@@ -75,7 +75,8 @@ DIST_COMMON = README $(am__configure_deps) $(srcdir)/Makefile.am \

 	$(top_srcdir)/docs/man/sigtool.1.in AUTHORS COPYING ChangeLog \

 	INSTALL NEWS config/compile config/config.guess \

 	config/config.rpath config/config.sub config/depcomp \

-	config/install-sh config/ltmain.sh config/missing

+	config/install-sh config/ltmain.sh config/missing \

+	config/ylwrap

 ACLOCAL_M4 = $(top_srcdir)/aclocal.m4

 am__aclocal_m4_deps = $(top_srcdir)/m4/acinclude.m4 \

 	$(top_srcdir)/m4/argz.m4 \

@@ -17,6 +17,7 @@

 #  Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston,

 #  MA 02110-1301, USA.

+AM_YFLAGS = -d

 AM_CPPFLAGS = -I$(top_srcdir) -I@srcdir@/nsis $(LTDLINCL)

 AM_CFLAGS=@WERR_CFLAGS@

 lib_LTLIBRARIES =

@@ -442,6 +443,9 @@ libclamav_la_SOURCES = \

 	hostid.h \

 	openioc.c \

 	openioc.h \

+	yara_grammar.y \

+	yara_lexer.l \

+	yara_lexer.h \

 	yara_clam.h

 libclamav_la_SOURCES += bignum.h\

@@ -66,7 +66,8 @@ target_triplet = @target@

 @VERSIONSCRIPT_TRUE@am__append_6 = -Wl,@VERSIONSCRIPTFLAG@,@top_srcdir@/libclamav/libclamav.map

 subdir = libclamav

 DIST_COMMON = $(include_HEADERS) $(srcdir)/Makefile.am \

-	$(srcdir)/Makefile.in

+	$(srcdir)/Makefile.in yara_grammar.c yara_grammar.h \

+	yara_lexer.c

 ACLOCAL_M4 = $(top_srcdir)/aclocal.m4

 am__aclocal_m4_deps = $(top_srcdir)/m4/acinclude.m4 \

 	$(top_srcdir)/m4/argz.m4 \

@@ -238,6 +239,7 @@ am_libclamav_la_OBJECTS = libclamav_la-matcher-ac.lo \

 	libclamav_la-asn1.lo libclamav_la-fpu.lo libclamav_la-stats.lo \

 	libclamav_la-www.lo libclamav_la-stats_json.lo \

 	libclamav_la-hostid.lo libclamav_la-openioc.lo \

+	libclamav_la-yara_grammar.lo libclamav_la-yara_lexer.lo \

 	libclamav_la-fp_add.lo libclamav_la-fp_add_d.lo \

 	libclamav_la-fp_addmod.lo libclamav_la-fp_cmp.lo \

 	libclamav_la-fp_cmp_d.lo libclamav_la-fp_cmp_mag.lo \

@@ -396,6 +398,21 @@ LINK = $(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) \

 AM_V_CCLD = $(am__v_CCLD_@AM_V@)

 am__v_CCLD_ = $(am__v_CCLD_@AM_DEFAULT_V@)

 am__v_CCLD_0 = @echo "  CCLD  " $@;

+@MAINTAINER_MODE_FALSE@am__skiplex = test -f $@ ||

+LEXCOMPILE = $(LEX) $(AM_LFLAGS) $(LFLAGS)

+LTLEXCOMPILE = $(LIBTOOL) $(AM_V_lt) $(AM_LIBTOOLFLAGS) \

+	$(LIBTOOLFLAGS) --mode=compile $(LEX) $(AM_LFLAGS) $(LFLAGS)

+AM_V_LEX = $(am__v_LEX_@AM_V@)

+am__v_LEX_ = $(am__v_LEX_@AM_DEFAULT_V@)

+am__v_LEX_0 = @echo "  LEX   " $@;

+YLWRAP = $(top_srcdir)/config/ylwrap

+@MAINTAINER_MODE_FALSE@am__skipyacc = test -f $@ ||

+YACCCOMPILE = $(YACC) $(AM_YFLAGS) $(YFLAGS)

+LTYACCCOMPILE = $(LIBTOOL) $(AM_V_lt) $(AM_LIBTOOLFLAGS) \

+	$(LIBTOOLFLAGS) --mode=compile $(YACC) $(AM_YFLAGS) $(YFLAGS)

