feat: support TooManyMatches callback

Author: secDre4mer

rules_callback.go

@@ -9,6 +9,11 @@ package yara
 /*
 #include <stdlib.h>
 #include <yara.h>
+
+// rules_table is part of a union and as such not reachable from go code.
+static YR_RULE* find_rule(YR_RULES* r, uint rule_idx) {
+	return &r->rules_table[rule_idx];
+}
 */
 import "C"
 import (
@@ -70,6 +75,12 @@ type ScanCallbackConsoleLog interface {
 	ConsoleLog(*ScanContext, string)
 }
 
+// ScanCallbackTooManyMatches can be used to receive information about
+// strings that match too many times.
+type ScanCallbackTooManyMatches interface {
+	TooManyMatches(*ScanContext, *Rule, string) (bool, error)
+}
+
 // scanCallbackContainer is used by to pass a ScanCallback (and
 // associated data) between ScanXxx methods and scanCallbackFunc(). It
 // stores the public callback interface and a list of malloc()'d C
@@ -147,6 +158,15 @@ func scanCallbackFunc(ctx *C.YR_SCAN_CONTEXT, message C.int, messageData, userDa
 		if c, ok := cbc.ScanCallback.(ScanCallbackConsoleLog); ok {
 			c.ConsoleLog(s, C.GoString((*C.char)(messageData)))
 		}
+	case C.CALLBACK_MSG_TOO_MANY_MATCHES:
+		if c, ok := cbc.ScanCallback.(ScanCallbackTooManyMatches); ok {
+			yrString := String{(*C.YR_STRING)(messageData), cbc.rules}
+			rule := &Rule{
+				cptr:  C.find_rule(cbc.rules.cptr, yrString.cptr.rule_idx),
+				owner: cbc.rules,
+			}
+			abort, err = c.TooManyMatches(s, rule, yrString.Identifier())
+		}
 	}
 
 	if err != nil {

rules_test.go

@@ -243,12 +243,13 @@ func TestRule(t *testing.T) {
 }
 
 type testCallback struct {
-	t          *testing.T
-	finished   bool
-	modules    map[string]struct{}
-	matched    map[string]struct{}
-	notMatched map[string]struct{}
-	logged     []string
+	t              *testing.T
+	finished       bool
+	modules        map[string]struct{}
+	matched        map[string]struct{}
+	notMatched     map[string]struct{}
+	logged         []string
+	tooManyMatches []string
 }
 
 func newTestCallback(t *testing.T) *testCallback {
@@ -258,6 +259,7 @@ func newTestCallback(t *testing.T) *testCallback {
 		make(map[string]struct{}),
 		make(map[string]struct{}),
 		nil,
+		nil,
 	}
 }
 
@@ -291,6 +293,10 @@ func (c *testCallback) ModuleImported(*ScanContext, *Object) (bool, error) {
 func (c *testCallback) ConsoleLog(_ *ScanContext, s string) {
 	c.logged = append(c.logged, s)
 }
+func (c *testCallback) TooManyMatches(_ *ScanContext, r *Rule, s string) (bool, error) {
+	c.tooManyMatches = append(c.logged, fmt.Sprintf("%s:%s", r.Identifier(), s))
+	return false, nil
+}
 
 func TestImportDataCallback(t *testing.T) {
 	cb := newTestCallback(t)
@@ -338,3 +344,17 @@ func TestConsoleCallback(t *testing.T) {
 		t.Errorf("console log does not containi expected hello world string: %v", cb.logged)
 	}
 }
+
+func TestTooManyMatches(t *testing.T) {
+	cb := newTestCallback(t)
+	r := makeRules(t, `
+		rule t { strings: $s1 = "\x00" condition: #s1 == 10000000 }
+        `)
+
+	if err := r.ScanMem(make([]byte, 10000000), 0, 0, cb); err != nil {
+		t.Error(err)
+	}
+	if len(cb.tooManyMatches) != 1 || cb.tooManyMatches[0] != "t:$s1" {
+		t.Errorf("too many matches does not contain regularly matching string: %v", cb.tooManyMatches)
+	}
+}