From f82e9975ea778a2ffa7692e864b9ed49dd651bad Mon Sep 17 00:00:00 2001
From: Cyrille Bagard <nocbos@gmail.com>
Date: Sun, 22 Oct 2023 23:21:51 +0200
Subject: Do not expect initialized trackers when there is no real defined
 search pattern.

---
 src/analysis/scan/patterns/tokens/node.c | 13 +++++++++++++
 tests/analysis/scan/fuzzing.py           | 22 ++++++++++++++++++++--
 2 files changed, 33 insertions(+), 2 deletions(-)

diff --git a/src/analysis/scan/patterns/tokens/node.c b/src/analysis/scan/patterns/tokens/node.c
index 604cf86..71fcf05 100644
--- a/src/analysis/scan/patterns/tokens/node.c
+++ b/src/analysis/scan/patterns/tokens/node.c
@@ -416,6 +416,17 @@ void g_scan_token_node_check_forward(const GScanTokenNode *node, GScanContext *c
 
     if (ocount > 0)
     {
+        /**
+         * Dans le cas où un unique noeud ne renvoie que vers un espace (par
+         * exemple : "$a = { [0] }"), il n'y a pas de résultats, donc pas
+         * d'initialisation.
+         *
+         * La réinitialisation des décomptes va tiquer pour cet état. La
+         * phase d'extension des résultats inexistants est ainsi sautée.
+         */
+        if (count_pending_matches(matches) == 0)
+            goto offset_done;
+
         reset_pending_matches_ttl(matches);
 
         pending_ptr = get_all_pending_matches(matches, &pcount);
@@ -447,6 +458,8 @@ void g_scan_token_node_check_forward(const GScanTokenNode *node, GScanContext *c
          */
         /* purge_pending_matches(matches); */
 
+ offset_done:
+
         disable_all_ranges_in_node_search_offset(&offset);
 
     }
diff --git a/tests/analysis/scan/fuzzing.py b/tests/analysis/scan/fuzzing.py
index c38b25c..044fe54 100644
--- a/tests/analysis/scan/fuzzing.py
+++ b/tests/analysis/scan/fuzzing.py
@@ -132,7 +132,7 @@ rule test {
 rule test {
 
    bytes:
-        $a = "a"
+      $a = "a"
 
    condition:
       maxcommon($a) == 0
@@ -150,7 +150,25 @@ rule test {
 rule test {
 
    bytes:
-        $a = "0000a0I0" nocase
+      $a = "0000a0I0" nocase
+
+   condition:
+      $a
+
+}
+'''
+
+        self.check_rule_failure(rule)
+
+
+    def testAAsAcharacter(self):
+        """Do not expect initialized trackers when there is no real defined search pattern."""
+
+        rule = '''
+rule test {
+
+   bytes:
+      $a = {[0]}
 
    condition:
       $a
-- 
cgit v0.11.2-87-g4458