@@ -1,13 +1,39 @@

 # ClamAV News

 Note: This file refers to the source tarball. Things described here may differ

- slight

+ slightly from the binary packages.

 ## 0.101.4

-An out of bounds write was possible within ClamAV's NSIS bzip2 library when attempting decompression in cases where the number of selectors exceeded the max limit set by the library (CVE-2019-12900). The issue has been resolved by respecting that limit.

+ClamAV 0.101.4 is a security patch release that addresses the following issues.

-Thanks to Martin Simmons for reporting the issue [here](https://bugzilla.clamav.net/show_bug.cgi?id=12371)

+- An out of bounds write was possible within ClamAV's NSIS bzip2 library when

+  attempting decompression in cases where the number of selectors exceeded the

+  max limit set by the library (CVE-2019-12900). The issue has been resolved

+  by respecting that limit.

+

+  Thanks to Martin Simmons for reporting the issue [here](https://bugzilla.clamav.net/show_bug.cgi?id=12371)

+

+- A workaround for the zip-bomb vulnerability patch found in 0.101.3 was

+  identified. To remediate future denial of service conditions caused by

+  excessive scan times, a scan time limit has been introduced.

+

+  The default value is 2 minutes (120000 milliseconds).

+

+  To customize the time limit:

+

+  - use the `clamscan` `--max-scantime` option

+  - use the `clamd` `MaxScanTime` config option

+

+  Libclamav users may customize the time limit using the `cl_engine_set_num`

+  function. For example:

+

+  ```c

+      cl_engine_set_num(engine, CL_ENGINE_MAX_SCANTIME, time_limit_milliseconds)

+  ```

+

+  Thanks to David Fifield for reviewing the zip-bomb mitigation in 0.101.3

+  and reporting the issue.

 ## 0.101.3

@@ -88,7 +88,7 @@ static void scanner_thread(void *arg)

 #ifndef	_WIN32

     /* ignore all signals */

     sigfillset(&sigset);

-    /* The behavior of a process is undefined after it ignores a 

+    /* The behavior of a process is undefined after it ignores a

      * SIGFPE, SIGILL, SIGSEGV, or SIGBUS signal */

     sigdelset(&sigset, SIGFPE);

     sigdelset(&sigset, SIGILL);

@@ -552,7 +552,7 @@ static const char* parse_dispatch_cmd(client_conn_t *conn, struct fd_buf *buf, s

 		/* no more commands are accepted */

 		conn->mode = MODE_WAITREPLY;

 		/* Stop monitoring this FD, it will be closed either

-		 * by us, or by the scanner thread. 

+		 * by us, or by the scanner thread.

 		 * Never close a file descriptor that is being

 		 * monitored by poll()/select() from another thread,

 		 * because this can lead to subtle bugs such as:

@@ -631,7 +631,7 @@ static int handle_stream(client_conn_t *conn, struct fd_buf *buf, const struct o

     int rc;

     size_t pos = *ppos;

     size_t cmdlen;

-    

+

     logg("$mode == MODE_STREAM\n");

     /* we received some data, set readtimeout */

     time(&buf->timeout_at);

@@ -754,12 +754,25 @@ int recvloop_th(int *socketds, unsigned nsockets, struct cl_engine *engine, unsi

 	memset(&options, 0, sizeof(struct cl_scan_options));

     /* set up limits */

-    if((opt = optget(opts, "MaxScanSize"))->active) {

-	if((ret = cl_engine_set_num(engine, CL_ENGINE_MAX_SCANSIZE, opt->numarg))) {

-	    logg("!cl_engine_set_num(CL_ENGINE_MAX_SCANSIZE) failed: %s\n", cl_strerror(ret));

-	    cl_engine_free(engine);

-	    return 1;

-	}

+    if ((opt = optget(opts, "MaxScanTime"))->active) {

+        if ((ret = cl_engine_set_num(engine, CL_ENGINE_MAX_SCANTIME, opt->numarg))) {

+            logg("!cl_engine_set_num(CL_ENGINE_MAX_SCANTIME) failed: %s\n", cl_strerror(ret));

+            cl_engine_free(engine);

+            return 1;

+        }

+    }

+    val = cl_engine_get_num(engine, CL_ENGINE_MAX_SCANTIME, NULL);

+    if (val)

+        logg("Limits: Global time limit set to %llu milliseconds.\n", val);

+    else

+        logg("^Limits: Global time limit protection disabled.\n");

+

+    if ((opt = optget(opts, "MaxScanSize"))->active) {

+        if ((ret = cl_engine_set_num(engine, CL_ENGINE_MAX_SCANSIZE, opt->numarg))) {

+            logg("!cl_engine_set_num(CL_ENGINE_MAX_SCANSIZE) failed: %s\n", cl_strerror(ret));

+            cl_engine_free(engine);

+            return 1;

+        }

     }

     val = cl_engine_get_num(engine, CL_ENGINE_MAX_SCANSIZE, NULL);

     if(val)

@@ -1016,7 +1029,7 @@ int recvloop_th(int *socketds, unsigned nsockets, struct cl_engine *engine, unsi

 	/* TODO: Remove deprecated option in a future feature release */

     if (optget(opts, "ScanPE")->enabled || optget(opts, "ScanELF")->enabled) {

-        if ((optget(opts, "DetectBrokenExecutables")->enabled) || 

+        if ((optget(opts, "DetectBrokenExecutables")->enabled) ||

 			(optget(opts, "AlertBrokenExecutables")->enabled)) {

             logg("Alerting on broken executables enabled.\n");

             options.heuristic |= CL_SCAN_HEURISTIC_BROKEN;

@@ -1039,7 +1052,7 @@ int recvloop_th(int *socketds, unsigned nsockets, struct cl_engine *engine, unsi

     if (optget(opts, "ScanOLE2")->enabled) {

         logg("OLE2 support enabled.\n");

         options.parse |= CL_SCAN_PARSE_OLE2;