+AM_V_YACC = $(am__v_YACC_@AM_V@)

+am__v_YACC_ = $(am__v_YACC_@AM_DEFAULT_V@)

+am__v_YACC_0 = @echo "  YACC  " $@;

 AM_V_GEN = $(am__v_GEN_@AM_V@)

 am__v_GEN_ = $(am__v_GEN_@AM_DEFAULT_V@)

 am__v_GEN_0 = @echo "  GEN   " $@;

@@ -651,6 +668,7 @@ target_vendor = @target_vendor@

 top_build_prefix = @top_build_prefix@

 top_builddir = @top_builddir@

 top_srcdir = @top_srcdir@

+AM_YFLAGS = -d

 AM_CPPFLAGS = -I$(top_srcdir) -I@srcdir@/nsis $(LTDLINCL) \

 	$(am__append_1)

 AM_CFLAGS = @WERR_CFLAGS@

@@ -810,10 +828,10 @@ libclamav_la_SOURCES = matcher-ac.c matcher-ac.h matcher-bm.c \

 	iso9660.h arc4.c arc4.h rijndael.c rijndael.h crtmgr.c \

 	crtmgr.h asn1.c asn1.h fpu.c fpu.h stats.c stats.h www.c www.h \

 	stats_json.c stats_json.h hostid.c hostid.h openioc.c \

-	openioc.h yara_clam.h bignum.h bignum_fast.h \

-	tomsfastmath/addsub/fp_add.c tomsfastmath/addsub/fp_add_d.c \

-	tomsfastmath/addsub/fp_addmod.c tomsfastmath/addsub/fp_cmp.c \

-	tomsfastmath/addsub/fp_cmp_d.c \

+	openioc.h yara_grammar.y yara_lexer.l yara_lexer.h yara_clam.h \

+	bignum.h bignum_fast.h tomsfastmath/addsub/fp_add.c \

+	tomsfastmath/addsub/fp_add_d.c tomsfastmath/addsub/fp_addmod.c \

+	tomsfastmath/addsub/fp_cmp.c tomsfastmath/addsub/fp_cmp_d.c \

 	tomsfastmath/addsub/fp_cmp_mag.c tomsfastmath/addsub/fp_sub.c \

 	tomsfastmath/addsub/fp_sub_d.c tomsfastmath/addsub/fp_submod.c \

 	tomsfastmath/addsub/s_fp_add.c tomsfastmath/addsub/s_fp_sub.c \

@@ -884,7 +902,7 @@ all: $(BUILT_SOURCES)

 	$(MAKE) $(AM_MAKEFLAGS) all-recursive

 .SUFFIXES:

-.SUFFIXES: .c .lo .o .obj

+.SUFFIXES: .c .l .lo .o .obj .y

 $(srcdir)/Makefile.in: @MAINTAINER_MODE_TRUE@ $(srcdir)/Makefile.am  $(am__configure_deps)

 	@for dep in $?; do \

 	  case '$(am__configure_deps)' in \

@@ -955,6 +973,9 @@ clean-noinstLTLIBRARIES:

 	  echo "rm -f \"$${dir}/so_locations\""; \

 	  rm -f "$${dir}/so_locations"; \

 	done

+yara_grammar.h: yara_grammar.c

+	@if test ! -f $@; then rm -f yara_grammar.c; else :; fi

+	@if test ! -f $@; then $(MAKE) $(AM_MAKEFLAGS) yara_grammar.c; else :; fi

 libclamav.la: $(libclamav_la_OBJECTS) $(libclamav_la_DEPENDENCIES) $(EXTRA_libclamav_la_DEPENDENCIES) 

 	$(AM_V_CCLD)$(libclamav_la_LINK) -rpath $(libdir) $(libclamav_la_OBJECTS) $(libclamav_la_LIBADD) $(LIBS)

 libclamav_internal_utils.la: $(libclamav_internal_utils_la_OBJECTS) $(libclamav_internal_utils_la_DEPENDENCIES) $(EXTRA_libclamav_internal_utils_la_DEPENDENCIES) 

@@ -1213,6 +1234,8 @@ distclean-compile:

