@@ -457,9 +457,13 @@ int main(int argc, char **argv)

 #ifdef HAVE_BZLIB_H

 	printf("BZIP2 ");

 #endif

+

 #ifdef HAVE_LIBXML2

 	printf("LIBXML2 ");

 #endif

+#ifdef HAVE_PCRE

+	printf("PCRE ");

+#endif

 #ifdef HAVE_JSON

 	printf("JSON ");

 #endif

@@ -874,6 +874,36 @@ int recvloop_th(int *socketds, unsigned nsockets, struct cl_engine *engine, unsi

     val = cl_engine_get_num(engine, CL_ENGINE_MAX_ICONSPE, NULL);

     logg("Limits: MaxIconsPE limit set to %llu.\n", val);

+    if((opt = optget(opts, "PCREMatchLimit"))->active) {

+        if((ret = cl_engine_set_num(engine, CL_ENGINE_PCRE_MATCH_LIMIT, opt->numarg))) {

+            logg("!cli_engine_set_num(PCREMatchLimit) failed: %s\n", cl_strerror(ret));

+            cl_engine_free(engine);

+            return 1;

+        }

+    }

+    val = cl_engine_get_num(engine, CL_ENGINE_PCRE_MATCH_LIMIT, NULL);

+    logg("Limits: PCREMatchLimit limit set to %llu.\n", val);

+

+    if((opt = optget(opts, "PCRERecMatchLimit"))->active) {

+        if((ret = cl_engine_set_num(engine, CL_ENGINE_PCRE_RECMATCH_LIMIT, opt->numarg))) {

+            logg("!cli_engine_set_num(PCRERecMatchLimit) failed: %s\n", cl_strerror(ret));

+            cl_engine_free(engine);

+            return 1;

+        }

+    }

+    val = cl_engine_get_num(engine, CL_ENGINE_PCRE_RECMATCH_LIMIT, NULL);

+    logg("Limits: PCRERecMatchLimit limit set to %llu.\n", val);

+

+    if((opt = optget(opts, "PCREMaxFileSize"))->active) {

+        if((ret = cl_engine_set_num(engine, CL_ENGINE_PCRE_MAX_FILESIZE, opt->numarg))) {

+            logg("!cli_engine_set_num(PCREMaxFileSize) failed: %s\n", cl_strerror(ret));

+            cl_engine_free(engine);

+            return 1;

+        }

+    }

+    val = cl_engine_get_num(engine, CL_ENGINE_PCRE_MAX_FILESIZE, NULL);

+    logg("Limits: PCREMaxFileSize limit set to %llu.\n", val);

+

     if(optget(opts, "ScanArchive")->enabled) {

 	logg("Archive support enabled.\n");

 	options |= CL_SCAN_ARCHIVE;

@@ -283,6 +283,11 @@ void help(void)

     mprintf("    --disable-pe-stats                   Disable submission of individual PE sections in stats submissions\n");

     mprintf("    --stats-timeout=#n                   Number of seconds to wait for waiting a response back from the stats server\n");

     mprintf("    --stats-host-id=UUID                 Set the Host ID used when submitting statistical info.\n");

+#if HAVE_PCRE

+    mprintf("    --pcre-match-limit=#n                Maximum calls to the PCRE match function.\n");

+    mprintf("    --pcre-recmatch-limit=#n             Maximum recursive calls to the PCRE match function.\n");

+    mprintf("    --pcre-max-filesize=#n               Maximum size file to perform PCRE sunsig matching.\n");

+#endif /* HAVE_PCRE */

     mprintf("\n");

     mprintf("(*) Default scan settings\n");

     mprintf("(**) Certain files (e.g. documents, archives, etc.) may in turn contain other\n");

@@ -59,6 +59,7 @@

 #include "libclamav/clamav.h"

 #include "libclamav/others.h"

 #include "libclamav/matcher-ac.h"

+#include "libclamav/matcher-pcre.h"

 #include "libclamav/str.h"

 #include "libclamav/readdb.h"

 #include "libclamav/cltypes.h"

@@ -764,9 +765,6 @@ int scanmanager(const struct optstruct *opts)

     if(optget(opts, "bytecode-unsigned")->enabled)

         dboptions |= CL_DB_BYTECODE_UNSIGNED;

-    if(optget(opts, "bytecode-statistics")->enabled)

-        dboptions |= CL_DB_BYTECODE_STATS;

-

     if((opt = optget(opts,"bytecode-timeout"))->enabled)

         cl_engine_set_num(engine, CL_ENGINE_BYTECODE_TIMEOUT, opt->numarg);

@@ -785,6 +783,18 @@ int scanmanager(const struct optstruct *opts)

         cl_engine_set_num(engine, CL_ENGINE_BYTECODE_MODE, mode);

     }

+    if((opt = optget(opts, "statistics"))->enabled) {

+	while(opt) {

+	    if (!strcasecmp(opt->strarg, "bytecode")) {

+		dboptions |= CL_DB_BYTECODE_STATS;

+	    }

+	    else if (!strcasecmp(opt->strarg, "pcre")) {

+		dboptions |= CL_DB_PCRE_STATS;

+	    }

+	    opt = opt->nextarg;

+        }

+    }

+

     if((opt = optget(opts, "tempdir"))->enabled) {

         if((ret = cl_engine_set_str(engine, CL_ENGINE_TMPDIR, opt->strarg))) {

             logg("!cli_engine_set_str(CL_ENGINE_TMPDIR) failed: %s\n", cl_strerror(ret));

@@ -961,6 +971,30 @@ int scanmanager(const struct optstruct *opts)

