@@ -1142,9 +1142,23 @@ int cli_ac_initdata(struct cli_ac_data *data, uint32_t partsigs, uint32_t lsigs,

             data->lsigcnt[i] = data->lsigcnt[0] + 64 * i;

         /* subsig offsets */

+        data->lsig_matches = (struct cli_lsig_matches **) cli_calloc(lsigs * sizeof(struct cli_lsig_matches *), sizeof(struct cli_lsig_matches *));

+        if(!data->lsig_matches) {

+            free(data->lsigcnt[0]);

+            free(data->lsigcnt);

+            if(partsigs)

+                free(data->offmatrix);

+

+            if(reloffsigs)

+                free(data->offset);

+

+            cli_errmsg("cli_ac_init: Can't allocate memory for data->lsig_matches\n");

+            return CL_EMEM;

+        }

         data->lsigsuboff_last = (uint32_t **) cli_malloc(lsigs * sizeof(uint32_t *));

         data->lsigsuboff_first = (uint32_t **) cli_malloc(lsigs * sizeof(uint32_t *));

         if(!data->lsigsuboff_last || !data->lsigsuboff_first) {

+            free(data->lsig_matches);

             free(data->lsigsuboff_last);

             free(data->lsigsuboff_first);

             free(data->lsigcnt[0]);

@@ -1161,6 +1175,7 @@ int cli_ac_initdata(struct cli_ac_data *data, uint32_t partsigs, uint32_t lsigs,

         data->lsigsuboff_last[0] = (uint32_t *) cli_calloc(lsigs * 64, sizeof(uint32_t));

         data->lsigsuboff_first[0] = (uint32_t *) cli_calloc(lsigs * 64, sizeof(uint32_t));

         if(!data->lsigsuboff_last[0] || !data->lsigsuboff_first[0]) {

+            free(data->lsig_matches);

             free(data->lsigsuboff_last[0]);

             free(data->lsigsuboff_first[0]);

             free(data->lsigsuboff_last);

@@ -1225,7 +1240,10 @@ void cli_ac_freedata(struct cli_ac_data *data)

 {

     uint32_t i;

-    if(data && data->partsigs) {

+    if (!data)

+        return;

+

+    if(data->partsigs) {

         for(i = 0; i < data->partsigs; i++) {

             if(data->offmatrix[i]) {

                 free(data->offmatrix[i][0]);

@@ -1237,7 +1255,25 @@ void cli_ac_freedata(struct cli_ac_data *data)

         data->partsigs = 0;

     }

-    if(data && data->lsigs) {

+    if(data->lsigs) {

+        if (data->lsig_matches) {

+            for (i = 0; i < data->lsigs; i++) {

+                struct cli_lsig_matches * ls_matches;

+                if ((ls_matches = data->lsig_matches[i])) {

+                    uint32_t j;

+                    for (j = 0; j < ls_matches->subsigs; j++) {

+                        if (ls_matches->matches[j]) {

+                            free(ls_matches->matches[j]);

+                            ls_matches->matches[j] = 0;

+                        }

+                    }

+                    free(data->lsig_matches[i]);

+                    data->lsig_matches[i] = 0;

+                }

+            }

+            free(data->lsig_matches);

+            data->lsig_matches = 0;

+        }

         free(data->lsigcnt[0]);

         free(data->lsigcnt);

         free(data->lsigsuboff_last[0]);

@@ -1247,7 +1283,7 @@ void cli_ac_freedata(struct cli_ac_data *data)

         data->lsigs = 0;

     }

-    if(data && data->reloffsigs) {

+    if(data->reloffsigs) {

         free(data->offset);

         data->reloffsigs = 0;

     }

@@ -1287,22 +1323,62 @@ inline static int ac_addtype(struct cli_matched_type **list, cli_file_t type, of

     return CL_SUCCESS;

 }

-void lsig_sub_matched(const struct cli_matcher *root, struct cli_ac_data *mdata, uint32_t lsigid1, uint32_t lsigid2, uint32_t realoff, int partial)

+int lsig_sub_matched(const struct cli_matcher *root, struct cli_ac_data *mdata, uint32_t lsigid1, uint32_t lsigid2, uint32_t realoff, int partial)

 {

-    const struct cli_lsig_tdb *tdb = &root->ac_lsigtable[lsigid1]->tdb;

+    const struct cli_ac_lsig *ac_lsig = root->ac_lsigtable[lsigid1];

+    const struct cli_lsig_tdb *tdb = &ac_lsig->tdb;

     if(realoff != CLI_OFF_NONE) {

         if(mdata->lsigsuboff_first[lsigid1][lsigid2] == CLI_OFF_NONE)

             mdata->lsigsuboff_first[lsigid1][lsigid2] = realoff;

         if(mdata->lsigsuboff_last[lsigid1][lsigid2] != CLI_OFF_NONE && ((!partial && realoff <= mdata->lsigsuboff_last[lsigid1][lsigid2]) || (partial && realoff < mdata->lsigsuboff_last[lsigid1][lsigid2])))

-            return;

