/* * Copyright (C) 2013-2020 Cisco Systems, Inc. and/or its affiliates. All rights reserved. * Copyright (C) 2011-2013 Sourcefire, Inc. * * Authors: Tomasz Kojm <tkojm@clamav.net> * * This program is free software; you can redistribute it and/or modify * it under the terms of the GNU General Public License version 2 as * published by the Free Software Foundation. * * This program is distributed in the hope that it will be useful, * but WITHOUT ANY WARRANTY; without even the implied warranty of * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the * GNU General Public License for more details. * * You should have received a copy of the GNU General Public License * along with this program; if not, write to the Free Software * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, * MA 02110-1301, USA. */ #if HAVE_CONFIG_H #include "clamav-config.h" #endif #include <stdio.h> #include <string.h> #include <sys/types.h> #include <sys/stat.h> #include <fcntl.h> #include <sys/stat.h> #ifdef HAVE_UNISTD_H #include <unistd.h> #endif #include <time.h> #include "jpeg.h" #include "clamav.h" #define GETBYTE(v) \ if (fmap_readn(map, &v, offset, sizeof(v)) == sizeof(v)) { \ offset += sizeof(v); \ } else { \ cli_errmsg("cli_parsejpeg: Can't read file (corrupted?)\n"); \ return CL_EPARSE; \ } cl_error_t cli_parsejpeg(cli_ctx *ctx) { fmap_t *map = *ctx->fmap; unsigned char marker, prev_marker, prev_segment = 0, v1, v2, buff[8]; unsigned int offset = 0, i, len, comment = 0, segment = 0, app = 0; cli_dbgmsg("in cli_parsejpeg()\n"); if (fmap_readn(map, buff, offset, 4) != 4) return CL_SUCCESS; /* Ignore */ if (!memcmp(buff, "\xff\xd8\xff", 3)) offset = 2; else if (!memcmp(buff, "\xff\xd9\xff\xd8", 4)) offset = 4; else return CL_SUCCESS; /* Not a JPEG file */ while (1) { segment++; prev_marker = 0; for (i = 0; offset < map->len && i < 16; i++) { GETBYTE(marker); if (prev_marker == 0xff && marker != 0xff) break; prev_marker = marker; } if (i == 16) { cli_warnmsg("cli_parsejpeg: Spurious bytes before segment %u\n", segment); return CL_EPARSE; } if (offset == map->len) { cli_warnmsg("cli_parsejpeg: Error looking for marker\n"); return CL_EPARSE; } GETBYTE(v1); GETBYTE(v2); len = (unsigned int)(v1 << 8) | v2; cli_dbgmsg("JPEG: Marker %02x, length %u\n", marker, len); if (len < 2) { cli_warnmsg("cli_parsejpeg: Invalid segment size\n"); return CL_EPARSE; } if (len >= map->len - offset + 2) { cli_warnmsg("cli_parsejpeg: Segment data out of file\n"); return CL_EPARSE; } offset += len - 2; switch (marker) { case 0xe0: /* JFIF */ if (app) { cli_warnmsg("cli_parsejpeg: Duplicate Application Marker\n"); return CL_EPARSE; } if (segment != 1 && (segment != 2 || !comment)) { cli_warnmsg("cli_parsejpeg: JFIF marker at wrong position\n"); return CL_EPARSE; } if (fmap_readn(map, buff, offset - len + 2, 5) != 5 || memcmp(buff, "JFIF\0", 5)) { cli_warnmsg("cli_parsejpeg: No JFIF marker\n"); return CL_EPARSE; } if (len < 16) { cli_warnmsg("cli_parsejpeg: JFIF header too short\n"); return CL_EPARSE; } app = 0xe0; break; case 0xe1: /* EXIF */ if (fmap_readn(map, buff, offset - len + 2, 7) != 7) { cli_warnmsg("cli_parsejpeg: Can't read Exif header\n"); return CL_EPARSE; } if (!memcmp(buff, "Exif\0\0", 6)) { if (app && app != 0xe0) { cli_warnmsg("cli_parsejpeg: Duplicate Application Marker\n"); return CL_EPARSE; } if (segment > 3 && !comment && app != 0xe0) { cli_warnmsg("cli_parsejpeg: Exif marker at wrong position\n"); return CL_EPARSE; } } else if (!memcmp(buff, "http://", 7)) { cli_dbgmsg("JPEG: XMP data in segment %u\n", segment); } else { cli_warnmsg("cli_parsejpeg: Invalid Exif header\n"); return CL_EPARSE; } if (len < 16) { cli_warnmsg("cli_parsejpeg: Exif header too short\n"); return CL_EPARSE; } app = 0xe1; break; case 0xe8: /* SPIFF */ if (app) { cli_warnmsg("cli_parsejpeg: Duplicate Application Marker\n"); return CL_EPARSE; } if (segment != 1 && (segment != 2 || !comment)) { cli_warnmsg("cli_parsejpeg: SPIFF marker at wrong position\n"); return CL_EPARSE; } if (fmap_readn(map, buff, offset - len + 2, 6) != 6 || memcmp(buff, "SPIFF\0", 6)) { cli_warnmsg("cli_parsejpeg: No SPIFF marker\n"); return CL_EPARSE; } if (len < 16) { cli_warnmsg("cli_parsejpeg: SPIFF header too short\n"); return CL_EPARSE; } app = 0xe8; break; case 0xf7: /* JPG7 */ if (app) { cli_warnmsg("cli_parsejpeg: Application Marker before JPG7\n"); return CL_EPARSE; } return CL_SUCCESS; case 0xda: /* SOS */ if (!app) { cli_warnmsg("cli_parsejpeg: Invalid file structure\n"); return CL_EPARSE; } return CL_SUCCESS; case 0xd9: /* EOI */ cli_warnmsg("cli_parsejpeg: No image in jpeg\n"); return CL_EPARSE; case 0xfe: /* COM */ comment = 1; break; case 0xed: /* IPTC */ comment = 1; break; case 0xf2: /* DTT */ if (prev_segment != 0xf1) { cli_warnmsg("cli_parsejpeg: No DTI segment before DTT\n"); return CL_EPARSE; } break; default: break; } prev_segment = marker; } return CL_SUCCESS; }