-		

+

 		/* TODO: Remove deprecated option in a future feature release */

         if ((optget(opts, "OLE2BlockMacros")->enabled) ||

         	(optget(opts, "AlertOLE2Macros")->enabled)) {

@@ -1187,7 +1200,7 @@ int recvloop_th(int *socketds, unsigned nsockets, struct cl_engine *engine, unsi

 	int solaris_has_extended_stdio = 0;

 #endif

 	/* Condition to not run out of file descriptors:

-	 * MaxThreads * MaxRecursion + (MaxQueue - MaxThreads) + CLAMDFILES < RLIMIT_NOFILE 

+	 * MaxThreads * MaxRecursion + (MaxQueue - MaxThreads) + CLAMDFILES < RLIMIT_NOFILE

 	 * CLAMDFILES is 6: 3 standard FD + logfile + 2 FD for reloading the DB

 	 * */

 #ifdef C_SOLARIS

@@ -1314,12 +1327,12 @@ int recvloop_th(int *socketds, unsigned nsockets, struct cl_engine *engine, unsi

     sigdelset(&sigset, SIGHUP);

     sigdelset(&sigset, SIGPIPE);

     sigdelset(&sigset, SIGUSR2);

-    /* The behavior of a process is undefined after it ignores a 

+    /* The behavior of a process is undefined after it ignores a

      * SIGFPE, SIGILL, SIGSEGV, or SIGBUS signal */

     sigdelset(&sigset, SIGFPE);

     sigdelset(&sigset, SIGILL);

     sigdelset(&sigset, SIGSEGV);

-#ifdef SIGBUS    

+#ifdef SIGBUS

     sigdelset(&sigset, SIGBUS);

 #endif

     sigdelset(&sigset, SIGTSTP);

@@ -1663,4 +1676,4 @@ int recvloop_th(int *socketds, unsigned nsockets, struct cl_engine *engine, unsi

     logg("--- Stopped at %s", cli_ctime(&current_time, timestr, sizeof(timestr)));

     return ret;

-} 

+}

@@ -145,7 +145,7 @@ int main(int argc, char **argv)

 	    optfree(opts);

 	    return 2;

 	}

-    } else 

+    } else

 	logg_file = NULL;

     if(actsetup(opts)) {

@@ -277,6 +277,7 @@ void help(void)

     mprintf("    --nocerts                            Disable authenticode certificate chain verification in PE files\n");

     mprintf("    --dumpcerts                          Dump authenticode certificate chain in PE files\n");

     mprintf("\n");

+    mprintf("    --max-scantime=#n                    Scan time longer than this will be skipped and assumed clean\n");

     mprintf("    --max-filesize=#n                    Files larger than this will be skipped and assumed clean\n");

     mprintf("    --max-scansize=#n                    The maximum amount of data to scan for each container file (**)\n");

     mprintf("    --max-files=#n                       The maximum number of files to scan for each container file (**)\n");

@@ -340,7 +340,7 @@ static void scanfile(const char *filename, struct cl_engine *engine, const struc

             return;

         }

-#endif    

+#endif

         if(!sb.st_size) {

             if(!printinfected)

                 logg("~%s: Empty file\n", filename);

@@ -674,7 +674,7 @@ int scanmanager(const struct optstruct *opts)

     }

     cl_engine_set_clcb_virus_found(engine, clamscan_virus_found_cb);

-    

+

     if (optget(opts, "disable-cache")->enabled)

         cl_engine_set_num(engine, CL_ENGINE_DISABLE_CACHE, 1);

@@ -873,6 +873,24 @@ int scanmanager(const struct optstruct *opts)

     /* set limits */

+    /* TODO: Remove deprecated option in a future feature release */

+    if ((opt = optget(opts, "timelimit"))->active) {

+        if ((ret = cl_engine_set_num(engine, CL_ENGINE_MAX_SCANTIME, opt->numarg))) {

+            logg("!cli_engine_set_num(CL_ENGINE_MAX_SCANTIME) failed: %s\n", cl_strerror(ret));

+

+            cl_engine_free(engine);

+            return 2;

+        }

+    }

+    if ((opt = optget(opts, "max-scantime"))->active) {

+        if ((ret = cl_engine_set_num(engine, CL_ENGINE_MAX_SCANTIME, opt->numarg))) {

+            logg("!cli_engine_set_num(CL_ENGINE_MAX_SCANTIME) failed: %s\n", cl_strerror(ret));

+

+            cl_engine_free(engine);

+            return 2;

+        }

+    }

+

     if((opt = optget(opts, "max-scansize"))->active) {

         if((ret = cl_engine_set_num(engine, CL_ENGINE_MAX_SCANSIZE, opt->numarg))) {

             logg("!cli_engine_set_num(CL_ENGINE_MAX_SCANSIZE) failed: %s\n", cl_strerror(ret));

@@ -994,15 +1012,6 @@ int scanmanager(const struct optstruct *opts)

         }

     }

-    if ((opt = optget(opts, "timelimit"))->active) {

-        if ((ret = cl_engine_set_num(engine, CL_ENGINE_TIME_LIMIT, opt->numarg))) {

-            logg("!cli_engine_set_num(CL_ENGINE_TIME_LIMIT) failed: %s\n", cl_strerror(ret));

-

-            cl_engine_free(engine);

-            return 2;

-        }

-    }

-

     if ((opt = optget(opts, "pcre-max-filesize"))->active) {

         if ((ret = cl_engine_set_num(engine, CL_ENGINE_PCRE_MAX_FILESIZE, opt->numarg))) {

             logg("!cli_engine_set_num(CL_ENGINE_PCRE_MAX_FILESIZE) failed: %s\n", cl_strerror(ret));

@@ -1038,7 +1047,7 @@ int scanmanager(const struct optstruct *opts)

         options.parse |= CL_SCAN_PARSE_ARCHIVE;

     /* TODO: Remove deprecated option in a future feature release */

-    if ((optget(opts, "detect-broken")->enabled) || 

+    if ((optget(opts, "detect-broken")->enabled) ||

         (optget(opts, "alert-broken")->enabled)) {

         options.heuristic |= CL_SCAN_HEURISTIC_BROKEN;

     }

@@ -1096,7 +1105,7 @@ int scanmanager(const struct optstruct *opts)

     }

     /* TODO: Remove deprecated option in a future feature release */

-    if ((optget(opts, "block-max")->enabled) || 

+    if ((optget(opts, "block-max")->enabled) ||

         (optget(opts, "alert-exceeds-max")->enabled)) {

         options.heuristic |= CL_SCAN_HEURISTIC_EXCEEDS_MAX;

     }

@@ -85,7 +85,7 @@ Example

 # Default: no

 #OfficialDatabaseOnly no

-# The daemon can work in local mode, network mode or both. 

