No check if "yyscanner" variable has not been initialized in yylex_init()

[1ndahous3]

yylex_init() may fail to init the yyscanner variable due to memory allocation failure and will return 1:

yara/libyara/lexer.c

Lines 3279 to 3291 in 2d22a4a

	int yylex_init(yyscan_t* ptr_yy_globals)
	{
	if (ptr_yy_globals == NULL){
	errno = EINVAL;
	return 1;
	}
	*ptr_yy_globals = (yyscan_t) yyalloc ( sizeof( struct yyguts_t ), NULL );
	if (*ptr_yy_globals == NULL){
	errno = ENOMEM;
	return 1;
	}

In all yr_lex_parse_rules_*() and yr_parse_*() routines, the retcode isn't saved and/or checked:

yara/libyara/hex_lexer.l

Lines 265 to 269 in e1360f6

	yylex_init(&yyscanner);
	yyset_extra(*re_ast, yyscanner);
	yy_scan_string(hex_string, yyscanner);
	yyparse(yyscanner, &lex_env);
	yylex_destroy(yyscanner);

And later we can get a nulltpr dereference for the yyscanner variable:

Detected by the Application Verifier (Windows) with the low resource simulation feature:

[1ndahous3]

@plusvic it's important to do a full cleanup on re_ast in case of yylex_init() != 0 if the caller uses that value later.

In b47b60d you added a retcode check and yr_re_ast_destroy(*re_ast); in yr_parse_hex_string() and yr_parse_re_string() , but didn't add *re_ast = NULL;, so for example yr_parser_reduce_string_declaration() will read an invalid address in the exit step.

yara/libyara/parser.c

Lines 738 to 745 in 2d22a4a

	if (modifier.flags & STRING_FLAGS_HEXADECIMAL)
	result = yr_re_parse_hex(str->c_string, &re_ast, &re_error);
	else if (modifier.flags & STRING_FLAGS_REGEXP)
	result = yr_re_parse(str->c_string, &re_ast, &re_error);
	else
	result = yr_base64_ast_from_string(str, modifier, &re_ast, &re_error);
	if (result != ERROR_SUCCESS)

yara/libyara/parser.c

Lines 898 to 907 in 2d22a4a

	_exit:
	if (re_ast != NULL)
	yr_re_ast_destroy(re_ast);
	if (remainder_re_ast != NULL)
	yr_re_ast_destroy(remainder_re_ast);
	return result;
	}

gotcha!