+            return CL_SUCCESS;

         mdata->lsigcnt[lsigid1][lsigid2]++;

         if(mdata->lsigcnt[lsigid1][lsigid2] <= 1 || !tdb->macro_ptids || !tdb->macro_ptids[lsigid2])

             mdata->lsigsuboff_last[lsigid1][lsigid2] = realoff;

     }

+    if (ac_lsig->type & CLI_YARA_OFFSET && realoff != CLI_OFF_NONE) {

+        uint32_t * offs;

+        struct cli_subsig_matches * ss_matches;

+        struct cli_lsig_matches * ls_matches;

+        cli_dbgmsg("lsig_sub_matched lsig %u:%u at %u\n", lsigid1, lsigid2, realoff);

+

+        ls_matches = mdata->lsig_matches[lsigid1];

+        if (ls_matches == NULL) { /* allocate cli_lsig_matches */

+            ls_matches = mdata->lsig_matches[lsigid1] = (struct cli_lsig_matches *)cli_calloc(1, sizeof(struct cli_lsig_matches) +

+                                                                                              (ac_lsig->tdb.subsigs - 1) * sizeof(struct cli_subsig_matches *));

+            if (ls_matches == NULL) {

+                cli_errmsg("lsig_sub_matched: cli_calloc failed for cli_lsig_matches\n");

+                return CL_EMEM;

+            }

+            ls_matches->subsigs = ac_lsig->tdb.subsigs;

+        }

+        ss_matches = ls_matches->matches[lsigid2];

+        if (ss_matches == NULL) { /*  allocate cli_subsig_matches */

+            ss_matches = ls_matches->matches[lsigid2] = cli_malloc(sizeof(struct cli_subsig_matches));

+            if (ss_matches == NULL) {

+                cli_errmsg("lsig_sub_matched: cli_malloc failed for cli_subsig_matches struct\n");

+                return CL_EMEM;

+            }

+            ss_matches->next = 0;

+            ss_matches->last = sizeof(ss_matches->offsets) / sizeof(uint32_t) - 1; 

+        }

+        if (ss_matches->next > ss_matches->last) {  /* cli_matches out of space? realloc */

+            ss_matches = ls_matches->matches[lsigid2] = cli_realloc(ss_matches, sizeof(struct cli_subsig_matches) + sizeof(uint32_t) * ss_matches->last * 2);

+            if (ss_matches == NULL) {

+                cli_errmsg("lsig_sub_matched: cli_realloc failed for cli_subsig_matches struct\n");

+                return CL_EMEM;

+            }

+            ss_matches->last = sizeof(ss_matches->offsets)/ sizeof(uint32_t) + ss_matches->last * 2 - 1;

+        }

+        

+        ss_matches->offsets[ss_matches->next] = realoff; /* finally, store the offset */

+        ss_matches->next++;

+    }

+

     if (mdata->lsigcnt[lsigid1][lsigid2] > 1) {

         /* Check that the previous match had a macro match following it at the 

          * correct distance. This check is only done after the 1st match.*/

@@ -1310,11 +1386,11 @@ void lsig_sub_matched(const struct cli_matcher *root, struct cli_ac_data *mdata,

         uint32_t id, last_macro_match, smin, smax, last_macroprev_match;

         if (!tdb->macro_ptids)

-            return;

+            return CL_SUCCESS;

         id = tdb->macro_ptids[lsigid2];

         if (!id)

-            return;

+            return CL_SUCCESS;

         macropt = root->ac_pattable[id];

         smin = macropt->ch_mindist[0];

@@ -1340,17 +1416,23 @@ void lsig_sub_matched(const struct cli_matcher *root, struct cli_ac_data *mdata,

             mdata->lsigsuboff_last[lsigid1][lsigid2+1] = last_macro_match;

         }

     }

+    return CL_SUCCESS;

 }

-void cli_ac_chkmacro(struct cli_matcher *root, struct cli_ac_data *data, unsigned lsigid1)

+int cli_ac_chkmacro(struct cli_matcher *root, struct cli_ac_data *data, unsigned lsigid1)

 {

     const struct cli_lsig_tdb *tdb = &root->ac_lsigtable[lsigid1]->tdb;

     unsigned i;

+    int rc;

+

     /* Loop through all subsigs, and if they are tied to macros check that the

      * macro matched at a correct distance */

     for (i=0;i<tdb->subsigs;i++) {

-        lsig_sub_matched(root, data, lsigid1, i, CLI_OFF_NONE, 0);

+        rc = lsig_sub_matched(root, data, lsigid1, i, CLI_OFF_NONE, 0);

+        if (rc != CL_SUCCESS)

+            return rc;

     }

+    return CL_SUCCESS;

 }

@@ -1365,6 +1447,7 @@ int cli_ac_scanbuff(const unsigned char *buffer, uint32_t length, const char **v

     int32_t **offmatrix, swp;

     int type = CL_CLEAN;

     struct cli_ac_result *newres;

+    int rc;

     if(!root->ac_root)

         return CL_CLEAN;

@@ -1547,7 +1630,9 @@ int cli_ac_scanbuff(const unsigned char *buffer, uint32_t length, const char **v

