From 77c39b20f8f44adfd0a4ed68e49094016ab6c012 Mon Sep 17 00:00:00 2001
From: Victor Julien <victor@inliniac.net>
Date: Sat, 21 Oct 2017 10:16:30 +0200
Subject: [PATCH] detect: handle very large byte_extract'ed values in isdataat

---
 src/detect-engine-content-inspection.c | 11 ++++++++++-
 1 file changed, 10 insertions(+), 1 deletion(-)

diff --git a/src/detect-engine-content-inspection.c b/src/detect-engine-content-inspection.c
index d6e355b2e3..ef878b2f65 100644
--- a/src/detect-engine-content-inspection.c
+++ b/src/detect-engine-content-inspection.c
@@ -365,7 +365,16 @@ int DetectEngineContentInspection(DetectEngineCtx *de_ctx, DetectEngineThreadCtx
         const DetectIsdataatData *id = (DetectIsdataatData *)smd->ctx;
         uint32_t dataat = id->dataat;
         if (id->flags & ISDATAAT_OFFSET_BE) {
-            dataat = det_ctx->bj_values[dataat];
+            uint64_t be_value = det_ctx->bj_values[dataat];
+            if (be_value >= 100000000) {
+                if ((id->flags & ISDATAAT_NEGATED) == 0) {
+                    SCLogDebug("extracted value %"PRIu64" very big: no match", be_value);
+                    goto no_match;
+                }
+                SCLogDebug("extracted value way %"PRIu64" very big: match", be_value);
+                goto match;
+            }
+            dataat = (uint32_t)be_value;
             SCLogDebug("isdataat: using value %u from byte_extract local_id %u", dataat, id->dataat);
         }