Clam 2001 regex slash colon

libclamav/str.c

@@ -858,28 +858,29 @@ size_t cli_ldbtokenize(char *buffer, const char delim, const size_t token_count,
                        const char **tokens, size_t token_skip)
 {
     size_t tokens_found, i;
-    int within_pcre = 0;
-    char *start     = buffer;
+    char *start = buffer;
 
     for (tokens_found = 0; tokens_found < token_count;) {
         tokens[tokens_found++] = buffer;
 
         while (*buffer != '\0') {
-            if (!within_pcre && (*buffer == delim))
+            if (*buffer == delim) {
                 break;
-            else if ((tokens_found > token_skip) &&
-                     ((buffer > start) && (*(buffer - 1) != '\\')) &&
-                     (*buffer == '/'))
-                within_pcre = !within_pcre;
+            } else if ((tokens_found > token_skip) &&
+                       ((buffer > start) && (*(buffer - 1) != '\\')) &&
+                       (*buffer == '/')) {
+                return tokens_found;
+            }
             buffer++;
         }
 
         if (*buffer != '\0') {
             *buffer++ = '\0';
         } else {
             i = tokens_found;
-            while (i < token_count)
+            while (i < token_count) {
                 tokens[i++] = NULL;
+            }
             return tokens_found;
         }
     }

libclamav_rust/src/sys.rs

@@ -743,6 +743,7 @@ pub struct recursion_level_tag {
     pub recursion_level_buffer_fmap: u32,
     pub is_normalized_layer: bool,
     pub image_fuzzy_hash: image_fuzzy_hash_t,
+    pub calculated_image_fuzzy_hash: bool,
 }
 pub type recursion_level_t = recursion_level_tag;
 #[repr(C)]

unit_tests/clamscan_test.py

@@ -558,3 +558,61 @@ def test_clamscan_16_intermediates(self):
             'v1rusv1rus.7z.zip: 7z_zip_intermediates_bad.UNOFFICIAL FOUND',
         ]
         self.verify_output(output.out, expected=expected_stdout, unexpected=unexpected_stdout)
+
+    def test_clamscan_17_pcre_slash_colon(self):
+        self.step_name('Test LDB and Yara regex rules with / and : in the string work')
+        # This is a regression test for a bug where :'s in a PCRE regex would act
+        # as delimiters if there was also a / in the regex before the :
+
+        testfile = TC.path_tmp / 'regex-slash-colon.sample'
+        testfile.write_text('hello blee/blah: bleh')
+
+        # First test with LDB PCRE rule
+        #
+        yara_db = TC.path_tmp / 'regex-slash-colon.ldb'
+        yara_db.write_text(
+            r'regex;Engine:81-255,Target:0;1;68656c6c6f20;0/hello blee/blah: bleh/'
+        )
+        command = '{valgrind} {valgrind_args} {clamscan} -d {path_db} {testfiles}'.format(
+            valgrind=TC.valgrind, valgrind_args=TC.valgrind_args, clamscan=TC.clamscan, path_db=yara_db, testfiles=testfile,
+        )
+        output = self.execute_command(command)
+
+        assert output.ec == 1  # virus found
+
+        expected_results = [
+            'regex-slash-colon.sample: regex.UNOFFICIAL FOUND',
+            'Infected files: 1',
+        ]
+        self.verify_output(output.out, expected=expected_results)
+
+        # Second test with YARA regex rule
+        #
+        yara_db = TC.path_tmp / 'regex-slash-colon.yara'
+        yara_db.write_text(
+            r'''
+rule regex
+{
+    meta:
+        author      = "Micah"
+        date        = "2022/07/25"
+        description = "Just a test"
+    strings:
+        $b = /hello blee\/blah: bleh/
+    condition:
+        all of them
+}
+            '''
+        )
+        command = '{valgrind} {valgrind_args} {clamscan} -d {path_db} {testfiles}'.format(
+            valgrind=TC.valgrind, valgrind_args=TC.valgrind_args, clamscan=TC.clamscan, path_db=yara_db, testfiles=testfile,
+        )
+        output = self.execute_command(command)
+
+        assert output.ec == 1  # virus found
+
+        expected_results = [
+            'regex-slash-colon.sample: YARA.regex.UNOFFICIAL FOUND',
+            'Infected files: 1',
+        ]
+        self.verify_output(output.out, expected=expected_results)