                                 } else { /* !pt->type */

                                     if(pt->lsigid[0]) {

-                                        lsig_sub_matched(root, mdata, pt->lsigid[1], pt->lsigid[2], offmatrix[pt->parts - 1][1], 1);

+                                        rc = lsig_sub_matched(root, mdata, pt->lsigid[1], pt->lsigid[2], offmatrix[pt->parts - 1][1], 1);

+                                        if (rc != CL_SUCCESS)

+                                            return rc;

                                         ptN = ptN->next_same;

                                         continue;

                                     }

@@ -1599,8 +1684,10 @@ int cli_ac_scanbuff(const unsigned char *buffer, uint32_t length, const char **v

                                     }

                                 }

                             } else {

-                            if(pt->lsigid[0]) {

-                                    lsig_sub_matched(root, mdata, pt->lsigid[1], pt->lsigid[2], realoff, 0);

+                                if(pt->lsigid[0]) {

+                                    rc = lsig_sub_matched(root, mdata, pt->lsigid[1], pt->lsigid[2], realoff, 0);

+                                    if (rc != CL_SUCCESS)

+                                        return rc;

                                     ptN = ptN->next_same;

                                     continue;

                                 }

@@ -43,11 +43,23 @@

 #define ACPATT_OPTION_ONCE     0x80

+struct cli_subsig_matches {

+    uint32_t last;

+    uint32_t next;

+    uint32_t offsets[16]; /* offsets[] is variable length */

+};

+

+struct cli_lsig_matches {

+    uint32_t subsigs;

+    struct cli_subsig_matches * matches[1]; /* matches[] is variable length */ 

+};

+

 struct cli_ac_data {

     int32_t ***offmatrix;

     uint32_t partsigs, lsigs, reloffsigs;

     uint32_t **lsigcnt;

     uint32_t **lsigsuboff_last, **lsigsuboff_first;

+    struct cli_lsig_matches **lsig_matches;

     uint32_t *offset;

     uint32_t macro_lastmatch[32];

     /** Hashset for versioninfo matching */

@@ -105,8 +117,8 @@ struct cli_ac_result {

 int cli_ac_addpatt(struct cli_matcher *root, struct cli_ac_patt *pattern);

 int cli_ac_initdata(struct cli_ac_data *data, uint32_t partsigs, uint32_t lsigs, uint32_t reloffsigs, uint8_t tracklen);

-void lsig_sub_matched(const struct cli_matcher *root, struct cli_ac_data *mdata, uint32_t lsigid1, uint32_t lsigid2, uint32_t realoff, int partial);

-void cli_ac_chkmacro(struct cli_matcher *root, struct cli_ac_data *data, unsigned lsigid1);

+int lsig_sub_matched(const struct cli_matcher *root, struct cli_ac_data *mdata, uint32_t lsigid1, uint32_t lsigid2, uint32_t realoff, int partial);

+int cli_ac_chkmacro(struct cli_matcher *root, struct cli_ac_data *data, unsigned lsigid1);

 int cli_ac_chklsig(const char *expr, const char *end, uint32_t *lsigcnt, unsigned int *cnt, uint64_t *ids, unsigned int parse_only);

 void cli_ac_freedata(struct cli_ac_data *data);

 int cli_ac_scanbuff(const unsigned char *buffer, uint32_t length, const char **virname, void **customdata, struct cli_ac_result **res, const struct cli_matcher *root, struct cli_ac_data *mdata, uint32_t offset, cli_file_t ftype, struct cli_matched_type **ftoffset, unsigned int mode, cli_ctx *ctx);

@@ -695,8 +695,11 @@ static int lsig_eval(cli_ctx *ctx, struct cli_matcher *root, struct cli_ac_data

     struct cli_ac_lsig *ac_lsig = root->ac_lsigtable[lsid];

     char * exp = ac_lsig->u.logic;

     char* exp_end = exp + strlen(exp);

+    int rc;

-    cli_ac_chkmacro(root, acdata, lsid);

+    rc = cli_ac_chkmacro(root, acdata, lsid);

+    if (rc != CL_SUCCESS)

+        return rc;

     if (cli_ac_chklsig(exp, exp_end, acdata->lsigcnt[lsid], &evalcnt, &evalids, 0) == 1) {

         if(ac_lsig->tdb.container && ac_lsig->tdb.container[0] != ctx->container_type)

             return CL_CLEAN;

@@ -778,9 +781,9 @@ int cli_exp_eval(cli_ctx *ctx, struct cli_matcher *root, struct cli_ac_data *acd

     int32_t rc;

     for(i = 0; i < root->ac_lsigs; i++) {

-        if (root->ac_lsigtable[i]->type == CLI_NORMAL_LSIG)

+        if (root->ac_lsigtable[i]->type == CLI_LSIG_NORMAL)

             rc = lsig_eval(ctx, root, acdata, target_info, hash, i);

-        else if (root->ac_lsigtable[i]->type == CLI_NORMAL_YARA)

+        else if (root->ac_lsigtable[i]->type == CLI_YARA_NORMAL || root->ac_lsigtable[i]->type == CLI_YARA_OFFSET)

             rc = yara_eval(ctx, root, acdata, target_info, hash, i);

         if (rc == CL_VIRUS) {

             viruses_found = 1;

