Skip to content

docs: document the YR_RE_SCAN_LIMIT regular expression scan limit#2223

Open
munzzyy wants to merge 1 commit into
VirusTotal:masterfrom
munzzyy:docs-re-scan-limit
Open

docs: document the YR_RE_SCAN_LIMIT regular expression scan limit#2223
munzzyy wants to merge 1 commit into
VirusTotal:masterfrom
munzzyy:docs-re-scan-limit

Conversation

@munzzyy

@munzzyy munzzyy commented Jul 10, 2026

Copy link
Copy Markdown
Contributor

Fixes #2194.

The regexp engines cap how much data they scan at YR_RE_SCAN_LIMIT (4096 bytes, defined in libyara/include/yara/limits.h), so a match that needs more than that simply isn't reported. @plusvic pointed at the constant in the issue thread, but the limit isn't mentioned anywhere in the docs, which was the reporter's actual complaint: rules with wide wildcards fail silently and there's nothing in the manual explaining why.

This adds a warning box to the "Regular expressions" section of writingrules.rst stating the default limit, the silent-miss behavior, and that it can be raised at compile time.

Checked against HEAD (fa372eb) before writing the note:

  • built yara and ran /foo.*bar/ over a file with foo and bar 4000 bytes apart (matches) and one with them 5000 bytes apart (no match, no error, exit 0)
  • rebuilt with CPPFLAGS='-DYR_RE_SCAN_LIMIT=8192': the 5000-byte gap now matches and a 9000-byte one doesn't, so the compile-time override wording is accurate
  • sphinx-build runs with no new warnings and the box renders at the end of the regexp section

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

Apparent Wildcard Limitation on Regexp Strings

1 participant