+# The daemon can work in local mode, network mode or both.

 # Due to security reasons we recommend the local mode.

 # Path to a local socket file the daemon will listen on.

@@ -231,7 +231,7 @@ Example

 #DetectPUA yes

 # Exclude a specific PUA category. This directive can be used multiple times.

-# See https://github.com/vrtadmin/clamav-faq/blob/master/faq/faq-pua.md for 

+# See https://github.com/vrtadmin/clamav-faq/blob/master/faq/faq-pua.md for

 # the complete list of PUA categories.

 # Default: Load all categories (if DetectPUA is activated)

 #ExcludePUA NetTool

@@ -271,9 +271,9 @@ Example

 # the end of a scan. If an archive contains both a heuristically detected

 # virus/phish, and a real malware, the real malware will be reported

 #

-# Keep this disabled if you intend to handle "*.Heuristics.*" viruses 

+# Keep this disabled if you intend to handle "*.Heuristics.*" viruses

 # differently from "real" malware.

-# If a non-heuristically-detected virus (signature-based) is found first, 

+# If a non-heuristically-detected virus (signature-based) is found first,

 # the scan is interrupted immediately, regardless of this config option.

 #

 # Default: no

@@ -475,6 +475,16 @@ Example

 # The options below protect your system against Denial of Service attacks

 # using archive bombs.

+# This option sets the maximum amount of time to a scan may take.

+# In this version, this field only affects the scan time of ZIP archives.

+# Value of 0 disables the limit

+# Note: disabling this limit or setting it too high may result allow scanning

+# of certain files to lock up the scanning process/threads resulting in a Denial

+# of Service.

+# Time is in milliseconds.

+# Default: 120000

+#MaxScanTime 300000

+

 # This option sets the maximum amount of data to be scanned for each input

 # file.

 # Archives and other containers are recursively extracted and scanned up to

@@ -697,7 +707,7 @@ Example

 ## Bytecode

 ##

-# With this option enabled ClamAV will load bytecode from the database. 

+# With this option enabled ClamAV will load bytecode from the database.

 # It is highly recommended you keep this option on, otherwise you'll miss

 # detections for many new viruses.

 # Default: yes

@@ -721,7 +731,7 @@ Example

 #BytecodeSecurity TrustSigned

 # Set bytecode timeout in milliseconds.

-# 

+#

 # Default: 5000

 # BytecodeTimeout 1000

@@ -298,7 +298,7 @@ enum cl_engine_field {

     CL_ENGINE_MAX_PARTITIONS,       /* uint32_t */

     CL_ENGINE_MAX_ICONSPE,          /* uint32_t */

     CL_ENGINE_MAX_RECHWP3,          /* uint32_t */

-    CL_ENGINE_TIME_LIMIT,           /* uint32_t */

+    CL_ENGINE_MAX_SCANTIME,         /* uint32_t */

     CL_ENGINE_PCRE_MATCH_LIMIT,     /* uint64_t */

     CL_ENGINE_PCRE_RECMATCH_LIMIT,  /* uint64_t */

     CL_ENGINE_PCRE_MAX_FILESIZE,    /* uint64_t */

@@ -31,6 +31,7 @@

 #define CLI_DEFAULT_BM_OFFMODE_FSIZE	262144

+#define CLI_DEFAULT_MAXSCANTIME     120000

 #define CLI_DEFAULT_MAXSCANSIZE	    104857600

 #define CLI_DEFAULT_MAXFILESIZE	    26214400

 #define CLI_DEFAULT_MAXRECLEVEL	    16

@@ -687,6 +687,12 @@ int cli_pcre_scanbuf(const unsigned char *buffer, uint32_t length, const char **

         /* if the global flag is set, loop through the scanning */

         do {

+            if (cli_checktimelimit(ctx) != CL_SUCCESS) {

+                cli_dbgmsg("cli_unzip: Time limit reached (max: %u)\n", ctx->engine->maxscantime);

+                ret = CL_ETIMEOUT;

+                break;

+            }

+

             /* reset the match results */

             if ((ret = cli_pcre_results_reset(&p_res, pd)) != CL_SUCCESS)

                 break;

@@ -262,7 +262,7 @@ const char *cl_strerror(int clerror)

 	case CL_EMEM:

 	    return "Can't allocate memory";

 	case CL_ETIMEOUT:

-	    return "Time limit reached";

+	    return "CL_ETIMEOUT: Time limit reached";

 	/* internal (needed for debug messages) */

 	case CL_EMAXREC:

 	    return "CL_EMAXREC";

@@ -324,6 +324,7 @@ struct cl_engine *cl_engine_new(void)

     }

     /* Setup default limits */

+    new->maxscantime = CLI_DEFAULT_MAXSCANTIME;

     new->maxscansize = CLI_DEFAULT_MAXSCANSIZE;

     new->maxfilesize = CLI_DEFAULT_MAXFILESIZE;

     new->maxreclevel = CLI_DEFAULT_MAXRECLEVEL;

@@ -616,9 +617,9 @@ int cl_engine_set_num(struct cl_engine *engine, enum cl_engine_field field, long

 	case CL_ENGINE_MAX_RECHWP3:

 	    engine->maxrechwp3 = (uint32_t)num;

 	    break;

