From e9973fbbde3e4c15e92fb7903fa587e71f6741d0 Mon Sep 17 00:00:00 2001 From: munzzyy Date: Fri, 10 Jul 2026 14:17:37 -0500 Subject: [PATCH] docs: document the YR_RE_SCAN_LIMIT regular expression scan limit --- docs/writingrules.rst | 10 ++++++++++ 1 file changed, 10 insertions(+) diff --git a/docs/writingrules.rst b/docs/writingrules.rst index bdad0191e0..439fae40c0 100644 --- a/docs/writingrules.rst +++ b/docs/writingrules.rst @@ -717,6 +717,16 @@ Starting with version 3.3.0 these zero-width assertions are also recognized: * - ``\B`` - Match except at a word boundary +.. warning:: The regular expression engine scans a limited amount of data + while evaluating a match. This limit is 4096 bytes by default and is + controlled by the ``YR_RE_SCAN_LIMIT`` constant defined in + *libyara/include/yara/limits.h*. A match that would require scanning + beyond this limit is not reported and no error is raised, which usually + shows up with wildcards or large repetitions: a regular expression like + ``/foo.*bar/`` won't match if *foo* and *bar* are separated by more than + 4096 bytes. If you need a larger limit you can define + ``YR_RE_SCAN_LIMIT`` at compile time. + Private strings ---------------