@@ -79,8 +79,9 @@ struct cli_lsig_tdb {

 struct cli_bc;

 struct cli_ac_lsig {

-#define CLI_NORMAL_LSIG 0

-#define CLI_NORMAL_YARA 1

+#define CLI_LSIG_NORMAL 0

+#define CLI_YARA_NORMAL 1

+#define CLI_YARA_OFFSET 2

     uint32_t id;

     unsigned bc_idx;

     uint8_t type;

@@ -1677,7 +1677,7 @@ static int load_oneldb(char *buffer, int chkpua, struct cl_engine *engine, unsig

         return CL_EMEM;

     }

-    lsig->type = CLI_NORMAL_LSIG;

+    lsig->type = CLI_LSIG_NORMAL;

     lsig->u.logic = cli_mpool_strdup(engine->mempool, logic);

     if(!lsig->u.logic) {

         cli_errmsg("cli_loadldb: Can't allocate memory for lsig->logic\n");

@@ -3482,7 +3482,7 @@ static int load_oneyara(YR_RULE *rule, struct cl_engine *engine, unsigned int op

     /*** conditional verification step (ex. do we define too many strings versus used?)  ***/

     /*** additional string table population (ex. offsets), second translation table pass ***/

 #if 0

-    if (rule->g_flags & RULE_ALL ||  rule->g_flags & RULE_ANY) {

+    if (rule->cl_flags & RULE_ALL ||  rule->cl_flags & RULE_ANY) {

         lsize = 3*ytable.tbl_cnt;

         logic = cli_calloc(lsize, sizeof(char));

         if (!logic) {

@@ -3491,12 +3491,12 @@ static int load_oneyara(YR_RULE *rule, struct cl_engine *engine, unsigned int op

             return CL_EMEM;

         }

-        if (rule->g_flags & RULE_ALL && rule->g_flags & RULE_THEM)

+        if (rule->cl_flags & RULE_ALL && rule->cl_flags & RULE_THEM)

             exp_op = "&";

         else {

             exp_op = "|";

-            if ((!(rule->g_flags & RULE_ANY && rule->g_flags & RULE_THEM) && ytable.tbl_cnt > 1) &&

-                !(rule->g_flags & RULE_EP && ytable.tbl_cnt == 1))

+            if ((!(rule->cl_flags & RULE_ANY && rule->cl_flags & RULE_THEM) && ytable.tbl_cnt > 1) &&

+                !(rule->cl_flags & RULE_EP && ytable.tbl_cnt == 1))

                 yara_complex++;

         }

@@ -3507,12 +3507,12 @@ static int load_oneyara(YR_RULE *rule, struct cl_engine *engine, unsigned int op

         /*** END CONDITIONAL HANDLING ***/

     }

-#endif

     /* TDB */

-    if (rule->g_flags & RULE_EP && ytable.tbl_cnt == 1)

+    if (rule->cl_flags & RULE_EP && ytable.tbl_cnt == 1)

         target_str = cli_strdup(YARATARGET1);

     else

+#endif

         target_str = cli_strdup(YARATARGET0);

     memset(&tdb, 0, sizeof(tdb));

@@ -3542,7 +3542,7 @@ static int load_oneyara(YR_RULE *rule, struct cl_engine *engine, unsigned int op

     if (logic) {

         cli_yaramsg("normal lsig triggered yara: %s\n", logic);

-        lsig->type = CLI_NORMAL_LSIG;

+        lsig->type = CLI_LSIG_NORMAL;

         lsig->u.logic = cli_mpool_strdup(engine->mempool, logic);

         free(logic);

         if(!lsig->u.logic) {

@@ -3554,7 +3554,7 @@ static int load_oneyara(YR_RULE *rule, struct cl_engine *engine, unsigned int op

         }

     } else {

         if (NULL != (lsig->u.code_start = rule->code_start)) {

-        lsig->type = CLI_NORMAL_YARA;

+            lsig->type = (rule->cl_flags & RULE_OFFSETS) ? CLI_YARA_OFFSET : CLI_YARA_NORMAL;

         } else {

             cli_errmsg("load_oneyara: code start is NULL\n");

             FREE_TDB(tdb);

@@ -4406,9 +4406,10 @@ int cl_engine_free(struct cl_engine *engine)

 		cli_ac_free(root);

 		if(root->ac_lsigtable) {

 		    for(j = 0; j < root->ac_lsigs; j++) {

-			if (root->ac_lsigtable[j]->type == CLI_NORMAL_LSIG)

+			if (root->ac_lsigtable[j]->type == CLI_LSIG_NORMAL)

 			    mpool_free(engine->mempool, root->ac_lsigtable[j]->u.logic);

-			else if (root->ac_lsigtable[j]->type == CLI_NORMAL_YARA)

+			else if (root->ac_lsigtable[j]->type == CLI_YARA_NORMAL ||

+                                 root->ac_lsigtable[j]->type == CLI_YARA_NORMAL)

 			    free(root->ac_lsigtable[j]->u.code_start);

 			FREE_TDB(root->ac_lsigtable[j]->tdb);

 			mpool_free(engine->mempool, root->ac_lsigtable[j]);