 @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/libclamav_la-xar.Plo@am__quote@

 @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/libclamav_la-xdp.Plo@am__quote@

 @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/libclamav_la-xz_iface.Plo@am__quote@

+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/libclamav_la-yara_grammar.Plo@am__quote@

+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/libclamav_la-yara_lexer.Plo@am__quote@

 @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/libclamav_la-yc.Plo@am__quote@

 @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/libclamav_nocxx_la-bytecode_nojit.Plo@am__quote@

 @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/unrar.Plo@am__quote@

@@ -2205,6 +2228,20 @@ libclamav_la-openioc.lo: openioc.c

 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@

 @am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(libclamav_la_CFLAGS) $(CFLAGS) -c -o libclamav_la-openioc.lo `test -f 'openioc.c' || echo '$(srcdir)/'`openioc.c

+libclamav_la-yara_grammar.lo: yara_grammar.c

+@am__fastdepCC_TRUE@	$(AM_V_CC)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(libclamav_la_CFLAGS) $(CFLAGS) -MT libclamav_la-yara_grammar.lo -MD -MP -MF $(DEPDIR)/libclamav_la-yara_grammar.Tpo -c -o libclamav_la-yara_grammar.lo `test -f 'yara_grammar.c' || echo '$(srcdir)/'`yara_grammar.c

+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/libclamav_la-yara_grammar.Tpo $(DEPDIR)/libclamav_la-yara_grammar.Plo

+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='yara_grammar.c' object='libclamav_la-yara_grammar.lo' libtool=yes @AMDEPBACKSLASH@

+@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@

+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(libclamav_la_CFLAGS) $(CFLAGS) -c -o libclamav_la-yara_grammar.lo `test -f 'yara_grammar.c' || echo '$(srcdir)/'`yara_grammar.c

+

+libclamav_la-yara_lexer.lo: yara_lexer.c

+@am__fastdepCC_TRUE@	$(AM_V_CC)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(libclamav_la_CFLAGS) $(CFLAGS) -MT libclamav_la-yara_lexer.lo -MD -MP -MF $(DEPDIR)/libclamav_la-yara_lexer.Tpo -c -o libclamav_la-yara_lexer.lo `test -f 'yara_lexer.c' || echo '$(srcdir)/'`yara_lexer.c

+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/libclamav_la-yara_lexer.Tpo $(DEPDIR)/libclamav_la-yara_lexer.Plo

+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='yara_lexer.c' object='libclamav_la-yara_lexer.lo' libtool=yes @AMDEPBACKSLASH@

+@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@

+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(libclamav_la_CFLAGS) $(CFLAGS) -c -o libclamav_la-yara_lexer.lo `test -f 'yara_lexer.c' || echo '$(srcdir)/'`yara_lexer.c

+

 libclamav_la-fp_add.lo: tomsfastmath/addsub/fp_add.c

 @am__fastdepCC_TRUE@	$(AM_V_CC)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(libclamav_la_CFLAGS) $(CFLAGS) -MT libclamav_la-fp_add.lo -MD -MP -MF $(DEPDIR)/libclamav_la-fp_add.Tpo -c -o libclamav_la-fp_add.lo `test -f 'tomsfastmath/addsub/fp_add.c' || echo '$(srcdir)/'`tomsfastmath/addsub/fp_add.c

 @am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/libclamav_la-fp_add.Tpo $(DEPDIR)/libclamav_la-fp_add.Plo

@@ -2996,6 +3033,12 @@ unrar_iface.lo: ../libclamunrar_iface/unrar_iface.c

 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@

 @am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o unrar_iface.lo `test -f '../libclamunrar_iface/unrar_iface.c' || echo '$(srcdir)/'`../libclamunrar_iface/unrar_iface.c

+.l.c:

+	$(AM_V_LEX)$(am__skiplex) $(SHELL) $(YLWRAP) $< $(LEX_OUTPUT_ROOT).c $@ -- $(LEXCOMPILE)

+

+.y.c:

+	$(AM_V_YACC)$(am__skipyacc) $(SHELL) $(YLWRAP) $< y.tab.c $@ y.tab.h $*.h y.output $*.output -- $(YACCCOMPILE)

+

 mostlyclean-libtool:

 	-rm -f *.lo

@@ -3254,6 +3297,9 @@ distclean-generic:

 maintainer-clean-generic:

 	@echo "This command is intended for maintainers to use"

 	@echo "it deletes files that may require special tools to rebuild."

