From 4de3d574bae5973c711095c1c755166c07dec322 Mon Sep 17 00:00:00 2001
From: "Victor M. Alvarez"
Date: Wed, 23 Aug 2023 11:00:11 +0200
Subject: [PATCH] Fix inconsistency with `--fast-scan` option.

Some rules were not matching when the `--fast-scan` flag was used, but they should. It happened with rules that contained statements like `any of in ` or `any of at `. With this type of expressions, the strings included in `` can't be flagged with `STRING_FLAGS_SINGLE_MATCH` because we need to find all the occurrences of those strings. Finding only the first match is not enough because the condition can be true for some other occurrence of the string, but not with the first one.

With this change the flag `STRING_FLAGS_SINGLE_MATCH` is cleared for every string included in a string set. This is a radical way of fixing the issue, as the flag is cleared in other cases where this is not necessary, like in `any of `, where finding the first occurrence of each string in the set is enough. But I don't want to add more complexity and correctness should prevail over performance.

--- libyara/parser.c | 1 + 1 file changed, 1 insertion(+) diff --git a/libyara/parser.c b/libyara/parser.c index f536e42eac..58b2c90713 100644 --- a/libyara/parser.c +++ b/libyara/parser.c @@ -216,6 +216,7 @@ int yr_parser_emit_pushes_for_strings( string->flags |= STRING_FLAGS_REFERENCED; string->flags &= ~STRING_FLAGS_FIXED_OFFSET; + string->flags &= ~STRING_FLAGS_SINGLE_MATCH; matching++; } }
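Review bot: the added `string->flags &= ~STRING_FLAGS_SINGLE_MATCH;` line in `yr_parser_emit_pushes_for_strings` carries no comment, so the reason it must stay exists only in the commit message. A short comment above it, saying that strings in a set may be evaluated with `in` or `at` and therefore need every occurrence recorded, would keep a later performance pass from restoring the flag and silently bringing back the missed matches under `--fast-scan`. The diffstat also shows `libyara/parser.c` as the only file changed, so no regression test accompanies the fix; a rule using one of the affected `any of` forms, scanned with `--fast-scan` against data where only a later occurrence of the string satisfies the condition, would pin the behaviour. Because the flag is cleared for every string in a set, including the cases the message calls unnecessary, the performance cost is worth stating in that same comment so the trade-off is visible at the call site.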