@@ -518,11 +518,12 @@ struct RE {

 #define YARA_PROTO

 #ifdef YARA_PROTO

-#define RULE_ANY  1

-#define RULE_ALL  2

-#define RULE_ONE  4

-#define RULE_THEM 8

-#define RULE_EP   16

+#define RULE_ANY        1

+#define RULE_ALL        2

+#define RULE_ONE        4

+#define RULE_THEM       8

+#define RULE_EP         16

+#define RULE_OFFSETS    32

 #endif

 /* YARA to ClamAV function mappings */

@@ -540,6 +541,7 @@ struct _yc_rule {

     STAILQ_HEAD(sq, _yc_string) strings;

     char * identifier;

     uint32_t g_flags;

+    uint32_t cl_flags;

     uint8_t * code_start;

 };

 typedef struct _yc_rule yc_rule;

@@ -572,6 +574,7 @@ typedef struct _yc_compiler {

     YR_NAMESPACE*       current_namespace;

     yc_string*          current_rule_strings;

     uint32_t            current_rule_flags;

+    uint32_t            current_rule_clflags;

     int8_t*             loop_address[MAX_LOOP_NESTING];

     char*               loop_identifier[MAX_LOOP_NESTING];

@@ -49,6 +49,7 @@ typedef struct _YR_MATCH

 // End of temp for clamAV

 #include "matcher.h"

+#include "matcher-ac.h"

 #include "yara_clam.h"

 #include "yara_exec.h"

 #endif

@@ -124,6 +125,9 @@ int yr_execute_code(

   uint8_t* ip = aclsig->u.code_start;

   uint32_t lsig_id;

   uint32_t rule_matches = 0;

+  struct cli_lsig_matches * ls_matches;

+  struct cli_subsig_matches * ss_matches;

+  uint32_t * offs;

 #endif

   YR_RULE* rule;

@@ -572,6 +576,7 @@ int yr_execute_code(

         found = 0;

+#if REAL_YARA

         while (match != NULL)

         {

           if (r1 == match->base + match->offset)

@@ -586,7 +591,22 @@ int yr_execute_code(

           match = match->next;

         }

-

+#else

+        ls_matches = acdata->lsig_matches[aclsig->id];

+        if (ls_matches != NULL) {

+            ss_matches = ls_matches->matches[string->subsig_id];

+            if (ss_matches != NULL) {

+                offs = ss_matches->offsets;

+                for (i = 0; i < ss_matches->next; i++) {

+                    if (offs[i] == r1) {

+                        push(1);

+                        found = 1;

+                        break;

+                    }

+                }

+            }

+        }

+#endif

         if (!found)

           push(0);

@@ -659,13 +659,13 @@ static const yytype_uint16 yyrline[] =

      373,   390,   429,   430,   435,   451,   464,   477,   494,   495,

      500,   514,   513,   530,   547,   548,   553,   554,   555,   556,

      561,   646,   696,   719,   759,   762,   784,   817,   864,   882,

-     891,   900,   915,   929,   942,   957,   971,  1005,   970,  1116,

-    1115,  1191,  1197,  1203,  1209,  1217,  1226,  1235,  1244,  1253,

-    1280,  1307,  1334,  1338,  1346,  1347,  1352,  1374,  1386,  1402,

-    1401,  1407,  1419,  1420,  1425,  1430,  1439,  1440,  1447,  1458,

-    1462,  1471,  1486,  1497,  1508,  1519,  1530,  1541,  1552,  1561,

-    1586,  1599,  1612,  1632,  1667,  1676,  1685,  1694,  1703,  1712,

-    1721,  1730,  1739,  1747,  1756,  1765

+     891,   900,   915,   929,   942,   959,   973,  1007,   972,  1118,

+    1117,  1193,  1199,  1205,  1211,  1219,  1228,  1237,  1246,  1255,

+    1282,  1309,  1336,  1340,  1348,  1349,  1354,  1376,  1388,  1404,

+    1403,  1409,  1421,  1422,  1427,  1432,  1441,  1442,  1449,  1460,

+    1464,  1473,  1488,  1499,  1510,  1521,  1532,  1543,  1554,  1563,

+    1588,  1601,  1614,  1634,  1669,  1678,  1687,  1696,  1705,  1714,

+    1723,  1732,  1741,  1749,  1758,  1767

 };

 #endif

@@ -2751,6 +2751,8 @@ yyreduce:

     {

         CHECK_TYPE((yyvsp[(3) - (3)].expression_type), EXPRESSION_TYPE_INTEGER, "at");

+        compiler->current_rule_clflags |= RULE_OFFSETS;

+

         compiler->last_result = yr_parser_reduce_string_identifier(

             yyscanner,

             (yyvsp[(1) - (3)].c_string),

@@ -2767,7 +2769,7 @@ yyreduce:

   case 55:

 /* Line 1806 of yacc.c  */

-#line 958 "yara_grammar.y"

+#line 960 "yara_grammar.y"

     {

         compiler->last_result = yr_parser_reduce_string_identifier(

             yyscanner,

@@ -2785,7 +2787,7 @@ yyreduce:

   case 56:

 /* Line 1806 of yacc.c  */

-#line 971 "yara_grammar.y"

+#line 973 "yara_grammar.y"

     {

         int var_index;

@@ -2824,7 +2826,7 @@ yyreduce:

   case 57:

 /* Line 1806 of yacc.c  */

-#line 1005 "yara_grammar.y"

+#line 1007 "yara_grammar.y"

     {

         int mem_offset = LOOP_LOCAL_VARS * compiler->loop_depth;

@@ -2864,7 +2866,7 @@ yyreduce:

   case 58:

 /* Line 1806 of yacc.c  */

-#line 1040 "yara_grammar.y"

+#line 1042 "yara_grammar.y"

     {

         int mem_offset;

@@ -2945,7 +2947,7 @@ yyreduce:

   case 59:

 /* Line 1806 of yacc.c  */

-#line 1116 "yara_grammar.y"

+#line 1118 "yara_grammar.y"

     {

         int mem_offset = LOOP_LOCAL_VARS * compiler->loop_depth;

         int8_t* addr;

@@ -2980,7 +2982,7 @@ yyreduce:

   case 60:

 /* Line 1806 of yacc.c  */

-#line 1146 "yara_grammar.y"

+#line 1148 "yara_grammar.y"

     {

         int mem_offset;

@@ -3031,7 +3033,7 @@ yyreduce:

   case 61:

 /* Line 1806 of yacc.c  */

-#line 1192 "yara_grammar.y"

+#line 1194 "yara_grammar.y"

     {

         yr_parser_emit(yyscanner, OP_OF, NULL);

@@ -3042,7 +3044,7 @@ yyreduce:

   case 62:

 /* Line 1806 of yacc.c  */

-#line 1198 "yara_grammar.y"

+#line 1200 "yara_grammar.y"

     {

         yr_parser_emit(yyscanner, OP_NOT, NULL);

@@ -3053,7 +3055,7 @@ yyreduce:

   case 63:

 /* Line 1806 of yacc.c  */

-#line 1204 "yara_grammar.y"

+#line 1206 "yara_grammar.y"

     {

         yr_parser_emit(yyscanner, OP_AND, NULL);

@@ -3064,7 +3066,7 @@ yyreduce:

   case 64:

 /* Line 1806 of yacc.c  */

-#line 1210 "yara_grammar.y"

+#line 1212 "yara_grammar.y"

     {

         CHECK_TYPE((yyvsp[(1) - (3)].expression_type), EXPRESSION_TYPE_BOOLEAN, "or");

@@ -3077,7 +3079,7 @@ yyreduce:

   case 65:

 /* Line 1806 of yacc.c  */

-#line 1218 "yara_grammar.y"

+#line 1220 "yara_grammar.y"

     {

         CHECK_TYPE((yyvsp[(1) - (3)].expression_type), EXPRESSION_TYPE_INTEGER, "<");

         CHECK_TYPE((yyvsp[(3) - (3)].expression_type), EXPRESSION_TYPE_INTEGER, "<");

@@ -3091,7 +3093,7 @@ yyreduce:

   case 66:

 /* Line 1806 of yacc.c  */

-#line 1227 "yara_grammar.y"

+#line 1229 "yara_grammar.y"

     {

         CHECK_TYPE((yyvsp[(1) - (3)].expression_type), EXPRESSION_TYPE_INTEGER, ">");

         CHECK_TYPE((yyvsp[(3) - (3)].expression_type), EXPRESSION_TYPE_INTEGER, ">");

@@ -3105,7 +3107,7 @@ yyreduce:

   case 67:

 /* Line 1806 of yacc.c  */

-#line 1236 "yara_grammar.y"

+#line 1238 "yara_grammar.y"

     {

         CHECK_TYPE((yyvsp[(1) - (3)].expression_type), EXPRESSION_TYPE_INTEGER, "<=");

         CHECK_TYPE((yyvsp[(3) - (3)].expression_type), EXPRESSION_TYPE_INTEGER, "<=");

@@ -3119,7 +3121,7 @@ yyreduce:

   case 68:

 /* Line 1806 of yacc.c  */

-#line 1245 "yara_grammar.y"

+#line 1247 "yara_grammar.y"

     {

         CHECK_TYPE((yyvsp[(1) - (3)].expression_type), EXPRESSION_TYPE_INTEGER, ">=");

         CHECK_TYPE((yyvsp[(3) - (3)].expression_type), EXPRESSION_TYPE_INTEGER, ">=");

@@ -3133,7 +3135,7 @@ yyreduce:

   case 69:

 /* Line 1806 of yacc.c  */

-#line 1254 "yara_grammar.y"

+#line 1256 "yara_grammar.y"

     {

         if ((yyvsp[(1) - (3)].expression_type) != (yyvsp[(3) - (3)].expression_type))

         {

@@ -3165,7 +3167,7 @@ yyreduce:

   case 70:

 /* Line 1806 of yacc.c  */

-#line 1281 "yara_grammar.y"

+#line 1283 "yara_grammar.y"

     {

         if ((yyvsp[(1) - (3)].expression_type) != (yyvsp[(3) - (3)].expression_type))

