fix: logic error in block scanner that causes a use-after-free.

plusvic · plusvic · commit 0d1763e6ea2a · 2026-02-05T10:13:30.000+01:00
The `finish` method in the block scanner was triggering a call to `search_for_pattern` that acceded a block of memory that could be already de-allocated. The logic has been fixed to avoid these calls to `search_for_patterns`. Closes VirusTotal#548
diff --git a/lib/src/compiler/emit.rs b/lib/src/compiler/emit.rs
@@ -1038,13 +1038,11 @@ fn emit_lazy_call_to_search_for_patterns(
             },
             |_else| {
                 _else
-                    // Call `search_for_patterns`.
+                    // Call `search_for_patterns`. This function will set
+                    // `pattern_search_done` to true before exiting.
                     .call(ctx.function_id(
                         wasm::export__search_for_patterns.mangled_name,
-                    ))
-                    // Set `pattern_search_done` to true.
-                    .i32_const(1)
-                    .global_set(ctx.wasm_symbols.pattern_search_done);
+                    ));
             },
         );
         let top = ctx.emit_search_for_pattern_stack.last_mut().unwrap();
diff --git a/lib/src/scanner/blocks.rs b/lib/src/scanner/blocks.rs
@@ -151,8 +151,12 @@ impl<'r> Scanner<'r> {
         let ctx = self.scan_context_mut();
 
         ctx.scan_state = ScanState::ScanningBlock((base, data));
+
+        ctx.set_pattern_search_done(false);
         ctx.search_for_patterns()?;
 
+        ctx.scan_state = ScanState::Idle;
+
         for (_, match_list) in ctx.pattern_matches.matches_per_pattern() {
             // Here we iterate the matches in order to gather snippets of data
             // from where the matches occurred. Notice however that we are only
diff --git a/lib/src/scanner/context.rs b/lib/src/scanner/context.rs
@@ -74,6 +74,9 @@ pub(crate) struct ScanContext<'r, 'd> {
     pub wasm_main_memory: Option<wasmtime::Memory>,
     /// WASM global variable that contains the value of `filesize`.
     pub wasm_filesize: Option<Global>,
+    /// WASM global variable that contains a boolean that indicates if
+    /// pattern search was done.
+    pub wasm_pattern_search_done: Option<Global>,
     /// Map where keys are object handles and values are objects used during
     /// the evaluation of rule conditions. Handles are opaque integer values
     /// that can be passed to and received from WASM code. Each handle identify
@@ -357,7 +360,7 @@ impl ScanContext<'_, '_> {
         obj_ref
     }
 
-    /// Get the value of the global variable `filesize`.
+    /// Gets the value of the global variable `filesize`.
     pub(crate) fn get_filesize(&mut self) -> i64 {
         self.wasm_filesize.unwrap().get(self.wasm_store_mut()).i64().unwrap()
     }
@@ -370,13 +373,22 @@ impl ScanContext<'_, '_> {
             .unwrap();
     }
 
+    /// Sets the value of the flag that indicates if the pattern search
+    /// phase was already executed.
+    pub(crate) fn set_pattern_search_done(&mut self, done: bool) {
+        self.wasm_pattern_search_done
+            .unwrap()
+            .set(self.wasm_store_mut(), Val::I32(done as i32))
+            .unwrap();
+    }
+
     /// Sets a timeout for scan operations.
     pub(crate) fn set_timeout(&mut self, timeout: Duration) -> &mut Self {
         self.scan_timeout = Some(timeout);
         self
     }
 
-    /// Invoke the main function, which evaluates the rules' conditions. It
+    /// Invokes the main function, which evaluates the rules' conditions. It
     /// calls ScanContext::search_for_patterns (which does the Aho-Corasick
     /// scanning) only if necessary.
     ///
@@ -1032,6 +1044,9 @@ impl ScanContext<'_, '_> {
             _ => unreachable!(),
         };
 
+        // Indicate that the pattern search phase was already done.
+        self.set_pattern_search_done(true);
+
         #[cfg(any(feature = "rules-profiling", feature = "logging"))]
         let scan_end = self.clock.raw();
 
@@ -1789,6 +1804,7 @@ pub fn create_wasm_store_and_ctx<'r>(
         wasm_main_memory: None,
         wasm_main_func: None,
         wasm_filesize: None,
+        wasm_pattern_search_done: None,
         module_outputs: FxHashMap::default(),
         user_provided_module_outputs: FxHashMap::default(),
         pattern_matches: PatternMatches::new(),
@@ -1915,6 +1931,7 @@ pub fn create_wasm_store_and_ctx<'r>(
     ctx.wasm_main_memory = Some(main_memory);
     ctx.wasm_main_func = Some(main_fn);
     ctx.wasm_filesize = Some(filesize);
+    ctx.wasm_pattern_search_done = Some(pattern_search_done);
 
     wasm_store
 }
diff --git a/lib/src/scanner/mod.rs b/lib/src/scanner/mod.rs
@@ -599,6 +599,9 @@ impl<'r> Scanner<'r> {
         // by the rules.
         ctx.user_provided_module_outputs.clear();
 
+        // Clear the flag that indicates that the search phase was done.
+        ctx.set_pattern_search_done(false);
+
         // Evaluate the conditions of every rule, this will call
         // `ScanContext::search_for_patterns` if necessary.
         ctx.eval_conditions()?;
diff --git a/lib/src/wasm/builder.rs b/lib/src/wasm/builder.rs
@@ -197,14 +197,7 @@ impl WasmModuleBuilder {
         );
 
         // The main function receives no arguments and returns an I32.
-        let mut main_func =
-            FunctionBuilder::new(&mut module.types, &[], &[I32]);
-
-        // The first instructions in the main function initialize the global
-        // variables `pattern_search_done`.
-        main_func.func_body().i32_const(0);
-        main_func.func_body().global_set(pattern_search_done);
-
+        let main_func = FunctionBuilder::new(&mut module.types, &[], &[I32]);
         let namespace_block = namespace_func.dangling_instr_seq(None).id();
 
         Self {