-	case CL_ENGINE_TIME_LIMIT:

-	    engine->time_limit = (uint32_t)num;

-	    break;

+    case CL_ENGINE_MAX_SCANTIME:

+        engine->maxscantime = (uint32_t)num;

+        break;

 	case CL_ENGINE_PCRE_MATCH_LIMIT:

 	    engine->pcre_match_limit = (uint64_t)num;

 	    break;

@@ -717,8 +718,8 @@ long long cl_engine_get_num(const struct cl_engine *engine, enum cl_engine_field

 	    return engine->maxiconspe;

     case CL_ENGINE_MAX_RECHWP3:

 	    return engine->maxrechwp3;

-	case CL_ENGINE_TIME_LIMIT:

-            return engine->time_limit;

+    case CL_ENGINE_MAX_SCANTIME:

+        return engine->maxscantime;

 	case CL_ENGINE_PCRE_MATCH_LIMIT:

 	    return engine->pcre_match_limit;

 	case CL_ENGINE_PCRE_RECMATCH_LIMIT:

@@ -798,6 +799,7 @@ struct cl_settings *cl_engine_settings_copy(const struct cl_engine *engine)

     settings->ac_maxdepth = engine->ac_maxdepth;

     settings->tmpdir = engine->tmpdir ? strdup(engine->tmpdir) : NULL;

     settings->keeptmp = engine->keeptmp;

+    settings->maxscantime = engine->maxscantime;

     settings->maxscansize = engine->maxscansize;

     settings->maxfilesize = engine->maxfilesize;

     settings->maxreclevel = engine->maxreclevel;

@@ -852,6 +854,7 @@ int cl_engine_settings_apply(struct cl_engine *engine, const struct cl_settings

     engine->ac_mindepth = settings->ac_mindepth;

     engine->ac_maxdepth = settings->ac_maxdepth;

     engine->keeptmp = settings->keeptmp;

+    engine->maxscantime = settings->maxscantime;

     engine->maxscansize = settings->maxscansize;

     engine->maxfilesize = settings->maxfilesize;

     engine->maxreclevel = settings->maxreclevel;

@@ -940,8 +943,9 @@ void cli_check_blockmax(cli_ctx *ctx, int rc)

     }

 }

-int cli_checklimits(const char *who, cli_ctx *ctx, unsigned long need1, unsigned long need2, unsigned long need3) {

-    int ret = CL_SUCCESS;

+cl_error_t cli_checklimits(const char *who, cli_ctx *ctx, unsigned long need1, unsigned long need2, unsigned long need3)

+{

+    cl_error_t ret = CL_SUCCESS;

     unsigned long needed;

     /* if called without limits, go on, unpack, scan */

@@ -950,6 +954,9 @@ int cli_checklimits(const char *who, cli_ctx *ctx, unsigned long need1, unsigned

     needed = (need1>need2)?need1:need2;

     needed = (needed>need3)?needed:need3;

+    /* Enforce timelimit */

+    ret = cli_checktimelimit(ctx);

+

     /* if we have global scan limits */

     if(needed && ctx->engine->maxscansize) {

         /* if the remaining scansize is too small... */

@@ -978,8 +985,9 @@ int cli_checklimits(const char *who, cli_ctx *ctx, unsigned long need1, unsigned

     return ret;

 }

-int cli_updatelimits(cli_ctx *ctx, unsigned long needed) {

-    int ret=cli_checklimits("cli_updatelimits", ctx, needed, 0, 0);

+cl_error_t cli_updatelimits(cli_ctx *ctx, unsigned long needed)

+{

+    cl_error_t ret = cli_checklimits("cli_updatelimits", ctx, needed, 0, 0);

     if (ret != CL_CLEAN) return ret;

     ctx->scannedfiles++;

@@ -989,18 +997,33 @@ int cli_updatelimits(cli_ctx *ctx, unsigned long needed) {

     return CL_CLEAN;

 }

-int cli_checktimelimit(cli_ctx *ctx)

+/**

+ * @brief Check if we've exceeded the time limit.

+ * If ctx is NULL, there can be no timelimit so just return success.

+ *

+ * @param ctx         The scanning context.

+ * @return cl_error_t CL_SUCCESS if has not exceeded, CL_ETIMEOUT if has exceeded.

+ */

+cl_error_t cli_checktimelimit(cli_ctx *ctx)

 {

+    cl_error_t ret = CL_SUCCESS;

+

+    if (NULL == ctx) {

+        goto done;

+    }

+

     if (ctx->time_limit.tv_sec != 0) {

         struct timeval now;

         if (gettimeofday(&now, NULL) == 0) {

-            if (now.tv_sec < ctx->time_limit.tv_sec)

-                return CL_SUCCESS;

-            if (now.tv_sec > ctx->time_limit.tv_sec || now.tv_usec > ctx->time_limit.tv_usec)

-                return CL_ETIMEOUT;

+            if (now.tv_sec > ctx->time_limit.tv_sec)

+                ret = CL_ETIMEOUT;

+            else if (now.tv_sec == ctx->time_limit.tv_sec && now.tv_usec > ctx->time_limit.tv_usec)

+                ret = CL_ETIMEOUT;

         }

     }

-    return CL_SUCCESS;

+

+done:

+    return ret;

 }

 /*

@@ -1078,7 +1101,7 @@ int cli_unlink(const char* pathname)

 {

     if (unlink(pathname) == -1) {

 #ifdef _WIN32

-        /* Windows may fail to unlink a file if it is marked read-only, 

+        /* Windows may fail to unlink a file if it is marked read-only,

 		 * even if the user has permissions to delete the file. */

         if (-1 == _chmod(pathname, _S_IWRITE)) {

             char err[128];

@@ -1105,7 +1128,7 @@ void cli_virus_found_cb(cli_ctx * ctx)

         ctx->engine->cb_virus_found(fmap_fd(*ctx->fmap), (const char *)*ctx->virname, ctx->cb_ctx);