         {

@@ -3197,7 +3199,7 @@ yyreduce:

   case 71:

 /* Line 1806 of yacc.c  */

-#line 1308 "yara_grammar.y"

+#line 1310 "yara_grammar.y"

     {

         if ((yyvsp[(1) - (3)].expression_type) != (yyvsp[(3) - (3)].expression_type))

         {

@@ -3229,7 +3231,7 @@ yyreduce:

   case 72:

 /* Line 1806 of yacc.c  */

-#line 1335 "yara_grammar.y"

+#line 1337 "yara_grammar.y"

     {

         (yyval.expression_type) = (yyvsp[(1) - (1)].expression_type);

       }

@@ -3238,7 +3240,7 @@ yyreduce:

   case 73:

 /* Line 1806 of yacc.c  */

-#line 1339 "yara_grammar.y"

+#line 1341 "yara_grammar.y"

     {

         (yyval.expression_type) = (yyvsp[(2) - (3)].expression_type);

       }

@@ -3247,21 +3249,21 @@ yyreduce:

   case 74:

 /* Line 1806 of yacc.c  */

-#line 1346 "yara_grammar.y"

+#line 1348 "yara_grammar.y"

     { (yyval.integer) = INTEGER_SET_ENUMERATION; }

     break;

   case 75:

 /* Line 1806 of yacc.c  */

-#line 1347 "yara_grammar.y"

+#line 1349 "yara_grammar.y"

     { (yyval.integer) = INTEGER_SET_RANGE; }

     break;

   case 76:

 /* Line 1806 of yacc.c  */

-#line 1353 "yara_grammar.y"

+#line 1355 "yara_grammar.y"

     {

         if ((yyvsp[(2) - (6)].expression_type) != EXPRESSION_TYPE_INTEGER)

         {

@@ -3284,7 +3286,7 @@ yyreduce:

   case 77:

 /* Line 1806 of yacc.c  */

-#line 1375 "yara_grammar.y"

+#line 1377 "yara_grammar.y"

     {

         if ((yyvsp[(1) - (1)].expression_type) != EXPRESSION_TYPE_INTEGER)

         {

@@ -3301,7 +3303,7 @@ yyreduce:

   case 78:

 /* Line 1806 of yacc.c  */

-#line 1387 "yara_grammar.y"

+#line 1389 "yara_grammar.y"

     {

         if ((yyvsp[(3) - (3)].expression_type) != EXPRESSION_TYPE_INTEGER)

         {

@@ -3317,7 +3319,7 @@ yyreduce:

   case 79:

 /* Line 1806 of yacc.c  */

-#line 1402 "yara_grammar.y"

+#line 1404 "yara_grammar.y"

     {

         // Push end-of-list marker

         yr_parser_emit_with_arg(yyscanner, OP_PUSH, UNDEFINED, NULL);

@@ -3327,12 +3329,12 @@ yyreduce:

   case 81:

 /* Line 1806 of yacc.c  */

-#line 1408 "yara_grammar.y"

+#line 1410 "yara_grammar.y"

     {

         yr_parser_emit_with_arg(yyscanner, OP_PUSH, UNDEFINED, NULL);

         yr_parser_emit_pushes_for_strings(yyscanner, "$*");

 #ifdef YARA_PROTO

-        compiler->current_rule_flags |= RULE_THEM;

+        compiler->current_rule_clflags |= RULE_THEM;

 #endif

       }

     break;

@@ -3340,7 +3342,7 @@ yyreduce:

   case 84:

 /* Line 1806 of yacc.c  */

-#line 1426 "yara_grammar.y"

+#line 1428 "yara_grammar.y"

     {

         yr_parser_emit_pushes_for_strings(yyscanner, (yyvsp[(1) - (1)].c_string));

         yr_free((yyvsp[(1) - (1)].c_string));

@@ -3350,7 +3352,7 @@ yyreduce:

   case 85:

 /* Line 1806 of yacc.c  */

-#line 1431 "yara_grammar.y"

+#line 1433 "yara_grammar.y"

     {

         yr_parser_emit_pushes_for_strings(yyscanner, (yyvsp[(1) - (1)].c_string));

         yr_free((yyvsp[(1) - (1)].c_string));

@@ -3360,11 +3362,11 @@ yyreduce:

   case 87:

 /* Line 1806 of yacc.c  */

-#line 1441 "yara_grammar.y"

+#line 1443 "yara_grammar.y"

     {

         yr_parser_emit_with_arg(yyscanner, OP_PUSH, UNDEFINED, NULL);

 #ifdef YARA_PROTO

-        compiler->current_rule_flags |= RULE_ALL;

+        compiler->current_rule_clflags |= RULE_ALL;

 #endif

       }

     break;

@@ -3372,11 +3374,11 @@ yyreduce:

   case 88:

 /* Line 1806 of yacc.c  */

-#line 1448 "yara_grammar.y"

+#line 1450 "yara_grammar.y"

     {

         yr_parser_emit_with_arg(yyscanner, OP_PUSH, 1, NULL);

 #ifdef YARA_PROTO

-        compiler->current_rule_flags |= RULE_ANY;