         }

     }

+    if ((opt = optget(opts, "pcre-match-limit"))->active) {

+        if ((ret = cl_engine_set_num(engine, CL_ENGINE_PCRE_MATCH_LIMIT, opt->numarg))) {

+            logg("!cli_engine_set_num(CL_ENGINE_PCRE_MATCH_LIMIT) failed: %s\n", cl_strerror(ret));

+            cl_engine_free(engine);

+            return 2;

+        }

+    }

+

+    if ((opt = optget(opts, "pcre-recmatch-limit"))->active) {

+        if ((ret = cl_engine_set_num(engine, CL_ENGINE_PCRE_RECMATCH_LIMIT, opt->numarg))) {

+            logg("!cli_engine_set_num(CL_ENGINE_PCRE_RECMATCH_LIMIT) failed: %s\n", cl_strerror(ret));

+            cl_engine_free(engine);

+            return 2;

+        }

+    }

+

+    if ((opt = optget(opts, "pcre-max-filesize"))->active) {

+        if ((ret = cl_engine_set_num(engine, CL_ENGINE_PCRE_MAX_FILESIZE, opt->numarg))) {

+            logg("!cli_engine_set_num(CL_ENGINE_PCRE_MAX_FILESIZE) failed: %s\n", cl_strerror(ret));

+            cl_engine_free(engine);

+            return 2;

+        }

+    }

+

     /* set scan options */

     if(optget(opts, "allmatch")->enabled)

         options |= CL_SCAN_ALLMATCHES;

@@ -1129,9 +1163,20 @@ int scanmanager(const struct optstruct *opts)

         }

     }

-    if(optget(opts, "bytecode-statistics")->enabled) {

-        cli_sigperf_print();

-        cli_sigperf_events_destroy();

+    if((opt = optget(opts, "statistics"))->enabled) {

+	while(opt) {

+	    if (!strcasecmp(opt->strarg, "bytecode")) {

+		cli_sigperf_print();

+		cli_sigperf_events_destroy();

+	    }

+#if HAVE_PCRE

+	    else if (!strcasecmp(opt->strarg, "pcre")) {

+		cli_pcre_perf_print();

+		cli_pcre_perf_events_destroy();

+	    }

+#endif

+	    opt = opt->nextarg;

+        }

     }

     /* free the engine */

@@ -17541,37 +17541,39 @@ if test "${with_pcre+set}" = set; then :

   withval=$with_pcre;

   { $as_echo "$as_me:${as_lineno-$LINENO}: checking for libpcre installation" >&5

 $as_echo_n "checking for libpcre installation... " >&6; }

-  if test "X$withval" = "Xno"; then

+  case "$withval" in

+  no)

     { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5

 $as_echo "no" >&6; }

-  else

-    if test "X$withval" = "Xyes"; then

-      PCRE_HOME=/usr/local

-      if test ! -x "$PCRE_HOME/bin/pcre-config"; then

-        PCRE_HOME=/usr

-        if test ! -x "$PCRE_HOME/bin/pcre-config"; then

-          PCRE_HOME=""

-        fi

-      fi

-    elif test "$withval"; then

-      PCRE_HOME="$withval"

+    ;;

+  yes)

+    PCRE_HOME=/usr/local

+    if test ! -x "$PCRE_HOME/bin/pcre-config"; then

+      PCRE_HOME=/usr

       if test ! -x "$PCRE_HOME/bin/pcre-config"; then

         PCRE_HOME=""

-        as_fn_error $? "cannot locate libpcre at $withval" "$LINENO" 5

+        as_fn_error $? "cannot locate libpcre at /usr/local or /usr" "$LINENO" 5

       fi

-    else

-      as_fn_error $? "cannot assign blank value to --with-pcre" "$LINENO" 5

     fi

+    ;;

+  "")

+    as_fn_error $? "cannot assign blank value to --with-pcre" "$LINENO" 5

+    ;;

+  *)

+    PCRE_HOME="$withval"

+    if test ! -x "$PCRE_HOME/bin/pcre-config"; then

+      PCRE_HOME=""

+      as_fn_error $? "cannot locate libpcre at $withval" "$LINENO" 5

+    fi

+    ;;

+  esac

-    if test "x$PCRE_HOME" != "x"; then

-      { $as_echo "$as_me:${as_lineno-$LINENO}: result: using $PCRE_HOME" >&5

+  if test "x$PCRE_HOME" != "x"; then

+    { $as_echo "$as_me:${as_lineno-$LINENO}: result: using $PCRE_HOME" >&5

 $as_echo "using $PCRE_HOME" >&6; }

-    else

-      { $as_echo "$as_me:${as_lineno-$LINENO}: result: not found" >&5

+  else

+    { $as_echo "$as_me:${as_lineno-$LINENO}: result: not found" >&5

 $as_echo "not found" >&6; }

-      { $as_echo "$as_me:${as_lineno-$LINENO}: WARNING: cannot locate libpcre at /usr/local or /usr" >&5

-$as_echo "$as_me: WARNING: cannot locate libpcre at /usr/local or /usr" >&2;}

-    fi

   fi

 else

Binary files a/docs/signatures.pdf and b/docs/signatures.pdf differ

@@ -209,12 +209,12 @@ attachment.exe: OK

     MD5 signature for \verb+test.exe+ use the \verb+--md5+ option of sigtool:

     \begin{verbatim}

 zolw@localhost:/tmp/test$ sigtool --md5 test.exe > test.hdb

-zolw@localhost:/tmp/test$ cat test.hdb 

+zolw@localhost:/tmp/test$ cat test.hdb

 48c4533230e1ae1c118c741c0db19dfb:17387:test.exe

     \end{verbatim}

     That's it! The signature is ready for use:

     \begin{verbatim}

-zolw@localhost:/tmp/test$ clamscan -d test.hdb test.exe 

+zolw@localhost:/tmp/test$ clamscan -d test.hdb test.exe

 test.exe: test.exe FOUND

 ----------- SCAN SUMMARY -----------

@@ -242,7 +242,7 @@ Time: 0.024 sec (0 m 0 s)

     \subsubsection{SHA1 and SHA256 hash-based signatures}

     ClamAV 0.98 has also added support for SHA1 and SHA256 file checksums.