 }

-int cli_append_possibly_unwanted(cli_ctx * ctx, const char * virname)

+cl_error_t cli_append_possibly_unwanted(cli_ctx *ctx, const char *virname)

 {

     if (SCAN_ALLMATCHES)

         return cli_append_virus(ctx, virname);

@@ -1128,7 +1151,7 @@ int cli_append_virus(cli_ctx * ctx, const char * virname)

     if (!SCAN_ALLMATCHES && ctx->num_viruses != 0)

         if (SCAN_HEURISTIC_PRECEDENCE)

             return CL_CLEAN;

-    if (ctx->limit_exceeded == 0 || SCAN_ALLMATCHES) { 

+    if (ctx->limit_exceeded == 0 || SCAN_ALLMATCHES) {

         ctx->num_viruses++;

         *ctx->virname = virname;

         cli_virus_found_cb(ctx);

@@ -1225,7 +1248,7 @@ int

 cli_rmdirs(const char *name)

 {

 	int rc;

-	STATBUF statb;	

+	STATBUF statb;

 	DIR *dd;

 	struct dirent *dent;

 #if defined(HAVE_READDIR_R_3) || defined(HAVE_READDIR_R_2)

@@ -1288,7 +1311,7 @@ cli_rmdirs(const char *name)

 	return -1;

     }

-    return rc;	

+    return rc;

 }

 #else

 int cli_rmdirs(const char *dirname)

@@ -1367,7 +1390,7 @@ int cli_rmdirs(const char *dirname)

 	    rewinddir(dd);

 	}

-    } else { 

+    } else {

 	return -1;

     }

@@ -1397,7 +1420,7 @@ static unsigned long nearest_power(unsigned long num)

 bitset_t *cli_bitset_init(void)

 {

 	bitset_t *bs;

-	

+

 	bs = cli_malloc(sizeof(bitset_t));

 	if (!bs) {

         cli_errmsg("cli_bitset_init: Unable to allocate memory for bs %llu\n", (long long unsigned)sizeof(bitset_t));

@@ -1428,7 +1451,7 @@ static bitset_t *bitset_realloc(bitset_t *bs, unsigned long min_size)

 {

 	unsigned long new_length;

 	unsigned char *new_bitset;

-	

+

 	new_length = nearest_power(min_size);

 	new_bitset = (unsigned char *) cli_realloc(bs->bitset, new_length);

 	if (!new_bitset) {

@@ -1443,7 +1466,7 @@ static bitset_t *bitset_realloc(bitset_t *bs, unsigned long min_size)

 int cli_bitset_set(bitset_t *bs, unsigned long bit_offset)

 {

 	unsigned long char_offset;

-	

+

 	char_offset = bit_offset / BITS_PER_CHAR;

 	bit_offset = bit_offset % BITS_PER_CHAR;

@@ -1460,11 +1483,11 @@ int cli_bitset_set(bitset_t *bs, unsigned long bit_offset)

 int cli_bitset_test(bitset_t *bs, unsigned long bit_offset)

 {

 	unsigned long char_offset;

-	

+

 	char_offset = bit_offset / BITS_PER_CHAR;

 	bit_offset = bit_offset % BITS_PER_CHAR;

-	if (char_offset >= bs->length) {	

+	if (char_offset >= bs->length) {

 		return FALSE;

 	}

 	return (bs->bitset[char_offset] & ((unsigned char)1 << bit_offset));

@@ -286,6 +286,7 @@ struct cl_engine {

     uint64_t engine_options;

     /* Limits */

+    uint32_t maxscantime;  /* Time limit (in milliseconds) */

     uint64_t maxscansize;  /* during the scanning of archives this size

 				     * will never be exceeded

 				     */

@@ -405,9 +406,6 @@ struct cl_engine {

     uint32_t maxiconspe; /* max number of icons to scan for PE */

     uint32_t maxrechwp3; /* max recursive calls for HWP3 parsing */

-    /* millisecond time limit for preclassification scanning */

-    uint32_t time_limit;

-

     /* PCRE matching limitations */

     uint64_t pcre_match_limit;

     uint64_t pcre_recmatch_limit;

@@ -429,6 +427,7 @@ struct cl_settings {

     uint32_t ac_maxdepth;

     char *tmpdir;

     uint32_t keeptmp;

+    uint32_t maxscantime;

     uint64_t maxscansize;

     uint64_t maxfilesize;

     uint32_t maxreclevel;

@@ -811,21 +810,20 @@ cl_error_t cli_gentempfd_with_prefix(const char* dir, char* prefix, char** name,

 unsigned int cli_rndnum(unsigned int max);

 int cli_filecopy(const char *src, const char *dest);

-int cli_mapscan(fmap_t *map, off_t offset, size_t size, cli_ctx *ctx, cli_file_t type);

 bitset_t *cli_bitset_init(void);

 void cli_bitset_free(bitset_t *bs);

 int cli_bitset_set(bitset_t *bs, unsigned long bit_offset);

 int cli_bitset_test(bitset_t *bs, unsigned long bit_offset);

 const char* cli_ctime(const time_t *timep, char *buf, const size_t bufsize);

 void cli_check_blockmax(cli_ctx *, int);

-int cli_checklimits(const char *, cli_ctx *, unsigned long, unsigned long, unsigned long);

-int cli_updatelimits(cli_ctx *, unsigned long);

+cl_error_t cli_checklimits(const char *, cli_ctx *, unsigned long, unsigned long, unsigned long);

+cl_error_t cli_updatelimits(cli_ctx *, unsigned long);

 unsigned long cli_getsizelimit(cli_ctx *, unsigned long);

 int cli_matchregex(const char *str, const char *regex);

 void cli_qsort(void *a, size_t n, size_t es, int (*cmp)(const void *, const void *));

 void cli_qsort_r(void *a, size_t n, size_t es, int (*cmp)(const void*, const void *, const void *), void *arg);

-int cli_checktimelimit(cli_ctx *ctx);

-int cli_append_possibly_unwanted(cli_ctx * ctx, const char * virname);