+	-rm -f yara_grammar.c

+	-rm -f yara_grammar.h

+	-rm -f yara_lexer.c

 	-test -z "$(BUILT_SOURCES)" || rm -f $(BUILT_SOURCES)

 clean: clean-recursive

new file mode 100644

@@ -0,0 +1,1919 @@

+/*

+ * YARA rule parser for ClamAV

+ * 

+ * Copyright (C) 2014 Cisco Systems, Inc. and/or its affiliates. All rights reserved.

+ * 

+ * Authors: Steven Morgan

+ * 

+ * This program is free software; you can redistribute it and/or modify it under

+ * the terms of the GNU General Public License version 2 as published by the

+ * Free Software Foundation.

+ * 

+ * This program is distributed in the hope that it will be useful, but WITHOUT

+ * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or

+ * FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License for

+ * more details.

+ * 

+ * You should have received a copy of the GNU General Public License along with

+ * this program; if not, write to the Free Software Foundation, Inc., 51

+ * Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA.

+ */

+/* This file was originally derived from yara 3.1.0 libyara/parser.y and is

+   revised for running YARA rules in ClamAV. Following is the YARA copyright. */

+/*

+Copyright (c) 2007-2013. The YARA Authors. All Rights Reserved.

+

+Licensed under the Apache License, Version 2.0 (the "License");

+you may not use this file except in compliance with the License.

+You may obtain a copy of the License at

+

+   http://www.apache.org/licenses/LICENSE-2.0

+

+Unless required by applicable law or agreed to in writing, software

+distributed under the License is distributed on an "AS IS" BASIS,

+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.

+See the License for the specific language governing permissions and

+limitations under the License.

+*/

+

+%{

+

+#include <assert.h>

+#include <stdio.h>

+#include <stdint.h>

+#include <string.h>

+#include <limits.h>

+#include <stddef.h>

+

+#ifdef REAL_YARA

+#include <yara/utils.h>

+#include <yara/compiler.h>

+#include <yara/object.h>

+#include <yara/sizedstr.h>

+#include <yara/exec.h>

+#include <yara/error.h>

+#include <yara/mem.h>

+#include <yara/lexer.h>

+#include <yara/parser.h>

+#else

+#define YYDEBUG 1 /* Set for development testing */

+#include "libclamav/yara_clam.h"

+#include "clamav-config.h"

+#endif

+

+#define YYERROR_VERBOSE

+

+#define INTEGER_SET_ENUMERATION   1

+#define INTEGER_SET_RANGE         2

+

+#define EXPRESSION_TYPE_BOOLEAN   1

+#define EXPRESSION_TYPE_INTEGER   2

+#define EXPRESSION_TYPE_STRING    3

+#define EXPRESSION_TYPE_REGEXP    4

+

+

+#define ERROR_IF(x) \

+    if (x) \

+    { \

+      yyerror(yyscanner, compiler, NULL); \

+      YYERROR; \

+    } \

+

+

+#define CHECK_TYPE_WITH_CLEANUP(actual_type, expected_type, op, cleanup) \

+    if (actual_type != expected_type) \

+    { \

+      switch(actual_type) \

+      { \

+        case EXPRESSION_TYPE_INTEGER: \

+          yr_compiler_set_error_extra_info( \

+              compiler, "wrong type \"integer\" for " op " operator"); \

+          break; \

+        case EXPRESSION_TYPE_STRING: \

+          yr_compiler_set_error_extra_info( \

+              compiler, "wrong type \"string\" for \"" op "\" operator"); \

+          break; \

+      } \

+      compiler->last_result = ERROR_WRONG_TYPE; \

+      cleanup; \

+      yyerror(yyscanner, compiler, NULL); \

+      YYERROR; \

+    }

+

+#define CHECK_TYPE(actual_type, expected_type, op) \

+    CHECK_TYPE_WITH_CLEANUP(actual_type, expected_type, op, ) \

+

+

+#define MSG(op)  "wrong type \"string\" for \"" op "\" operator"

+

+%}

+

+

+%expect 2   // expect 2 shift/reduce conflicts

+

+%debug

+%name-prefix="yara_yy"

