Thu Dec 6 15:22:27 CET 2007 (tk)
---------------------------------
* libclamav/pe.c: fix possible integer overflow in MEW related code
Reported by iDefense [IDEF2842]
Backported by <sgran@debian.org>
SVN r3376
Index: clamav-0.91.2/libclamav/pe.c
===================================================================
--- clamav-0.91.2.orig/libclamav/pe.c
+++ clamav-0.91.2/libclamav/pe.c
@@ -80,6 +80,18 @@
#define PEALIGN(o,a) (((a))?(((o)/(a))*(a)):(o))
#define PESALIGN(o,a) (((a))?(((o)/(a)+((o)%(a)!=0))*(a)):(o))
+#define CLI_UNPSIZELIMITS(NAME,CHK) \
+if(ctx->limits && ctx->limits->maxfilesize && (CHK) > ctx->limits->maxfilesize) { \
+ cli_dbgmsg(NAME": Sizes exceeded (%lu > %lu)\n", (CHK), ctx->limits->maxfilesize); \
+ free(exe_sections); \
+ if(BLOCKMAX) { \
+ *ctx->virname = "PE."NAME".ExceededFileSize"; \
+ return CL_VIRUS; \
+ } else { \
+ return CL_CLEAN; \
+ } \
+}
+
extern short cli_leavetemps_flag;
struct offset_list {
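Review bot: In `CLI_UNPSIZELIMITS` the `cli_dbgmsg` call prints `(CHK)` with `%lu`, but the macro accepts whatever type the caller passes. The MEW call sites in the second hunk pass `MAX(ssize, dsize)`, values the removed code printed with `%u`, so the argument is probably a 32-bit unsigned and the varargs read would be mismatched on LP64 targets. Casting at the point of use fixes this for every caller: `cli_dbgmsg(NAME": Sizes exceeded (%lu > %lu)\n", (unsigned long)(CHK), (unsigned long)ctx->limits->maxfilesize);`. The macro also expands to a bare `if` that frees `exe_sections` and returns from the enclosing function, and it evaluates `CHK` twice. A comment above it naming those hidden dependencies (`ctx`, `exe_sections`, `BLOCKMAX`, the early return) and a `do { ... } while(0)` wrapper would make it safer to reuse in other unpacker paths.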
@@ -1153,16 +1165,9 @@ int cli_scanpe(int desc, cli_ctx *ctx)
dsize = exe_sections[i].vsz;
cli_dbgmsg("MEW: ssize %08x dsize %08x offdiff: %08x\n", ssize, dsize, offdiff);
- if(ctx->limits && ctx->limits->maxfilesize && (ssize + dsize > ctx->limits->maxfilesize || exe_sections[i + 1].rsz > ctx->limits->maxfilesize)) {
- cli_dbgmsg("MEW: Sizes exceeded (ssize: %u, dsize: %u, max: %lu)\n", ssize, dsize , ctx->limits->maxfilesize);
- free(exe_sections);
- if(BLOCKMAX) {
- *ctx->virname = "PE.MEW.ExceededFileSize";
- return CL_VIRUS;
- } else {
- return CL_CLEAN;
- }
- }
+
+ CLI_UNPSIZELIMITS("MEW", MAX(ssize, dsize));
+ CLI_UNPSIZELIMITS("MEW", MAX(ssize + dsize, exe_sections[i + 1].rsz));
/* allocate needed buffer */
if (!(src = cli_calloc (ssize + dsize, sizeof(char)))) {
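Review bot: The two `CLI_UNPSIZELIMITS` calls bound `ssize + dsize` only when a limit is configured. When `ctx->limits` is NULL or `maxfilesize` is 0 the macro does nothing, so the sum still reaches `cli_calloc (ssize + dsize, sizeof(char))` unchecked and the wrap this commit targets remains possible in that configuration. The declarations of `ssize` and `dsize` are outside the hunk, but if they are unsigned (the `%08x` format suggests so), an unconditional guard before the allocation closes the gap: `if(ssize + dsize < ssize) { free(exe_sections); return CL_CLEAN; }`, using whichever return code the function uses for malformed sections. The second call also folds the sum and `exe_sections[i + 1].rsz` into one `MAX`, so the debug message no longer shows which value tripped the limit. `cli_scanpe` continues outside the hunk, so later uses of these sizes cannot be checked from here.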