+cl_error_t cli_checktimelimit(cli_ctx *ctx);

+cl_error_t cli_append_possibly_unwanted(cli_ctx *ctx, const char *virname);

 /* symlink behaviour */

 #define CLI_FTW_FOLLOW_FILE_SYMLINK 0x01

@@ -3743,7 +3743,6 @@ static int magic_scandesc(cli_ctx *ctx, cli_file_t type)

             case CL_ETMPFILE:

             case CL_ETMPDIR:

             case CL_EMEM:

-            case CL_ETIMEOUT:

                 cli_dbgmsg("Descriptor[%d]: cli_scanraw error %s\n", fmap_fd(*ctx->fmap), cl_strerror(res));

                 cli_bitset_free(ctx->hook_lsig_matches);

                 ctx->hook_lsig_matches = old_hook_lsig_matches;

@@ -3756,7 +3755,15 @@ static int magic_scandesc(cli_ctx *ctx, cli_file_t type)

                 cli_bitset_free(ctx->hook_lsig_matches);

                 ctx->hook_lsig_matches = old_hook_lsig_matches;

                 return magic_scandesc_cleanup(ctx, type, hash, hashed_size, cache_clean, ret, parent_property);

-            /* "MAX" conditions should still fully scan the current file */

+            /* The CL_ETIMEOUT "MAX" condition should set exceeds max flag and exit out quietly. */

+            case CL_ETIMEOUT:

+                cli_check_blockmax(ctx, ret);

+                cli_bitset_free(ctx->hook_lsig_matches);

+                ctx->hook_lsig_matches = old_hook_lsig_matches;

+                cli_dbgmsg("Descriptor[%d]: Stopping after cli_scanraw reached %s\n",

+                            fmap_fd(*ctx->fmap), cl_strerror(res));

+                return magic_scandesc_cleanup(ctx, type, hash, hashed_size, cache_clean, CL_CLEAN, parent_property);

+            /* All other "MAX" conditions should still fully scan the current file */

             case CL_EMAXREC:

             case CL_EMAXSIZE:

             case CL_EMAXFILES:

@@ -3820,14 +3827,16 @@ static int magic_scandesc(cli_ctx *ctx, cli_file_t type)

     switch (ret)

     {

-    /* Malformed file cases */

-    case CL_EFORMAT:

-    case CL_EREAD:

-    case CL_EUNPACK:

     /* Limits exceeded */

+    case CL_ETIMEOUT:

     case CL_EMAXREC:

     case CL_EMAXSIZE:

     case CL_EMAXFILES:

+        cli_check_blockmax(ctx, ret);

+    /* Malformed file cases */

+    case CL_EFORMAT:

+    case CL_EREAD:

+    case CL_EUNPACK:

         cli_dbgmsg("Descriptor[%d]: %s\n", fmap_fd(*ctx->fmap), cl_strerror(ret));

 #if HAVE_JSON

         ctx->wrkproperty = parent_property;

@@ -3868,7 +3877,7 @@ static cl_error_t cli_base_scandesc(int desc, const char *filepath, cli_ctx *ctx

         status = CL_ESTAT;

         cli_dbgmsg("cli_magic_scandesc: returning %d %s (no post, no cache)\n", status, __AT__);

-        goto done;  

+        goto done;

     }

     if (sb.st_size <= 5)

     {

@@ -3876,7 +3885,7 @@ static cl_error_t cli_base_scandesc(int desc, const char *filepath, cli_ctx *ctx

         status = CL_CLEAN;

         cli_dbgmsg("cli_magic_scandesc: returning %d %s (no post, no cache)\n", status, __AT__);

-        goto done;  

+        goto done;

     }

     ctx->fmap++;

@@ -3889,7 +3898,7 @@ static cl_error_t cli_base_scandesc(int desc, const char *filepath, cli_ctx *ctx

         status = CL_EMEM;

         cli_dbgmsg("cli_magic_scandesc: returning %d %s (no post, no cache)\n", status, __AT__);

-        goto done;  

+        goto done;

     }

     perf_stop(ctx, PERFT_MAP);

@@ -4144,12 +4153,12 @@ static cl_error_t scan_common(int desc, cl_fmap_t *map, const char * filepath, c

     }

     perf_init(&ctx);

-    if (ctx.options->general & CL_SCAN_GENERAL_COLLECT_METADATA && ctx.engine->time_limit != 0)

+    if (ctx.engine->maxscantime != 0)

     {

         if (gettimeofday(&ctx.time_limit, NULL) == 0)

         {

-            uint32_t secs = ctx.engine->time_limit / 1000;

-            uint32_t usecs = (ctx.engine->time_limit % 1000) * 1000;

+            uint32_t secs = ctx.engine->maxscantime / 1000;

+            uint32_t usecs = (ctx.engine->maxscantime % 1000) * 1000;

             ctx.time_limit.tv_sec += secs;

             ctx.time_limit.tv_usec += usecs;

             if (ctx.time_limit.tv_usec >= 1000000)

@@ -4161,7 +4170,7 @@ static cl_error_t scan_common(int desc, cl_fmap_t *map, const char * filepath, c

         else

         {

             char buf[64];

-            cli_dbgmsg("scan_common; gettimeofday error: %s\n", cli_strerror(errno, buf, 64));

+            cli_dbgmsg("scan_common: gettimeofday error: %s\n", cli_strerror(errno, buf, 64));

         }

     }

@@ -777,6 +777,11 @@ int cli_unzip(cli_ctx *ctx) {

 	      cli_dbgmsg("cli_unzip: Files limit reached (max: %u)\n", ctx->engine->maxfiles);

 	      ret=CL_EMAXFILES;

 	  }

+

+    if (cli_checktimelimit(ctx) != CL_SUCCESS) {

+        cli_dbgmsg("cli_unzip: Time limit reached (max: %u)\n", ctx->engine->maxscantime);

+        ret = CL_ETIMEOUT;

+    }

     /*

      * Detect overlapping files and zip bombs.

