+  // most cases, except when the string count (#) and string offset (@)

+  // operators are used. All strings are marked STRING_FLAGS_SINGLE_MATCH

+  // initially, and unmarked later if required.

+

+  string_flags |= STRING_GFLAGS_SINGLE_MATCH;

+

+  if (string_flags & STRING_GFLAGS_HEXADECIMAL ||

+      string_flags & STRING_GFLAGS_REGEXP)

+  {

+#if REAL_YARA

+    if (string_flags & STRING_GFLAGS_HEXADECIMAL)

+      compiler->last_result = yr_re_parse_hex(

+          str->c_string, re_flags, &re, &re_error);

+    else

+      compiler->last_result = yr_re_parse(

+          str->c_string, re_flags, &re, &re_error);

+

+    if (compiler->last_result != ERROR_SUCCESS)

+    {

+      snprintf(

+          message,

+          sizeof(message),

+          "invalid %s \"%s\": %s",

+          (string_flags & STRING_GFLAGS_HEXADECIMAL) ?

+              "hex string" : "regular expression",

+          identifier,

+          re_error.message);

+

+      yr_compiler_set_error_extra_info(

+          compiler, message);

+

+      goto _exit;

+    }

+

+    if (re->flags & RE_FLAGS_FAST_HEX_REGEXP)

+      string_flags |= STRING_GFLAGS_FAST_HEX_REGEXP;

+

+    compiler->last_result = yr_re_split_at_chaining_point(

+        re, &re, &remainder_re, &min_gap, &max_gap);

+

+    if (compiler->last_result != ERROR_SUCCESS)

+      goto _exit;

+

+    compiler->last_result = _yr_parser_write_string(

+        identifier,

+        string_flags,

+        compiler,

+        NULL,

+        re,

+        &string,

+        &min_atom_length);

+

+    if (compiler->last_result != ERROR_SUCCESS)

+      goto _exit;

+

+    if (remainder_re != NULL)

+    {

+      string->g_flags |= STRING_GFLAGS_CHAIN_TAIL | STRING_GFLAGS_CHAIN_PART;

+      string->chain_gap_min = min_gap;

+      string->chain_gap_max = max_gap;

+    }

+

+    // Use "aux_string" from now on, we want to keep the value of "string"

+    // because it will returned.

+

+    aux_string = string;

+

+    while (remainder_re != NULL)

+    {

+      // Destroy regexp pointed by 're' before yr_re_split_at_jmp

+      // overwrites 're' with another value.

+

+      yr_re_destroy(re);

+

+      compiler->last_result = yr_re_split_at_chaining_point(

+          remainder_re, &re, &remainder_re, &min_gap, &max_gap);

+

+      if (compiler->last_result != ERROR_SUCCESS)

+        goto _exit;

+

+      prev_string = aux_string;

+

+      compiler->last_result = _yr_parser_write_string(

+          identifier,

+          string_flags,

+          compiler,

+          NULL,

+          re,

+          &aux_string,

+          &min_atom_length_aux);

+

+      if (compiler->last_result != ERROR_SUCCESS)

+        goto _exit;

+

+      if (min_atom_length_aux < min_atom_length)