+        compiler->current_rule_clflags |= RULE_ANY;

 #endif

       }

     break;

@@ -3384,7 +3386,7 @@ yyreduce:

   case 89:

 /* Line 1806 of yacc.c  */

-#line 1459 "yara_grammar.y"

+#line 1461 "yara_grammar.y"

     {

         (yyval.expression_type) = (yyvsp[(2) - (3)].expression_type);

       }

@@ -3393,7 +3395,7 @@ yyreduce:

   case 90:

 /* Line 1806 of yacc.c  */

-#line 1463 "yara_grammar.y"

+#line 1465 "yara_grammar.y"

     {

         compiler->last_result = yr_parser_emit(

             yyscanner, OP_FILESIZE, NULL);

@@ -3407,13 +3409,13 @@ yyreduce:

   case 91:

 /* Line 1806 of yacc.c  */

-#line 1472 "yara_grammar.y"

+#line 1474 "yara_grammar.y"

     {

 #ifndef YARA_PROTO

         yywarning(yyscanner,

             "Using deprecated \"entrypoint\" keyword. Use the \"entry_point\" " "function from PE module instead.");

 #else

-        compiler->current_rule_flags |= RULE_EP;

+        compiler->current_rule_clflags |= RULE_EP;

 #endif

         compiler->last_result = yr_parser_emit(

             yyscanner, OP_ENTRYPOINT, NULL);

@@ -3427,7 +3429,7 @@ yyreduce:

   case 92:

 /* Line 1806 of yacc.c  */

-#line 1487 "yara_grammar.y"

+#line 1489 "yara_grammar.y"

     {

         CHECK_TYPE((yyvsp[(3) - (4)].expression_type), EXPRESSION_TYPE_INTEGER, "int8");

@@ -3443,7 +3445,7 @@ yyreduce:

   case 93:

 /* Line 1806 of yacc.c  */

-#line 1498 "yara_grammar.y"

+#line 1500 "yara_grammar.y"

     {

         CHECK_TYPE((yyvsp[(3) - (4)].expression_type), EXPRESSION_TYPE_INTEGER, "int16");

@@ -3459,7 +3461,7 @@ yyreduce:

   case 94:

 /* Line 1806 of yacc.c  */

-#line 1509 "yara_grammar.y"

+#line 1511 "yara_grammar.y"

     {

         CHECK_TYPE((yyvsp[(3) - (4)].expression_type), EXPRESSION_TYPE_INTEGER, "int32");

@@ -3475,7 +3477,7 @@ yyreduce:

   case 95:

 /* Line 1806 of yacc.c  */

-#line 1520 "yara_grammar.y"

+#line 1522 "yara_grammar.y"

     {

         CHECK_TYPE((yyvsp[(3) - (4)].expression_type), EXPRESSION_TYPE_INTEGER, "uint8");

@@ -3491,7 +3493,7 @@ yyreduce:

   case 96:

 /* Line 1806 of yacc.c  */

-#line 1531 "yara_grammar.y"

+#line 1533 "yara_grammar.y"

     {

         CHECK_TYPE((yyvsp[(3) - (4)].expression_type), EXPRESSION_TYPE_INTEGER, "uint16");

@@ -3507,7 +3509,7 @@ yyreduce:

   case 97:

 /* Line 1806 of yacc.c  */

-#line 1542 "yara_grammar.y"

+#line 1544 "yara_grammar.y"

     {

         CHECK_TYPE((yyvsp[(3) - (4)].expression_type), EXPRESSION_TYPE_INTEGER, "uint32");

@@ -3523,7 +3525,7 @@ yyreduce:

   case 98:

 /* Line 1806 of yacc.c  */

-#line 1553 "yara_grammar.y"

+#line 1555 "yara_grammar.y"

     {

         compiler->last_result = yr_parser_emit_with_arg(

             yyscanner, OP_PUSH, (yyvsp[(1) - (1)].integer), NULL);

@@ -3537,7 +3539,7 @@ yyreduce:

   case 99:

 /* Line 1806 of yacc.c  */

-#line 1562 "yara_grammar.y"

+#line 1564 "yara_grammar.y"

     {

         SIZED_STRING* sized_string = (yyvsp[(1) - (1)].sized_string);

         char* string;

@@ -3567,7 +3569,7 @@ yyreduce:

   case 100:

 /* Line 1806 of yacc.c  */

-#line 1587 "yara_grammar.y"

+#line 1589 "yara_grammar.y"

     {

         compiler->last_result = yr_parser_reduce_string_identifier(

             yyscanner,

@@ -3585,7 +3587,7 @@ yyreduce:

   case 101:

 /* Line 1806 of yacc.c  */

-#line 1600 "yara_grammar.y"

+#line 1602 "yara_grammar.y"

     {

         compiler->last_result = yr_parser_reduce_string_identifier(

             yyscanner,

@@ -3603,7 +3605,7 @@ yyreduce:

   case 102:

 /* Line 1806 of yacc.c  */

-#line 1613 "yara_grammar.y"

+#line 1615 "yara_grammar.y"

     {

         compiler->last_result = yr_parser_emit_with_arg(

             yyscanner,