-    The format is the same as for MD5 file checksum. 

+    The format is the same as for MD5 file checksum.

     It can differentiate between them based on the length of the hash string

     in the signature. For best backwards compatibility, these should be

     placed inside a \verb+*.hsb+ file. The format is:

@@ -482,7 +482,7 @@ Sig1;Target:0;(0&1&2&3)&(4|1);6b6f74656b;616c61;7a6f6c77;7374656

 6616e;deadbeef

 Sig2;Target:0;((0|1|2)>5,2)&(3|1);6b6f74656b;616c61;7a6f6c77;737

-46566616e  

+46566616e

 Sig3;Target:0;((0|1|2|3)=2)&(4|1);6b6f74656b;616c61;7a6f6c77;737

 46566616e;deadbeef

@@ -492,15 +492,75 @@ f2aef7d14951684cf04100e8110a00;S2+78:22??232c2d252229{-15}6e6573

 (63|64)61706528;S+50:68efa311c3b9963cb1ee8e586d32aeb9043e;f9c58d

 cf43987e4f519d629b103375;SL+550:6300680065005c0046006900

     \end{verbatim}

-    ClamAV 0.96 introduced support for special macro subsignatures in

-    the following format: \verb+${min-max}MACROID$+, where \verb+MACROID+

-    points to a group of signatures and \verb+{min-max}+ specifies the

-    offset range at which one of the group signatures should match.

-    The range is calculated against the match offset of the previous

-    subsignature. The macro subsignature makes its preceding subsignature

-    considered a match only if both of them get matched. For more

-    information and examples please see

-    \url{https://bugzilla.clamav.net/show_bug.cgi?id=164}.

+

+    \subsection{Special Subsignature Types}

+    Macro subsignatures(clamav-0.96): \verb+${min-max}MACROID$+:

+    \begin{itemize}

+	\item \verb+MACROID+ points to a group of signatures and \verb+{min-max}+

+	specifies the offset range at which one of the group signatures should match.

+	\item The range is calculated against the match offset of the previous subsignature.

+	\item The macro subsignature makes its preceding subsignature considered a match

+	only if both of them get matched.

+	\item For more information and examples please see \url{https://wwws.clamav.net/bugzilla/show_bug.cgi?id=164}.

+    \end{itemize}

+    PCRE subsignatures(clamav-0.99): \verb+Trigger/PCRE/[Flags]+

+    \begin{itemize}

+    \item \verb+Trigger+ is a required field that is a valid \verb+LogicalExpression+ and

+    may refer to any subsignatures that precede this subsignature. Triggers cannot be

+    self-referential and cannot refer to subsequent subsignatures.

+    \item \verb+PCRE+ is the expression representing the regex to execute. \verb+PCRE+

+    must be delimited by '/', but does not need to be escaped within the expression.

+    \verb+PCRE+ cannot be empty and (?UTF*) control sequence is not allowed. If debug is specified,

+    named capture groups are displayed in a post-execution report.

+    \item \verb+Flags+ are a series of characters which affect the compilation and execution

+    of \verb+PCRE+ within the PCRE compiler and the ClamAV engine. This field is optional.

+	\begin{itemize}

+	\item \verb+g [CLAMAV_GLOBAL]+ specifies to search for ALL matches of PCRE (default is to

+        search for first match). NOTE: INCREASES the time needed to run the PCRE.

+        \item \verb+r [CLAMAV_ROLLING]+ specifies to use the given offset as the starting location

+        to search for a match as opposed to the only location; applies to subsigs without maxshifts.

+        By default, in order to facilatate normal ClamAV offset behavior, PCREs are auto-anchored

+        (only attempt match on first offset); using the rolling option disables the auto-anchoring.

+	\item \verb+e [CLAMAV_ENCOMPASS]+ specifies to CONFINE matching between the specified offset

+	and maxshift; applies only when maxshift is specified. Note: DECREASES time needed to run the PCRE.

+	\item \verb+i [PCRE_CASELESS]+

+	\item \verb+s [PCRE_DOTALL]+

+	\item \verb+m [PCRE_MULTILINE]+

+	\item \verb+x [PCRE_EXTENDED]+

+	\item \verb+A [PCRE_ANCHORED]+

+	\item \verb+E [PCRE_DOLLAR_ENODNLY]+

+	\item \verb+G [PCRE_UNGREEDY]+

+	\end{itemize}

+    \end{itemize}

+    Examples:

