From 180f00f9d9a3dd2825b53080594b19e77a23d967 Mon Sep 17 00:00:00 2001 From: "Victor M. Alvarez" Date: Tue, 27 Feb 2024 16:46:42 +0100 Subject: [PATCH] fix: set a larger limit for NFA when compiling regular expressions (#86) Closes #85 --- lib/src/compiler/rules.rs | 19 +++++++++++++++---- 1 file changed, 15 insertions(+), 4 deletions(-) diff --git a/lib/src/compiler/rules.rs b/lib/src/compiler/rules.rs index 9a5678ed9..61336b391 100644 --- a/lib/src/compiler/rules.rs +++ b/lib/src/compiler/rules.rs @@ -206,7 +206,7 @@ impl Rules { self.rules.get(rule_id.0 as usize).unwrap() } - /// Returns an slice with the individual rules that were compiled. + /// Returns a slice with the individual rules that were compiled. #[inline] pub(crate) fn rules(&self) -> &[RuleInfo] { self.rules.as_slice() @@ -233,8 +233,8 @@ impl Rules { let re = types::Regexp::new(self.regexp_pool.get(regexp_id).unwrap()); let mut parser = regex_syntax::ast::parse::ParserBuilder::new() - // This the custom configuration option that turns-on support for - // the `{,n}`. This option doesn't exist in the official + // This is the custom configuration option that turns-on support + // for the `{,n}` syntax. This option doesn't exist in the official // `regex_syntax` crate. .empty_min_range(true) .build(); @@ -249,7 +249,18 @@ impl Rules { let hir = translator.translate(re.naked(), &ast).unwrap(); - regex_automata::meta::Builder::new().build_from_hir(&hir).unwrap() + // Set a size limit for the NFA automata. The default limit (10MB) is + // too small for certain regexps seen in YARA rules in the wild, see: + // https://github.com/VirusTotal/yara-x/issues/85 + let config = regex_automata::meta::Config::new() + .nfa_size_limit(Some(50 * 1024 * 1024)); + + regex_automata::meta::Builder::new() + .configure(config) + .build_from_hir(&hir) + .unwrap_or_else(|err| { + panic!("error compiling regex `{}`: {:#?}", re.as_str(), err) + }) } /// Returns a sub-pattern by [`SubPatternId`].