      */

@@ -288,13 +288,13 @@ const struct clam_option __clam_options[] = {

     /* Scan options */

     { "Bytecode", "bytecode", 0, CLOPT_TYPE_BOOL, MATCH_BOOL, 1, NULL, 0, OPT_CLAMD | OPT_CLAMSCAN, "With this option enabled ClamAV will load bytecode from the database. It is highly recommended you keep this option on, otherwise you'll miss detections for many new viruses.", "yes" },

-    { "BytecodeSecurity", NULL, 0, CLOPT_TYPE_STRING, "^(TrustSigned|Paranoid)$", -1, "TrustSigned", 0, OPT_CLAMD, 

+    { "BytecodeSecurity", NULL, 0, CLOPT_TYPE_STRING, "^(TrustSigned|Paranoid)$", -1, "TrustSigned", 0, OPT_CLAMD,

 	"Set bytecode security level.\nPossible values:\n\tTrustSigned - trust bytecode loaded from signed .c[lv]d files,\n\t\t insert runtime safety checks for bytecode loaded from other sources\n\tParanoid - don't trust any bytecode, insert runtime checks for all\nRecommended: TrustSigned, because bytecode in .cvd files already has these checks.","TrustSigned"},

-    { "BytecodeTimeout", "bytecode-timeout", 0, CLOPT_TYPE_NUMBER, MATCH_NUMBER, 5000, NULL, 0, OPT_CLAMD | OPT_CLAMSCAN, 

+    { "BytecodeTimeout", "bytecode-timeout", 0, CLOPT_TYPE_NUMBER, MATCH_NUMBER, 5000, NULL, 0, OPT_CLAMD | OPT_CLAMSCAN,

 	"Set bytecode timeout in milliseconds.","5000"},

-    { "BytecodeUnsigned", "bytecode-unsigned", 0, CLOPT_TYPE_BOOL, MATCH_BOOL, 0, NULL, 0, OPT_CLAMD | OPT_CLAMSCAN, 

+    { "BytecodeUnsigned", "bytecode-unsigned", 0, CLOPT_TYPE_BOOL, MATCH_BOOL, 0, NULL, 0, OPT_CLAMD | OPT_CLAMSCAN,

 	"Allow loading bytecode from outside digitally signed .c[lv]d files.","no"},

     { "BytecodeMode", "bytecode-mode", 0, CLOPT_TYPE_STRING, "^(Auto|ForceJIT|ForceInterpreter|Test)$", -1, "Auto", FLAG_REQUIRED, OPT_CLAMD | OPT_CLAMSCAN,

@@ -366,6 +366,8 @@ const struct clam_option __clam_options[] = {

     { "ForceToDisk", "force-to-disk", 0, CLOPT_TYPE_BOOL, MATCH_BOOL, 0, NULL, 0, OPT_CLAMD | OPT_CLAMSCAN, "This option causes memory or nested map scans to dump the content to disk.\nIf you turn on this option, more data is written to disk and is available\nwhen the leave-temps option is enabled at the cost of more disk writes.", "no" },

+    { "MaxScanTime", "max-scantime", 0, CLOPT_TYPE_NUMBER, MATCH_NUMBER, 0, NULL, 0, OPT_CLAMD | OPT_CLAMSCAN, "This option sets the maximum amount of time a scan may take to complete.\nIn this version, this field only affects the scan time of ZIP archives.\nThe value of 0 disables the limit.\nWARNING: disabling this limit or setting it too high may result allow scanning\nof certain files to lock up the scanning process/threads resulting in a Denial of Service.\nThe value is in milliseconds.", "120000"},

+

     { "MaxScanSize", "max-scansize", 0, CLOPT_TYPE_SIZE, MATCH_SIZE, CLI_DEFAULT_MAXSCANSIZE, NULL, 0, OPT_CLAMD | OPT_CLAMSCAN, "This option sets the maximum amount of data to be scanned for each input file.\nArchives and other containers are recursively extracted and scanned up to this\nvalue.\nThe value of 0 disables the limit.\nWARNING: disabling this limit or setting it too high may result in severe\ndamage.", "100M" },

     { "MaxFileSize", "max-filesize", 0, CLOPT_TYPE_SIZE, MATCH_SIZE, CLI_DEFAULT_MAXFILESIZE, NULL, 0, OPT_CLAMD | OPT_MILTER | OPT_CLAMSCAN, "Files/messages larger than this limit won't be scanned. Affects the input\nfile itself as well as files contained inside it (when the input file is\nan archive, a document or some other kind of container).\nThe value of 0 disables the limit.\nWARNING: disabling this limit or setting it too high may result in severe\ndamage to the system.", "25M" },

@@ -391,8 +393,6 @@ const struct clam_option __clam_options[] = {

     { "MaxRecHWP3", "max-rechwp3", 0, CLOPT_TYPE_NUMBER, MATCH_NUMBER, CLI_DEFAULT_MAXRECHWP3, NULL, 0, OPT_CLAMD | OPT_CLAMSCAN, "This option sets the maximum recursive calls to HWP3 parsing function.\nHWP3 files using more than this limit will be terminated and alert the user.\nScans will be unable to scan any HWP3 attachments if the recursive limit is reached.\nNegative values are not allowed.\nWARNING: setting this limit too high may result in severe damage or impact performance.", "16" },

-    { "TimeLimit", "timelimit", 0, CLOPT_TYPE_NUMBER, MATCH_NUMBER, 0, NULL, 0, OPT_CLAMSCAN, "This clamscan option is currently for testing only. It sets the engine parameter CL_ENGINE_TIME_LIMIT. The value is in milliseconds.", "0" },

-

     { "PCREMatchLimit", "pcre-match-limit", 0, CLOPT_TYPE_NUMBER, MATCH_NUMBER, CLI_DEFAULT_PCRE_MATCH_LIMIT, NULL, 0, OPT_CLAMD | OPT_CLAMSCAN, "This option sets the maximum calls to the PCRE match function during an instance of regex matching.\nInstances using more than this limit will be terminated and alert the user but the scan will continue.\nFor more information on match_limit, see the PCRE documentation.\nNegative values are not allowed.\nWARNING: setting this limit too high may severely impact performance.", "100000" },