+    \begin{verbatim}

+Find.All.ClamAV;Target:0;1;6265676c6164697427736e6f7462797465636

+f6465;0/clamav/g

+

+Find.ClamAV.OnlyAt.299;Target:0;2;7374756c747a67657473;706372657

+2656765786c6f6c;299:0&1/clamav/

+

+Find.ClamAV.StartAt.300;Target:0;3;616c61696e;62756731393238;636

+c6f736564;300:0&1&2/clamav/r

+

+Find.All.Encompassed.ClamAV;Target:0;3;7768796172656e2774;796f75

+7573696e67;79617261;200,300:0&1&2/clamav/ge

+

+Named.CapGroup.Pcre;Target:0;3;636f75727479617264;616c62756d;746

+57272696572;50:0&1&2/variable=(?<nilshell>.{16})end/gr

+

+Firefox.TreeRange.UseAfterFree;Target:0;0&1&2;2e766965772e73656c

+656374696f6e;2e696e76616c696461746553656c656374696f6e;0&1/\x2Evi

+ew\x2Eselection.*?\x2Etree\s*\x3D\s*null.*?\x2Einvalidate/smi

+

+Firefox.IDB.UseAfterFree;Target:0;0&1;4944424b657952616e6765;0/^

+\x2e(only|lowerBound|upperBound|bound)\x28.*?\x29.*?\x2e(lower|u

+pper|lowerOpen|upperOpen)/smi

+

+Firefox.boundElements;Target:0;0&1&2;6576656e742e626f756e64456c6

+56d656e7473;77696e646f772e636c6f7365;0&1/on(load|click)\s*=\s*\x

+22?window\.close\s*\x28/si

+    \end{verbatim}

     \subsection{Icon signatures for PE files}

     ClamAV 0.96 includes an approximate/fuzzy icon matcher to help

@@ -522,6 +522,31 @@ Example

 # Default: 100

 #MaxIconsPE 200

+# This option sets the maximum calls to the PCRE match function during an instance of regex matching.

+# Instances using more than this limit will be terminated and alert the user but the scan will continue.

+# For more information on match_limit, see the PCRE documentation.

+# Negative values are not allowed.

+# WARNING: setting this limit too high may severely impact performance.

+# Default: 10000

+#PCREMatchLimit 20000

+

+# This option sets the maximum recursive calls to the PCRE match function during an instance of regex matching.

+# Instances using more than this limit will be terminated and alert the user but the scan will continue.

+# For more information on match_limit_recursion, see the PCRE documentation.

+# Negative values are not allowed and values > PCREMatchLimit are superfluous.

+# WARNING: setting this limit too high may severely impact performance.

+# Default: 5000

+#PCRERecMatchLimit 10000

+

+# This option sets the maximum filesize for which PCRE subsigs will be executed.

+# Files exceeding this limit will not have PCRE subsigs executed unless a subsig is encompassed to a smaller buffer.

+# Negative values are not allowed.

+# Setting this value to zero disables the limit.

+# WARNING: setting this limit too high or disabling it may severely impact performance.

+# Default: 25M

+#PCREMaxFileSize 100M

+

+

 ##

 ## On-access Scan Settings

 ##

@@ -450,7 +450,11 @@ libclamav_la_SOURCES = \

 	yara_parser.h \

 	yara_clam.h \

 	msdoc.c \

-	msdoc.h

+	msdoc.h \

+	matcher-pcre.c \

+	matcher-pcre.h \

+	regex_pcre.c \

+	regex_pcre.h

 libclamav_la_SOURCES += bignum.h\

 	bignum_fast.h\

@@ -286,6 +286,7 @@ am_libclamav_la_OBJECTS = libclamav_la-matcher-ac.lo \

 	libclamav_la-hostid.lo libclamav_la-openioc.lo \

 	libclamav_la-yara_grammar.lo libclamav_la-yara_lexer.lo \

 	libclamav_la-yara_parser.lo libclamav_la-msdoc.lo \

+	libclamav_la-matcher-pcre.lo libclamav_la-regex_pcre.lo \

 	libclamav_la-fp_add.lo libclamav_la-fp_add_d.lo \

 	libclamav_la-fp_addmod.lo libclamav_la-fp_cmp.lo \

 	libclamav_la-fp_cmp_d.lo libclamav_la-fp_cmp_mag.lo \

@@ -915,6 +916,7 @@ libclamav_la_SOURCES = matcher-ac.c matcher-ac.h matcher-bm.c \

 	stats_json.c stats_json.h hostid.c hostid.h openioc.c \

 	openioc.h yara_grammar.y yara_lexer.l yara_lexer.h \

 	yara_parser.c yara_parser.h yara_clam.h msdoc.c msdoc.h \

+	matcher-pcre.c matcher-pcre.h regex_pcre.c regex_pcre.h \

 	bignum.h bignum_fast.h tomsfastmath/addsub/fp_add.c \

 	tomsfastmath/addsub/fp_add_d.c tomsfastmath/addsub/fp_addmod.c \

 	tomsfastmath/addsub/fp_cmp.c tomsfastmath/addsub/fp_cmp_d.c \

@@ -1271,6 +1273,7 @@ distclean-compile:

 @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/libclamav_la-matcher-ac.Plo@am__quote@

 @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/libclamav_la-matcher-bm.Plo@am__quote@

 @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/libclamav_la-matcher-hash.Plo@am__quote@

+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/libclamav_la-matcher-pcre.Plo@am__quote@

 @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/libclamav_la-matcher.Plo@am__quote@

 @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/libclamav_la-mbox.Plo@am__quote@

 @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/libclamav_la-mbr.Plo@am__quote@

@@ -1300,6 +1303,7 @@ distclean-compile:

 @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/libclamav_la-readdb.Plo@am__quote@

 @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/libclamav_la-rebuildpe.Plo@am__quote@

 @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/libclamav_la-regex_list.Plo@am__quote@

+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/libclamav_la-regex_pcre.Plo@am__quote@

 @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/libclamav_la-regex_suffix.Plo@am__quote@