+%pure-parser

+%parse-param {void *yyscanner}

+%parse-param {YR_COMPILER* compiler}

+%lex-param {yyscan_t yyscanner}

+%lex-param {YR_COMPILER* compiler}

+

+%token _RULE_

+%token _PRIVATE_

+%token _GLOBAL_

+%token _META_

+%token <string> _STRINGS_

+%token _CONDITION_

+%token <c_string> _IDENTIFIER_

+%token <c_string> _STRING_IDENTIFIER_

+%token <c_string> _STRING_COUNT_

+%token <c_string> _STRING_OFFSET_

+%token <c_string> _STRING_IDENTIFIER_WITH_WILDCARD_

+%token <integer> _NUMBER_

+%token <sized_string> _TEXT_STRING_

+%token <sized_string> _HEX_STRING_

+%token <sized_string> _REGEXP_

+%token _ASCII_

+%token _WIDE_

+%token _NOCASE_

+%token _FULLWORD_

+%token _AT_

+%token _FILESIZE_

+%token _ENTRYPOINT_

+%token _ALL_

+%token _ANY_

+%token _IN_

+%token _OF_

+%token _FOR_

+%token _THEM_

+%token _INT8_

+%token _INT16_

+%token _INT32_

+%token _UINT8_

+%token _UINT16_

+%token _UINT32_

+%token _MATCHES_

+%token _CONTAINS_

+%token _IMPORT_

+

+%token _TRUE_

+%token _FALSE_

+

+%left _OR_

+%left _AND_

+%left '&' '|' '^'

+%left _LT_ _LE_ _GT_ _GE_ _EQ_ _NEQ_ _IS_

+%left _SHIFT_LEFT_ _SHIFT_RIGHT_

+%left '+' '-'

+%left '*' '\\' '%'

+%right _NOT_

+%right '~'

+

+%type <string> strings

+%type <string> string_declaration

+%type <string> string_declarations

+

+%type <meta> meta

+%type <meta> meta_declaration

+%type <meta> meta_declarations

+

+%type <c_string> tags

+%type <c_string> tag_list

+

+%type <integer> string_modifier

+%type <integer> string_modifiers

+

+%type <integer> integer_set

+

+%type <integer> rule_modifier

+%type <integer> rule_modifiers

+

+%type <object> identifier

+

+%type <expression_type> primary_expression

+%type <expression_type> boolean_expression

+%type <expression_type> expression

+%type <expression_type> regexp

+

+%type <c_string> arguments_list

+

+

+%destructor { yr_free($$); } _IDENTIFIER_

+%destructor { yr_free($$); } _STRING_IDENTIFIER_

+%destructor { yr_free($$); } _STRING_COUNT_

+%destructor { yr_free($$); } _STRING_OFFSET_

+%destructor { yr_free($$); } _STRING_IDENTIFIER_WITH_WILDCARD_

+%destructor { yr_free($$); } _TEXT_STRING_

+%destructor { yr_free($$); } _HEX_STRING_

+%destructor { yr_free($$); } _REGEXP_

+

+%union {

+  SIZED_STRING*   sized_string;

+  char*           c_string;

+  int8_t          expression_type;

+  int64_t         integer;

+  YR_STRING*      string;

+  YR_META*        meta;

+    //  YR_OBJECT*      object;

+}

+

+

+%%

+

+rules

+    : /* empty */

+    | rules rule

+    | rules import

+    | rules error rule      /* on error skip until next rule..*/

+    | rules error 'include' /* .. or include statement */

+    ;

+

+

+import

+    : _IMPORT_ _TEXT_STRING_

+      {

+#ifdef REAL_YARA

+        int result = yr_parser_reduce_import(yyscanner, $2);

+

+        yr_free($2);

+

+        ERROR_IF(result != ERROR_SUCCESS);

+#endif

+      }

+    ;

+

+

+rule

+    : rule_modifiers _RULE_ _IDENTIFIER_ tags '{' meta strings condition '}'

+      {

+#ifdef REAL_YARA

+        int result = yr_parser_reduce_rule_declaration(

+            yyscanner,

+            $1,

+            $3,

+            $4,

+            $7,

+            $6);

+

+        yr_free($3);

+

+        ERROR_IF(result != ERROR_SUCCESS);

+#endif

+      }

+    ;

+

+

+meta

+    : /* empty */

+      {

+#ifdef REAL_YARA

+        $$ = NULL;

+#endif

+      }

+    | _META_ ':' meta_declarations

+      {

+#ifdef REAL_YARA

+        // Each rule have a list of meta-data info, consisting in a

+        // sequence of YR_META structures. The last YR_META structure does

+        // not represent a real meta-data, it's just a end-of-list marker

+        // identified by a specific type (META_TYPE_NULL). Here we

+        // write the end-of-list marker.

