From 378f678d95ebf232095ae4812fff8cfa73506d96 Mon Sep 17 00:00:00 2001
From: Philippe Antoine
Date: Tue, 25 Jun 2024 14:27:24 +0200
Subject: [PATCH] fuzz/detect: forbid rule with pcre only on stream to avoid fuzzing blocks on timeouts with known bad rules
Ticket: 4858
---
 src/detect-content.c | 19 +++++++++++++++++++
 1 file changed, 19 insertions(+)
diff --git a/src/detect-content.c b/src/detect-content.c
index 6d3852ecc56f..9625e7426d45 100644
--- a/src/detect-content.c
+++ b/src/detect-content.c
@@ -453,6 +453,25 @@ void SigParseRequiredContentSize(
 */
 bool DetectContentPMATCHValidateCallback(const Signature *s)
 {
+#ifdef FUZZING_BUILD_MODE_UNSAFE_FOR_PRODUCTION
+ bool has_pcre = false;
+ bool has_content = false;
+ for (SigMatch *sm = s->init_data->smlists[DETECT_SM_LIST_PMATCH]; sm != NULL; sm = sm->next) {
+ if (sm->type == DETECT_PCRE) {
+ has_pcre = true;
+ } else if (sm->type == DETECT_CONTENT) {
+ has_content = true;
+ break;
+ }
+ }
+ if (has_pcre && !has_content) {
+ // Fuzzing does not allow rules with pcre and without content on payload
+ // as it is known to be a bad rule for performance causing possible timeouts
+ // Engine analysis has more generic warn_pcre_no_content about this
+ return false;
+ }
+#endif
+
 if (!(s->flags & SIG_FLAG_DSIZE)) {
 return true;
 }
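Review bot: The `return false;` inside the new `has_pcre && !has_content` branch gives no reason, so in a fuzz build a rule rejected here is indistinguishable from any other PMATCH validation failure; unless the caller already logs, a one-line `SCLogError("fuzz build: pcre-only payload match list rejected (no content)");` before the return would make the skipped rule visible. The doc comment that ends at the ` */` context line does not mention this build-specific behavior; add a short note there that FUZZING_BUILD_MODE_UNSAFE_FOR_PRODUCTION builds reject rules whose payload match list has pcre but no content, and that such rules are consequently never exercised by fuzzing, a coverage gap worth recording next to the rationale. The loop dereferences `s->init_data` without a check; presumably this callback only runs during signature init where init_data is populated, but confirm. The commit title says "pcre only on stream" while the code inspects DETECT_SM_LIST_PMATCH and the in-code comment says "on payload"; aligning the wording would avoid confusion. DetectContentPMATCHValidateCallback continues past the hunk.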