 @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/libclamav_la-rijndael.Plo@am__quote@

 @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/libclamav_la-rtf.Plo@am__quote@

@@ -2356,6 +2360,20 @@ libclamav_la-msdoc.lo: msdoc.c

 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@

 @am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(libclamav_la_CFLAGS) $(CFLAGS) -c -o libclamav_la-msdoc.lo `test -f 'msdoc.c' || echo '$(srcdir)/'`msdoc.c

+libclamav_la-matcher-pcre.lo: matcher-pcre.c

+@am__fastdepCC_TRUE@	$(AM_V_CC)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(libclamav_la_CFLAGS) $(CFLAGS) -MT libclamav_la-matcher-pcre.lo -MD -MP -MF $(DEPDIR)/libclamav_la-matcher-pcre.Tpo -c -o libclamav_la-matcher-pcre.lo `test -f 'matcher-pcre.c' || echo '$(srcdir)/'`matcher-pcre.c

+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/libclamav_la-matcher-pcre.Tpo $(DEPDIR)/libclamav_la-matcher-pcre.Plo

+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='matcher-pcre.c' object='libclamav_la-matcher-pcre.lo' libtool=yes @AMDEPBACKSLASH@

+@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@

+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(libclamav_la_CFLAGS) $(CFLAGS) -c -o libclamav_la-matcher-pcre.lo `test -f 'matcher-pcre.c' || echo '$(srcdir)/'`matcher-pcre.c

+

+libclamav_la-regex_pcre.lo: regex_pcre.c

+@am__fastdepCC_TRUE@	$(AM_V_CC)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(libclamav_la_CFLAGS) $(CFLAGS) -MT libclamav_la-regex_pcre.lo -MD -MP -MF $(DEPDIR)/libclamav_la-regex_pcre.Tpo -c -o libclamav_la-regex_pcre.lo `test -f 'regex_pcre.c' || echo '$(srcdir)/'`regex_pcre.c

+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/libclamav_la-regex_pcre.Tpo $(DEPDIR)/libclamav_la-regex_pcre.Plo

+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='regex_pcre.c' object='libclamav_la-regex_pcre.lo' libtool=yes @AMDEPBACKSLASH@

+@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@

+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(libclamav_la_CFLAGS) $(CFLAGS) -c -o libclamav_la-regex_pcre.lo `test -f 'regex_pcre.c' || echo '$(srcdir)/'`regex_pcre.c

+

 libclamav_la-fp_add.lo: tomsfastmath/addsub/fp_add.c

 @am__fastdepCC_TRUE@	$(AM_V_CC)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(libclamav_la_CFLAGS) $(CFLAGS) -MT libclamav_la-fp_add.lo -MD -MP -MF $(DEPDIR)/libclamav_la-fp_add.Tpo -c -o libclamav_la-fp_add.lo `test -f 'tomsfastmath/addsub/fp_add.c' || echo '$(srcdir)/'`tomsfastmath/addsub/fp_add.c

 @am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/libclamav_la-fp_add.Tpo $(DEPDIR)/libclamav_la-fp_add.Plo

@@ -1454,6 +1454,11 @@ void cli_sigperf_print()

     struct sigperf_elem stats[MAX_BC], *elem = stats;

     int i, elems = 0, max_name_len = 0, name_len;

+    if (!g_sigid || !g_sigevents) {

+        cli_warnmsg("cli_sigperf_print: statistics requested but no bytecodes were loaded!\n");

+        return;

+    }

+

     memset(stats, 0, sizeof(stats));

     for (i=0;i<MAX_BC;i++) {

 	union ev_val val;

@@ -1479,6 +1484,8 @@ void cli_sigperf_print()

 	elem++;

 	elems++;

     }

+    if (max_name_len < strlen("Bytecode name"))

+        max_name_len = strlen("Bytecode name");

     cli_qsort(stats, elems, sizeof(struct sigperf_elem), sigelem_comp);

@@ -134,6 +134,7 @@ typedef enum {

 #define CL_DB_UNSIGNED	    0x10000 /* internal */

 #define CL_DB_BYTECODE_STATS 0x20000

 #define CL_DB_ENHANCED      0x40000

+#define CL_DB_PCRE_STATS    0x80000

 /* recommended db settings */

 #define CL_DB_STDOPT	    (CL_DB_PHISHING | CL_DB_PHISHING_URLS | CL_DB_BYTECODE)

@@ -233,7 +234,10 @@ enum cl_engine_field {

     CL_ENGINE_STATS_TIMEOUT,        /* uint32_t */

     CL_ENGINE_MAX_PARTITIONS,       /* uint32_t */

     CL_ENGINE_MAX_ICONSPE,          /* uint32_t */

-    CL_ENGINE_TIME_LIMIT            /* uint32_t */

+    CL_ENGINE_TIME_LIMIT,           /* uint32_t */

+    CL_ENGINE_PCRE_MATCH_LIMIT,     /* uint64_t */

+    CL_ENGINE_PCRE_RECMATCH_LIMIT,  /* uint64_t */

+    CL_ENGINE_PCRE_MAX_FILESIZE     /* uint64_t */

 };

 enum bytecode_security {

@@ -136,6 +136,10 @@ static struct dconf_module modules[] = {

     { "STATS",      "DISABLED",     DCONF_STATS_DISABLED,   0 },

     { "STATS",      "PESECTION DISABLED", DCONF_STATS_PE_SECTION_DISABLED, 0 },

+    { "PCRE",       "SUPPORT",      PCRE_CONF_SUPPORT,   1 },

+    { "PCRE",       "OPTIONS",      PCRE_CONF_OPTIONS,   1 },

+    { "PCRE",       "GLOBAL",       PCRE_CONF_GLOBAL,    1 },

+

     { NULL,     NULL,       0,              0 }

 };