+

+        YR_META null_meta;

+

+        memset(&null_meta, 0xFF, sizeof(YR_META));

+        null_meta.type = META_TYPE_NULL;

+

+        compiler->last_result = yr_arena_write_data(

+            compiler->metas_arena,

+            &null_meta,

+            sizeof(YR_META),

+            NULL);

+

+        $$ = $3;

+

+        ERROR_IF(compiler->last_result != ERROR_SUCCESS);

+#endif

+      }

+    ;

+

+

+strings

+    : /* empty */

+      {

+#ifdef REAL_YARA

+        $$ = NULL;

+        compiler->current_rule_strings = $$;

+#endif

+      }

+    | _STRINGS_ ':' string_declarations

+      {

+#ifdef REAL_YARA

+        // Each rule have a list of strings, consisting in a sequence

+        // of YR_STRING structures. The last YR_STRING structure does not

+        // represent a real string, it's just a end-of-list marker

+        // identified by a specific flag (STRING_FLAGS_NULL). Here we

+        // write the end-of-list marker.

+

+        YR_STRING null_string;

+

+        memset(&null_string, 0xFF, sizeof(YR_STRING));

+        null_string.g_flags = STRING_GFLAGS_NULL;

+

+        compiler->last_result = yr_arena_write_data(

+            compiler->strings_arena,

+            &null_string,

+            sizeof(YR_STRING),

+            NULL);

+

+        ERROR_IF(compiler->last_result != ERROR_SUCCESS);

+

+        compiler->current_rule_strings = $3;

+        $$ = $3;

+#endif

+      }

+    ;

+

+

+condition

+    : _CONDITION_ ':' boolean_expression

+    ;

+

+

+rule_modifiers

+    : /* empty */                      { $$ = 0;  }

+    | rule_modifiers rule_modifier     { $$ = $1 | $2; }

+    ;

+

+

+rule_modifier

+    : _PRIVATE_      { $$ = RULE_GFLAGS_PRIVATE; }

+    | _GLOBAL_       { $$ = RULE_GFLAGS_GLOBAL; }

+    ;

+

+

+tags

+    : /* empty */

+      {

+#ifdef REAL_YARA

+        $$ = NULL;

+#endif

+      }

+    | ':' tag_list

+      {

+#ifdef REAL_YARA

+        // Tags list is represented in the arena as a sequence

+        // of null-terminated strings, the sequence ends with an

+        // additional null character. Here we write the ending null

+        //character. Example: tag1\0tag2\0tag3\0\0

+

+        compiler->last_result = yr_arena_write_string(

+            yyget_extra(yyscanner)->sz_arena, "", NULL);

+

+        ERROR_IF(compiler->last_result != ERROR_SUCCESS);

+

+        $$ = $2;

+#endif

+      }

+    ;

+

+

+tag_list

+    : _IDENTIFIER_

+      {

+#ifdef REAL_YARA

+        char* identifier;

+

+        compiler->last_result = yr_arena_write_string(

+            yyget_extra(yyscanner)->sz_arena, $1, &identifier);

+

+        yr_free($1);

+

+        ERROR_IF(compiler->last_result != ERROR_SUCCESS);

+

+        $$ = identifier;

+#endif

+      }

+    | tag_list _IDENTIFIER_

+      {

+#ifdef REAL_YARA

+        char* tag_name = $1;

+        size_t tag_length = tag_name != NULL ? strlen(tag_name) : 0;

+

+        while (tag_length > 0)

+        {

+          if (strcmp(tag_name, $2) == 0)

+          {

+            yr_compiler_set_error_extra_info(compiler, tag_name);

