-rw-r--r--src/analysis/scan/patterns/tokens/node.c13
-rw-r--r--tests/analysis/scan/fuzzing.py22
2 files changed, 33 insertions, 2 deletions
diff --git a/src/analysis/scan/patterns/tokens/node.c b/src/analysis/scan/patterns/tokens/node.c
index 604cf86..71fcf05 100644
--- a/src/analysis/scan/patterns/tokens/node.c
+++ b/src/analysis/scan/patterns/tokens/node.c
@@ -416,6 +416,17 @@ void g_scan_token_node_check_forward(const GScanTokenNode *node, GScanContext *c
if (ocount > 0)
{
+ /**
+ * Dans le cas où un unique noeud ne renvoie que vers un espace (par
+ * exemple : "$a = { [0] }"), il n'y a pas de résultats, donc pas
+ * d'initialisation.
+ *
+ * La réinitialisation des décomptes va tiquer pour cet état. La
+ * phase d'extension des résultats inexistants est ainsi sautée.
+ */
+ if (count_pending_matches(matches) == 0)
+ goto offset_done;
+
reset_pending_matches_ttl(matches);
pending_ptr = get_all_pending_matches(matches, &pcount);
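Review bot: The new guard at L24 treats "zero pending matches" as "trackers never initialized", but an empty pending set can also be the normal outcome of earlier nodes having produced or purged every candidate; both cases correctly skip `reset_pending_matches_ttl()` and the extension loop, so the comment should say so rather than present only the `$a = { [0] }` case, e.g. add `* Le même chemin couvre aussi le cas où tous les candidats précédents ont été purgés.` to the block. This is an engine-level defensive fix: a rule whose only token is a jump has nothing to search for, and rejecting it when the pattern is built (if the parser has such a hook) would keep the matcher from relying on this check; if a backward counterpart of this function exists, it presumably needs the same guard. The jump target `offset_done:` lies in the next hunk, and g_scan_token_node_check_forward starts before and ends after this hunk.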
@@ -447,6 +458,8 @@ void g_scan_token_node_check_forward(const GScanTokenNode *node, GScanContext *c
*/
/* purge_pending_matches(matches); */
+ offset_done:
+
disable_all_ranges_in_node_search_offset(&offset);
}
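Review bot: The label `offset_done:` is the target of a forward `goto` added earlier in the same function, and nothing at the label explains why the `disable_all_ranges_in_node_search_offset(&offset);` that follows must run on both paths; a comment at L32 would make the invariant explicit, e.g. `/* Atteint directement lorsqu'aucun candidat n'est à étendre ; la remise à zéro des plages doit avoir lieu dans tous les cas. */`. The commented-out `purge_pending_matches(matches);` sitting directly above the label (L31) is dead code that the new jump path makes more confusing; either delete it or turn it into a note stating why the purge is deferred. The enclosing function continues outside this hunk.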
diff --git a/tests/analysis/scan/fuzzing.py b/tests/analysis/scan/fuzzing.py
index c38b25c..044fe54 100644
--- a/tests/analysis/scan/fuzzing.py
+++ b/tests/analysis/scan/fuzzing.py
@@ -132,7 +132,7 @@ rule test {
rule test {
bytes:
- $a = "a"
+ $a = "a"
condition:
maxcommon($a) == 0
@@ -150,7 +150,25 @@ rule test {
rule test {
bytes:
- $a = "0000a0I0" nocase
+ $a = "0000a0I0" nocase
+
+ condition:
+ $a
+
+}
+'''
+
+ self.check_rule_failure(rule)
+
+
+ def testAAsAcharacter(self):
+ """Do not expect initialized trackers when there is no real defined search pattern."""
+
+ rule = '''
+rule test {
+
+ bytes:
+ $a = {[0]}
condition:
$a