@@ -189,6 +193,9 @@ struct cli_dconf *cli_dconf_init(void)

         } else if (!strcmp(modules[i].mname, "STATS")) {

             if (modules[i].state)

                 dconf->stats |= modules[i].bflag;

+        } else if (!strcmp(modules[i].mname, "PCRE")) {

+            if (modules[i].state)

+                dconf->pcre |= modules[i].bflag;

         }

     }

@@ -198,7 +205,7 @@ struct cli_dconf *cli_dconf_init(void)

 void cli_dconf_print(struct cli_dconf *dconf)

 {

     unsigned int pe = 0, elf = 0, macho = 0, arch = 0, doc = 0, mail = 0;

-    unsigned int other = 0, phishing = 0, i, bytecode=0, stats=0;

+    unsigned int other = 0, phishing = 0, i, bytecode=0, stats=0, pcre=0;

     cli_dbgmsg("Dynamic engine configuration settings:\n");

@@ -292,9 +299,28 @@ void cli_dconf_print(struct cli_dconf *dconf)

             }

             if (dconf->stats)

-                cli_dbgmsg("    * Submodule %10s:\t%s\n", modules[i].sname, (dconf->stats & modules[i].bflag) ? "On" : "** Off **");

+                cli_dbgmsg("   * Submodule %10s:\t%s\n", modules[i].sname, (dconf->stats & modules[i].bflag) ? "On" : "** Off **");

             else

                 continue;

+        } else if (!strcmp(modules[i].mname, "PCRE")) {

+#if HAVE_PCRE

+            if (!pcre) {

+                cli_dbgmsg("Module PCRE %s\n", dconf->pcre ? "On" : "Off");

+                pcre = 1;

+            }

+

+            if (dconf->pcre)

+                cli_dbgmsg("   * Submodule %10s:\t%s\n", modules[i].sname, (dconf->pcre & modules[i].bflag) ? "On" : "** Off **");

+            else

+                continue;

+#else

+            if (!pcre) {

+                cli_dbgmsg("Module PCRE Off\n");

+                pcre = 1;

+            }

+

+            continue;

+#endif

         }

     }

 }

@@ -437,6 +463,15 @@ int cli_dconf_load(FILE *fs, struct cl_engine *engine, unsigned int options, str

                 break;

             }

         }

+

+        if(!strncmp(buffer, "PCRE:", 5) && chkflevel(buffer, 2)) {

+            if(sscanf(buffer + 5, "0x%x", &val) == 1) {

+                engine->dconf->pcre = val;

+            } else {

+                ret = CL_EMALFDB;

+                break;

+            }

+        }

     }

     if(ret) {

@@ -42,6 +42,7 @@ struct cli_dconf {

     uint32_t phishing;

     uint32_t bytecode;

     uint32_t stats;

+    uint32_t pcre;

 };

 /* PE flags */

@@ -129,6 +130,11 @@ struct cli_dconf {

 #define DCONF_STATS_DISABLED            0x1

 #define DCONF_STATS_PE_SECTION_DISABLED 0x2

+/* PCRE flags */

+#define PCRE_CONF_SUPPORT 0x1

+#define PCRE_CONF_OPTIONS 0x2

+#define PCRE_CONF_GLOBAL  0x4

+

 #define BYTECODE_ENGINE_MASK (BYTECODE_INTERPRETER | BYTECODE_JIT_X86 | BYTECODE_JIT_PPC | BYTECODE_JIT_ARM)

 #ifdef USE_MPOOL

@@ -46,4 +46,9 @@

 #define CLI_DEFAULT_MAXPARTITIONS       50

+/* TODO - set better defaults */

+#define CLI_DEFAULT_PCRE_MATCH_LIMIT     10000

+#define CLI_DEFAULT_PCRE_RECMATCH_LIMIT  5000

+#define CLI_DEFAULT_PCRE_MAX_FILESIZE    26214400

+

 #endif

@@ -57,11 +57,14 @@ CLAMAV_PUBLIC {

     cl_finish_hash;

     cl_hash_destroy;

     cl_engine_stats_enable;

+    lsig_sub_matched;

 };

 CLAMAV_PRIVATE {

   global:

     cli_sigperf_print; 

     cli_sigperf_events_destroy; 

+    cli_pcre_perf_print;

+    cli_pcre_perf_events_destroy;

     cli_gettmpdir;

     cli_strtok;

@@ -1104,7 +1104,7 @@ inline static int ac_addtype(struct cli_matched_type **list, cli_file_t type, of

     return CL_SUCCESS;

 }

-static inline void lsig_sub_matched(const struct cli_matcher *root, struct cli_ac_data *mdata, uint32_t lsigid1, uint32_t lsigid2, uint32_t realoff, int partial)

+void lsig_sub_matched(const struct cli_matcher *root, struct cli_ac_data *mdata, uint32_t lsigid1, uint32_t lsigid2, uint32_t realoff, int partial)

 {

 	const struct cli_lsig_tdb *tdb = &root->ac_lsigtable[lsigid1]->tdb;

@@ -1359,9 +1359,9 @@ int cli_ac_scanbuff(const unsigned char *buffer, uint32_t length, const char **v

 				    if(res) {

 					newres = (struct cli_ac_result *) malloc(sizeof(struct cli_ac_result));

 					if(!newres) {

-                        cli_errmsg("cli_ac_scanbuff: Can't allocate memory for newres %lu\n", sizeof(struct cli_ac_result));