+            compiler->last_result = ERROR_DUPLICATE_TAG_IDENTIFIER;

+            break;

+          }

+

+          tag_name = yr_arena_next_address(

+              yyget_extra(yyscanner)->sz_arena,

+              tag_name,

+              tag_length + 1);

+

+          tag_length = tag_name != NULL ? strlen(tag_name) : 0;

+        }

+

+        if (compiler->last_result == ERROR_SUCCESS)

+          compiler->last_result = yr_arena_write_string(

+              yyget_extra(yyscanner)->sz_arena, $2, NULL);

+

+        yr_free($2);

+

+        ERROR_IF(compiler->last_result != ERROR_SUCCESS);

+

+        $$ = $1;

+#endif

+      }

+    ;

+

+

+

+meta_declarations

+    : meta_declaration                    {  $$ = $1; }

+    | meta_declarations meta_declaration  {  $$ = $1; }

+    ;

+

+

+meta_declaration

+    : _IDENTIFIER_ '=' _TEXT_STRING_

+      {

+#ifdef REAL_YARA

+        SIZED_STRING* sized_string = $3;

+

+        $$ = yr_parser_reduce_meta_declaration(

+            yyscanner,

+            META_TYPE_STRING,

+            $1,

+            sized_string->c_string,

+            0);

+

+        yr_free($1);

+        yr_free($3);

+

+        ERROR_IF($$ == NULL);

+#endif

+      }

+    | _IDENTIFIER_ '=' _NUMBER_

+      {

+#ifdef REAL_YARA

+        $$ = yr_parser_reduce_meta_declaration(

+            yyscanner,

+            META_TYPE_INTEGER,

+            $1,

+            NULL,

+            $3);

+

+        yr_free($1);

+

+        ERROR_IF($$ == NULL);

+#endif

+      }

+    | _IDENTIFIER_ '=' _TRUE_

+      {

+#ifdef REAL_YARA

+        $$ = yr_parser_reduce_meta_declaration(

+            yyscanner,

+            META_TYPE_BOOLEAN,

+            $1,

+            NULL,

+            TRUE);

+

+        yr_free($1);

+

+        ERROR_IF($$ == NULL);

+#endif

+      }

+    | _IDENTIFIER_ '=' _FALSE_

+      {

+#ifdef REAL_YARA

+        $$ = yr_parser_reduce_meta_declaration(

+            yyscanner,

+            META_TYPE_BOOLEAN,

+            $1,

+            NULL,

+            FALSE);

+

+        yr_free($1);

+

+        ERROR_IF($$ == NULL);

+#endif

+      }

+    ;

+

+

+string_declarations

+    : string_declaration                      { $$ = $1; }

+    | string_declarations string_declaration  { $$ = $1; }

+    ;

+

+

+string_declaration

+    : _STRING_IDENTIFIER_ '=' _TEXT_STRING_ string_modifiers

+      {

+#ifdef REAL_YARA

+        $$ = yr_parser_reduce_string_declaration(

+            yyscanner,

+            $4,

+            $1,

+            $3);

+

+        yr_free($1);

+        yr_free($3);

+

+        ERROR_IF($$ == NULL);

+#endif

+      }

+    | _STRING_IDENTIFIER_ '='

+      {

+#ifdef REAL_YARA

+        compiler->error_line = yyget_lineno(yyscanner);

+#endif

+      }

+      _REGEXP_ string_modifiers

+      {

+#ifdef REAL_YARA

+        $$ = yr_parser_reduce_string_declaration(

+            yyscanner,

+            $5 | STRING_GFLAGS_REGEXP,

+            $1,

+            $4);

+

+        yr_free($1);

+        yr_free($4);

+

+        ERROR_IF($$ == NULL);

+#endif

+      }

+    | _STRING_IDENTIFIER_ '=' _HEX_STRING_

+      {

+#ifdef REAL_YARA

+        $$ = yr_parser_reduce_string_declaration(

+            yyscanner,

+            STRING_GFLAGS_HEXADECIMAL,

+            $1,

+            $3);

+

+        yr_free($1);

+        yr_free($3);

+

+        ERROR_IF($$ == NULL);

+#endif

+      }

+    ;

+

+

+string_modifiers

+    : /* empty */                         { $$ = 0; }

+    | string_modifiers string_modifier    { $$ = $1 | $2; }

+    ;

