`ql.mem.search` uses regular expression

[LukeSerne]

Describe the bug
ql.mem.search raises an exception for some input needles, and wrong results for other needles. This is because the needle is interpreted as a regular expression, which is not documented anywhere and quite unusual.

Sample Code

import qiling
from qiling.const import QL_ARCH

ql = qiling.Qiling(code=bytes(10), archtype=QL_ARCH.ARM, ostype='linux')

assert ql.mem.search(b"(") == []  # exception here (see below)
assert ql.mem.search(b".") == []  # wrong result (and thus assertion error) here

Real behavior

$ python main.py 
Traceback (most recent call last):
  File "main.py", line 6, in <module>
    assert ql.mem.search(b"(") == []  # exception here (see below)
  File "~/lib/python3.8/site-packages/qiling/os/memory.py", line 351, in search
    local_results = (match.start(0) + lbound for match in re.finditer(needle, haystack))
  File "/usr/lib/python3.8/re.py", line 248, in finditer
    return _compile(pattern, flags).finditer(string)
  File "/usr/lib/python3.8/re.py", line 304, in _compile
    p = sre_compile.compile(pattern, flags)
  File "/usr/lib/python3.8/sre_compile.py", line 764, in compile
    p = sre_parse.parse(p, flags)
  File "/usr/lib/python3.8/sre_parse.py", line 948, in parse
    p = _parse_sub(source, state, flags & SRE_FLAG_VERBOSE, 0)
  File "/usr/lib/python3.8/sre_parse.py", line 443, in _parse_sub
    itemsappend(_parse(source, state, verbose, nested + 1,
  File "/usr/lib/python3.8/sre_parse.py", line 836, in _parse
    raise source.error("missing ), unterminated subpattern",
re.error: missing ), unterminated subpattern at position 0

Expected behavior
No exception and both assertions succeeding.

Additional context
The problem is the use of re.finditer in the below line of code. This interprets the value 40 as the character (, which in turn is interpreted as a regular expression.

qiling/qiling/os/memory.py

Line 397 in 573ce1f

local_results = (match.start(0) + lbound for match in re.finditer(needle, haystack))

This issue can be fixed by escaping the provided needle using something like needle = re.escape(needle) at some earlier part in the ql.mem.search function.

[elicn]

I am not sure I agree this is indeed a bug; that depends on the expected behavior of the search method.
If the search method is expected to accept a regular expression, then its implementation is correct. If it is expected to look for a sequence of bytes, that may be a bug.

Personally I find a sequence search much more useful than a regex one, but that's only me.
Perhaps we should support both Pattern and str, and search accordingly (I prefer less having two different methods for that). Let's see what others have to say.

[LukeSerne]

I agree. A regex search would definitely have its uses. However, it is not documented that this function interprets its needle parameter as a regular expression anywhere - not in the function name, not in the documentation and not even in comments in the source code. In addition, the parameter is described as bytes sequence to look for in the documentation. Since the needle is a bytes object and we're searching through bytes, it makes sense to assume that this function does not do "anything special" and just searches for this literal byte sequence.

If you want to support both regex and normal searches, then it would make most sense to me if there are two different functions. Perhaps ql.mem.search searches for the literal bytes, and ql.mem.search_regex searches for a regex. This way, the difference in behaviour is very explicit - it's in the function name - which prevents people from misinterpreting what the function does.