+					    cli_errmsg("cli_ac_scanbuff: Can't allocate memory for newres %lu\n", (unsigned long)sizeof(struct cli_ac_result));

 					    return CL_EMEM;

-                    }

+					}

 					newres->virname = pt->virname;

 					newres->customdata = pt->customdata;

 					newres->next = *res;

@@ -1412,9 +1412,9 @@ int cli_ac_scanbuff(const unsigned char *buffer, uint32_t length, const char **v

 				if(res) {

 				    newres = (struct cli_ac_result *) malloc(sizeof(struct cli_ac_result));

 				    if(!newres) {

-                        cli_errmsg("cli_ac_scanbuff: Can't allocate memory for newres %lu\n", sizeof(struct cli_ac_result));

-                        return CL_EMEM;

-                    }

+					cli_errmsg("cli_ac_scanbuff: Can't allocate memory for newres %lu\n", (unsigned long)sizeof(struct cli_ac_result));

+					return CL_EMEM;

+				    }

 				    newres->virname = pt->virname;

 				    newres->customdata = pt->customdata;

 				    newres->offset = realoff;

@@ -90,6 +90,7 @@ struct cli_ac_result {

 int cli_ac_addpatt(struct cli_matcher *root, struct cli_ac_patt *pattern);

 int cli_ac_initdata(struct cli_ac_data *data, uint32_t partsigs, uint32_t lsigs, uint32_t reloffsigs, uint8_t tracklen);

+void lsig_sub_matched(const struct cli_matcher *root, struct cli_ac_data *mdata, uint32_t lsigid1, uint32_t lsigid2, uint32_t realoff, int partial);

 void cli_ac_chkmacro(struct cli_matcher *root, struct cli_ac_data *data, unsigned lsigid1);

 int cli_ac_chklsig(const char *expr, const char *end, uint32_t *lsigcnt, unsigned int *cnt, uint64_t *ids, unsigned int parse_only);

 void cli_ac_freedata(struct cli_ac_data *data);

new file mode 100644

@@ -0,0 +1,792 @@

+/*

+ *  Support for matcher using PCRE

+ *

+ *  Copyright (C) 2007-2013 Sourcefire, Inc.

+ *  Copyright (C) 2014 Cisco Systems, Inc.

+ *  All Rights Reserved.

+ *

+ *  Authors: Kevin Lin

+ *

+ *  This program is free software; you can redistribute it and/or modify

+ *  it under the terms of the GNU General Public License version 2 as

+ *  published by the Free Software Foundation.

+ *

+ *  This program is distributed in the hope that it will be useful,

+ *  but WITHOUT ANY WARRANTY; without even the implied warranty of

+ *  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the

+ *  GNU General Public License for more details.

+ *

+ *  You should have received a copy of the GNU General Public License

+ *  along with this program; if not, write to the Free Software

+ *  Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston,

+ *  MA 02110-1301, USA.

+ */

+

+#if HAVE_CONFIG_H

+#include "clamav-config.h"

+#endif

+

+#include "clamav.h"

+#include "cltypes.h"

+#include "dconf.h"

+#include "events.h"

+#include "others.h"

+#include "matcher.h"

+#include "matcher-ac.h"

+#include "matcher-pcre.h"

+#include "mpool.h"

+#include "regex_pcre.h"

+

+#if HAVE_PCRE

+/* DEBUGGING */

+//#define MATCHER_PCRE_DEBUG

+#ifdef MATCHER_PCRE_DEBUG

+#  define pm_dbgmsg(...) cli_dbgmsg( __VA_ARGS__)

+#else

+#  define pm_dbgmsg(...)

+#endif

+#undef MATCHER_PCRE_DEBUG

+

+/* PERFORMANCE MACROS AND FUNCTIONS */

+#define MAX_TRACKED_PCRE 64

+#define PCRE_EVENTS_PER_SIG 2

+#define MAX_PCRE_SIGEVENT_ID MAX_TRACKED_PCRE*PCRE_EVENTS_PER_SIG

+

+cli_events_t *p_sigevents = NULL;

+unsigned int p_sigid = 0;

+

+static void pcre_perf_events_init(struct cli_pcre_meta *pm, const char *virname)

+{

+    int ret;

+    size_t namelen = strlen(virname)+strlen(pm->pdata.expression)+3;

+

+    if (!p_sigevents) {

+        p_sigevents = cli_events_new(MAX_PCRE_SIGEVENT_ID);

+        if (!p_sigevents) {

+            cli_errmsg("pcre_perf: no memory for events table\n");

+            return;

+        }

+    }

+

+    if (p_sigid > MAX_PCRE_SIGEVENT_ID - PCRE_EVENTS_PER_SIG - 1) {

+        cli_errmsg("pcre_perf: events table full. Increase MAX_TRACKED_PCRE\n");

+        return;

+    }

+

+    if (!virname)

+        virname = "(null)";

+

+    /* set the name */

+    pm->statname = cli_calloc(1, namelen);

+    if (!pm->statname) {

+        return;

+    }

+    snprintf(pm->statname, namelen, "%s/%s/", virname, pm->pdata.expression);

+

+    pm_dbgmsg("pcre_perf: adding sig ids starting %u for %s\n", p_sigid, pm->statname);

+

+    /* register time event */

+    pm->sigtime_id = p_sigid;

+    ret = cli_event_define(p_sigevents, p_sigid++, pm->statname, ev_time, multiple_sum);