+

+

+string_modifier

+    : _WIDE_        { $$ = STRING_GFLAGS_WIDE; }

+    | _ASCII_       { $$ = STRING_GFLAGS_ASCII; }

+    | _NOCASE_      { $$ = STRING_GFLAGS_NO_CASE; }

+    | _FULLWORD_    { $$ = STRING_GFLAGS_FULL_WORD; }

+    ;

+

+

+identifier

+    : _IDENTIFIER_

+      {

+#ifdef REAL_YARA

+        YR_OBJECT* object = NULL;

+        YR_RULE* rule;

+

+        char* id;

+        char* ns = NULL;

+

+        int var_index;

+

+        var_index = yr_parser_lookup_loop_variable(yyscanner, $1);

+

+        if (var_index >= 0)

+        {

+         compiler->last_result = yr_parser_emit_with_arg(

+            yyscanner,

+            OP_PUSH_M,

+            LOOP_LOCAL_VARS * var_index,

+            NULL);

+

+          $$ = (YR_OBJECT*) -1;

+        }

+        else

+        {

+          // Search for identifier within the global namespace, where the

+          // externals variables reside.

+

+          object = (YR_OBJECT*) yr_hash_table_lookup(

+                compiler->objects_table,

+                $1,

+                NULL);

+

+          if (object == NULL)

+          {

+            // If not found, search within the current namespace.

+

+            ns = compiler->current_namespace->name;

+            object = (YR_OBJECT*) yr_hash_table_lookup(

+                compiler->objects_table,

+                $1,

+                ns);

+          }

+

+          if (object != NULL)

+          {

+            compiler->last_result = yr_arena_write_string(

+                compiler->sz_arena,

+                $1,

+                &id);

+

+            if (compiler->last_result == ERROR_SUCCESS)

+              compiler->last_result = yr_parser_emit_with_arg_reloc(

+                  yyscanner,

+                  OP_OBJ_LOAD,

+                  PTR_TO_UINT64(id),

+                  NULL);

+

+            $$ = object;

+          }

+          else

+          {

+            rule = (YR_RULE*) yr_hash_table_lookup(

+                compiler->rules_table,

+                $1,

+                compiler->current_namespace->name);

+

+            if (rule != NULL)

+            {

+              compiler->last_result = yr_parser_emit_with_arg_reloc(

+                  yyscanner,

+                  OP_PUSH_RULE,

+                  PTR_TO_UINT64(rule),

+                  NULL);

+            }

+            else

+            {

+              yr_compiler_set_error_extra_info(compiler, $1);

+              compiler->last_result = ERROR_UNDEFINED_IDENTIFIER;

+            }

+

+            $$ = (YR_OBJECT*) -2;

+          }

+        }

+

+        yr_free($1);

+

+        ERROR_IF(compiler->last_result != ERROR_SUCCESS);

+#endif

+      }

+    | identifier '.' _IDENTIFIER_

+      {

+#ifdef REAL_YARA

+        YR_OBJECT* object = $1;

+        YR_OBJECT* field = NULL;

+

+        char* ident;

+

+        if (object != NULL &&

+            object != (YR_OBJECT*) -1 &&    // not a loop variable identifier

+            object != (YR_OBJECT*) -2 &&    // not a rule identifier

+            object->type == OBJECT_TYPE_STRUCTURE)

+        {

+          field = yr_object_lookup_field(object, $3);

+

+          if (field != NULL)

+          {

+            compiler->last_result = yr_arena_write_string(

+              compiler->sz_arena,

+              $3,

+              &ident);

+

+            if (compiler->last_result == ERROR_SUCCESS)

+              compiler->last_result = yr_parser_emit_with_arg_reloc(

+                  yyscanner,

+                  OP_OBJ_FIELD,

+                  PTR_TO_UINT64(ident),

+                  NULL);

+          }

+          else

+          {

+            yr_compiler_set_error_extra_info(compiler, $3);

+            compiler->last_result = ERROR_INVALID_FIELD_NAME;

+          }

+        }

+        else

+        {

+          yr_compiler_set_error_extra_info(

+              compiler,

+              object->identifier);

+

+          compiler->last_result = ERROR_NOT_A_STRUCTURE;

+        }

+