     { "PCRERecMatchLimit", "pcre-recmatch-limit", 0, CLOPT_TYPE_NUMBER, MATCH_NUMBER, CLI_DEFAULT_PCRE_RECMATCH_LIMIT, NULL, 0, OPT_CLAMD | OPT_CLAMSCAN, "This option sets the maximum recursive calls to the PCRE match function during an instance of regex matching.\nInstances using more than this limit will be terminated and alert the user but the scan will continue.\nFor more information on match_limit_recursion, see the PCRE documentation.\nNegative values are not allowed and values > PCREMatchLimit are superfluous.\nWARNING: setting this limit too high may severely impact performance.", "5000" },

@@ -491,6 +491,7 @@ const struct clam_option __clam_options[] = {

     /* Deprecated options */

+    { "TimeLimit", "timelimit", 0, CLOPT_TYPE_NUMBER, MATCH_NUMBER, 0, NULL, 0, OPT_CLAMSCAN | OPT_DEPRECATED, "Deprecated option to set the max-scantime.\nThe value is in milliseconds.", "120000"},

     { "DetectBrokenExecutables", "detect-broken", 0, CLOPT_TYPE_BOOL, MATCH_BOOL, 0, NULL, 0, OPT_CLAMD | OPT_CLAMSCAN | OPT_DEPRECATED, "Deprecated option to alert on broken PE and ELF executable files.", "no" },

     { "AlgorithmicDetection", "algorithmic-detection", 0, CLOPT_TYPE_BOOL, MATCH_BOOL, 1, NULL, 0, OPT_CLAMD | OPT_CLAMSCAN, "Deprecated option to enable heuristic alerts (e.g. \"Heuristics.<sig name>\")", "no" },

     { "BlockMax", "block-max", 0, CLOPT_TYPE_BOOL, MATCH_BOOL, 0, NULL, 0, OPT_CLAMD | OPT_CLAMSCAN, "", "" },

@@ -1188,39 +1189,39 @@ struct optstruct *optadditem(const char *name, const char *arg, int verbose, int

 	long long numarg, lnumarg;

 	int regflags = REG_EXTENDED | REG_NOSUB;

     const struct clam_option *optentry = NULL;

-    

+

     if(oldopts)

         opts = oldopts;

-    

-    

+

+

     for(i = 0; ; i++) {

         optentry = &clam_options[i];

         if(!optentry->name && !optentry->longopt)

             break;

-        

+

         if(((optentry->owner & toolmask) && ((optentry->owner & toolmask) != OPT_DEPRECATED)) || (ignore && (optentry->owner & ignore))) {

             if(!oldopts && optadd(&opts, &opts_last, optentry->name, optentry->longopt, optentry->strarg, optentry->numarg, optentry->flags, i) < 0) {

                 fprintf(stderr, "ERROR: optparse: Can't register new option (not enough memory)\n");

                 optfree(opts);

                 return NULL;

             }

-            

+

         }

     }

-    

+

     if(MAX(sc, lc) > MAXCMDOPTS) {

 	    fprintf(stderr, "ERROR: optparse: (short|long)opts[] is too small\n");

 	    optfree(opts);

 	    return NULL;

 	}

-    

+

     while(1) {

         if(!name) {

             fprintf(stderr, "ERROR: Problem parsing options (name == NULL)\n");

             err = 1;

             break;

         }

-        

+

         opt = optget_i(opts, name);

         if(!opt) {

             if(verbose)

@@ -1229,13 +1230,13 @@ struct optstruct *optadditem(const char *name, const char *arg, int verbose, int

             break;

         }

         optentry = &clam_options[opt->idx];

-        

+

         if(ignore && (optentry->owner & ignore) && !(optentry->owner & toolmask)) {

             if(verbose)

                 fprintf(stderr, "WARNING: Ignoring unsupported option %s\n", opt->name);

             continue;

         }

-        

+

         if(optentry->owner & OPT_DEPRECATED) {

             if(toolmask & OPT_DEPRECATED) {

                 if(optaddarg(opts, name, "foo", 1) < 0) {

@@ -1249,11 +1250,11 @@ struct optstruct *optadditem(const char *name, const char *arg, int verbose, int

             }

             continue;

         }

-        

+

         if(optentry->regex) {

             if(!(optentry->flags & FLAG_REG_CASE))

                 regflags |= REG_ICASE;

-            

+

             if(cli_regcomp(&regex, optentry->regex, regflags)) {

                 fprintf(stderr, "ERROR: optparse: Can't compile regular expression %s for option %s\n", optentry->regex, name);

                 err = 1;

@@ -1267,15 +1268,15 @@ struct optstruct *optadditem(const char *name, const char *arg, int verbose, int

                 break;

             }

         }

-        

+

         numarg = -1;

         switch(optentry->argtype) {

             case CLOPT_TYPE_STRING:

                 if(!arg)

                     arg = optentry->strarg;

-                

+

                 break;

-                

+

             case CLOPT_TYPE_NUMBER:

                 if (arg)

                     numarg = atoi(arg);

@@ -1283,7 +1284,7 @@ struct optstruct *optadditem(const char *name, const char *arg, int verbose, int

                     numarg = 0;

                 arg = NULL;

                 break;

-                

+

             case CLOPT_TYPE_SIZE:

                 errno = 0;

                 if(arg)

@@ -1311,41 +1312,41 @@ struct optstruct *optadditem(const char *name, const char *arg, int verbose, int

                             err = 1;

                     }

                 }

-                

+

                 arg = NULL;

                 if(err) break;

                 if(errno == ERANGE) {

                     fprintf(stderr, "WARNING: Numerical value for option %s too high, resetting to 4G\n", name);

                     lnumarg = UINT_MAX;

                 }

-