
yr_stopwatch_elapsed_us divide by 0

Open Tigzy opened this issue 7 years ago • 4 comments

Hey, another issue from a crash dump. sw->frequency.QuadPart happens to be 0 (for some reason). We need a guard here.

image

Tigzy avatar Nov 20 '18 15:11 Tigzy

Maybe related to this: https://docs.microsoft.com/en-us/windows/desktop/api/winnt/ns-winnt-_large_integer#remarks

Which compiler are you using? Are you compiling for 32 bits or 64 bits?

plusvic avatar Dec 05 '18 15:12 plusvic

Compiling for VS2015. In that case I don't remember if the dump is for x86 or x64, sorry. However, the crash is on line 51 in my screen; when inspecting the variable I can see sw->frequency.QuadPart is 0.

Tigzy avatar Dec 05 '18 16:12 Tigzy

We just ran into this. In our case the problem occurred when the call to yr_arena_create failed in yr_scanner_scan_mem_blocks. When yr_arena_create fails, there is a goto _exit:

result = yr_arena_create(1048576, 0, &scanner->matches_arena);

if (result != ERROR_SUCCESS) goto _exit;

yr_stopwatch_elapsed_us is called within the _exit block even though the stopwatch wasn't yet initialized, which leads to the divide by zero since frequency was not set. There may be other cases like this as well.

rspeaker avatar Dec 31 '19 18:12 rspeaker

@rspeaker, the issue you mentioned was fixed in https://github.com/VirusTotal/yara/commit/be3b77b633e2d1ab6fb3292044519e0b36ebaab1

plusvic avatar Jan 07 '20 09:01 plusvic
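
For readers of this thread, an added example (not YARA's code and not taken from the linked commit) that models the failure path described above: an early `goto _exit` reaches the elapsed-time call before the stopwatch is started. The `stopwatch_t` type, the `scan` function and its `alloc_fails` parameter are hypothetical stand-ins, and `clock()` replaces the Windows performance counter so the code runs anywhere.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <time.h>

/* Hypothetical stand-in for a tick-counter stopwatch, not YARA's own type.
   frequency is ticks per second; 0 means the stopwatch was never started. */
typedef struct { uint64_t frequency; uint64_t start; } stopwatch_t;

void stopwatch_start(stopwatch_t* sw) {
  sw->frequency = (uint64_t) CLOCKS_PER_SEC;  /* portable tick source */
  sw->start = (uint64_t) clock();
}

/* Guarded: a never-started stopwatch reports 0 instead of dividing by 0. */
uint64_t stopwatch_elapsed_us(const stopwatch_t* sw) {
  if (sw->frequency == 0) return 0;
  uint64_t ticks = (uint64_t) clock() - sw->start;
  /* split the division so ticks * 1000000 cannot overflow */
  return ticks / sw->frequency * 1000000ULL +
         ticks % sw->frequency * 1000000ULL / sw->frequency;
}

/* Models the flow in the thread: a setup step fails and jumps to _exit
   before the stopwatch is started. alloc_fails is a constructed input. */
int scan(int alloc_fails, uint64_t* elapsed_us) {
  stopwatch_t sw;
  int result = 0;
  memset(&sw, 0, sizeof(sw));  /* known state before any goto */

  if (alloc_fails) { result = -1; goto _exit; }

  stopwatch_start(&sw);
  /* ... scanning work would run here ... */

_exit:
  *elapsed_us = stopwatch_elapsed_us(&sw);  /* safe on both paths */
  return result;
}

int main(void) {
  uint64_t us = 0;
  int rc = scan(1, &us);
  printf("failed setup: rc=%d elapsed=%llu us\n", rc, (unsigned long long) us);
  rc = scan(0, &us);
  printf("normal path:  rc=%d elapsed=%llu us\n", rc, (unsigned long long) us);
  return 0;
}
```

Zeroing the struct before the first `goto` is what makes the guard reliable; without it the frequency field on the error path holds whatever was on the stack.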