+    if (ret) {

+        cli_errmsg("pcre_perf: cli_event_define() error for time event id %d\n", pm->sigtime_id);

+        pm->sigtime_id = MAX_PCRE_SIGEVENT_ID+1;

+        return;

+    }

+

+    /* register match count */

+    pm->sigmatch_id = p_sigid;

+    ret = cli_event_define(p_sigevents, p_sigid++, pm->statname, ev_int, multiple_sum);

+    if (ret) {

+        cli_errmsg("pcre_perf: cli_event_define() error for matches event id %d\n", pm->sigmatch_id);

+        pm->sigmatch_id = MAX_PCRE_SIGEVENT_ID+1;

+        return;

+    }

+}

+

+struct sigperf_elem {

+    const char * name;

+    uint64_t usecs;

+    unsigned long run_count;

+    unsigned long match_count;

+};

+

+static int sigelem_comp(const void * a, const void * b)

+{

+    const struct sigperf_elem *ela = a;

+    const struct sigperf_elem *elb = b;

+    return elb->usecs/elb->run_count - ela->usecs/ela->run_count;

+}

+

+void cli_pcre_perf_print()

+{

+    struct sigperf_elem stats[MAX_TRACKED_PCRE], *elem = stats;

+    int i, elems = 0, max_name_len = 0, name_len;

+

+    if (!p_sigid || !p_sigevents) {

+        cli_warnmsg("cli_pcre_perf_print: statistics requested but no PCREs were loaded!\n");

+        return;

+    }

+

+    memset(stats, 0, sizeof(stats));

+    for (i=0;i<MAX_TRACKED_PCRE;i++) {

+        union ev_val val;

+        uint32_t count;

+        const char * name = cli_event_get_name(p_sigevents, i*PCRE_EVENTS_PER_SIG);

+        cli_event_get(p_sigevents, i*PCRE_EVENTS_PER_SIG, &val, &count);

+        if (!count) {

+            if (name)

+                cli_dbgmsg("No event triggered for %s\n", name);

+            continue;

+        }

+        if (name)

+            name_len = strlen(name);

+        else

+            name_len = 0;

+        if (name_len > max_name_len)

+            max_name_len = name_len;

+        elem->name = name?name:"\"noname\"";

+        elem->usecs = val.v_int;

+        elem->run_count = count;

+        cli_event_get(p_sigevents, i*PCRE_EVENTS_PER_SIG+1, &val, &count);

+        elem->match_count = count;

+        elem++;

+        elems++;

+    }

+    if (max_name_len < strlen("PCRE Expression"))

+        max_name_len = strlen("PCRE Expression");

+

+    cli_qsort(stats, elems, sizeof(struct sigperf_elem), sigelem_comp);

+

+    elem = stats;

+    /* name runs matches microsecs avg */

+    cli_infomsg (NULL, "%-*s %*s %*s %*s %*s\n", max_name_len, "PCRE Expression",

+                 8, "#runs", 8, "#matches", 12, "usecs total", 9, "usecs avg");

+    cli_infomsg (NULL, "%-*s %*s %*s %*s %*s\n", max_name_len, "===============",

+                 8, "=====", 8, "========", 12, "===========", 9, "=========");

+    while (elem->run_count) {

+        cli_infomsg (NULL, "%-*s %*lu %*lu %*llu %*.2f\n", max_name_len, elem->name,

+                     8, elem->run_count, 8, elem->match_count,

+                     12, elem->usecs, 9, (double)elem->usecs/elem->run_count);

+        elem++;

+    }

+}

+

+

+void cli_pcre_perf_events_destroy()

+{

+    cli_events_free(p_sigevents);

+    p_sigid = 0;

+}

+

+

+/* PCRE MATCHER FUNCTIONS */

+int cli_pcre_addpatt(struct cli_matcher *root, const char *virname, const char *trigger, const char *pattern, const char *cflags, const char *offset, const uint32_t *lsigid, unsigned int options)

+{

+    struct cli_pcre_meta **newmetatable = NULL, *pm = NULL;

+    uint32_t pcre_count;

+    const char *opt;

+    int ret = CL_SUCCESS, rssigs;

+

+    if (!root || !trigger || !pattern || !offset) {

+        cli_errmsg("cli_pcre_addpatt: NULL root or NULL trigger or NULL pattern or NULL offset\n");

+        return CL_ENULLARG;

+    }

+

+    /* TODO: trigger and regex checking (backreference limitations?) (control pattern limitations?) */

+    /* cli_ac_chklsig will fail a empty trigger; empty patterns can cause an infinite loop */

+    if (*trigger == '\0' || *pattern == '\0') {

+        cli_errmsg("cli_pcre_addpatt: trigger or pattern cannot be an empty string\n");

+        return CL_EMALFDB;

+    }

+    if (cflags && *cflags == '\0') {

+        cflags = NULL;

+    }

+

+    if (lsigid)

+        pm_dbgmsg("cli_pcre_addpatt: Adding /%s/%s%s triggered on (%s) as subsig %d for lsigid %d\n", 

+                  pattern, cflags ? " with flags " : "", cflags ? cflags : "", trigger, lsigid[1], lsigid[0]);

+    else

+        pm_dbgmsg("cli_pcre_addpatt: Adding /%s/%s%s triggered on (%s) [no lsigid]\n",

+                  pattern, cflags ? " with flags " : "", cflags ? cflags : "", trigger);

+

+#ifdef PCRE_BYPASS

+    /* check for trigger bypass */

+    if (strcmp(trigger, PCRE_BYPASS)) {

+#endif

+        /* validate the lsig trigger */