git-svn: trunk@1855
Tomasz Kojm authored on 2006/03/11 00:11:38... | ... |
@@ -1,3 +1,7 @@ |
1 |
+Fri Mar 10 16:08:25 CET 2006 (tk) |
|
2 |
+--------------------------------- |
|
3 |
+ * libclamav/matcher.c: properly handle partial reads in cli_scandesc() |
|
4 |
+ |
|
1 | 5 |
Wed Mar 8 16:05:44 GMT 2006 (njh) |
2 | 6 |
---------------------------------- |
3 | 7 |
* libclamav/pdf.c: Fix potential DoS discovered in Vector Data Adobe |
... | ... |
@@ -277,9 +277,8 @@ int cli_validatesig(unsigned short target, unsigned short ftype, const char *off |
277 | 277 |
int cli_scandesc(int desc, cli_ctx *ctx, unsigned short otfrec, unsigned short ftype, struct cli_matched_type **ftoffset) |
278 | 278 |
{ |
279 | 279 |
char *buffer, *buff, *endbl, *pt; |
280 |
- int bytes, buffsize, length, ret, *gpartcnt, *tpartcnt; |
|
281 |
- int type = CL_CLEAN, i, tid = 0; |
|
282 |
- unsigned int maxpatlen; |
|
280 |
+ int ret, *gpartcnt, *tpartcnt, type = CL_CLEAN, i, tid = 0; |
|
281 |
+ unsigned int bytes, buffersize, length, maxpatlen, shift = 0; |
|
283 | 282 |
unsigned long int *gpartoff, *tpartoff, offset = 0; |
284 | 283 |
MD5_CTX md5ctx; |
285 | 284 |
unsigned char digest[16]; |
... | ... |
@@ -311,9 +310,9 @@ int cli_scandesc(int desc, cli_ctx *ctx, unsigned short otfrec, unsigned short f |
311 | 311 |
maxpatlen = groot->maxpatlen; |
312 | 312 |
|
313 | 313 |
/* prepare the buffer */ |
314 |
- buffsize = maxpatlen + SCANBUFF; |
|
315 |
- if(!(buffer = (char *) cli_calloc(buffsize, sizeof(char)))) { |
|
316 |
- cli_dbgmsg("cli_scandesc(): unable to cli_calloc(%d)\n", buffsize); |
|
314 |
+ buffersize = maxpatlen + SCANBUFF; |
|
315 |
+ if(!(buffer = (char *) cli_calloc(buffersize, sizeof(char)))) { |
|
316 |
+ cli_dbgmsg("cli_scandesc(): unable to cli_calloc(%d)\n", buffersize); |
|
317 | 317 |
return CL_EMEM; |
318 | 318 |
} |
319 | 319 |
|
... | ... |
@@ -361,14 +360,14 @@ int cli_scandesc(int desc, cli_ctx *ctx, unsigned short otfrec, unsigned short f |
361 | 361 |
*/ |
362 | 362 |
|
363 | 363 |
pt = buff; |
364 |
- length = SCANBUFF; |
|
365 |
- while((bytes = cli_readn(desc, buff, SCANBUFF)) > 0) { |
|
364 |
+ while((bytes = cli_readn(desc, buff + shift, SCANBUFF - shift)) > 0) { |
|
366 | 365 |
|
367 | 366 |
if(ctx->scanned) |
368 | 367 |
*ctx->scanned += bytes / CL_COUNT_PRECISION; |
369 | 368 |
|
370 |
- if(bytes < SCANBUFF) |
|
371 |
- length -= SCANBUFF - bytes; |
|
369 |
+ length = shift + bytes; |
|
370 |
+ if(pt == buffer) |
|
371 |
+ length += maxpatlen; |
|
372 | 372 |
|
373 | 373 |
if(troot) { |
374 | 374 |
if(troot->ac_only || (ret = cli_bm_scanbuff(pt, length, ctx->virname, troot, offset, ftype, desc)) != CL_VIRUS) |
... | ... |
@@ -411,20 +410,24 @@ int cli_scandesc(int desc, cli_ctx *ctx, unsigned short otfrec, unsigned short f |
411 | 411 |
type = ret; |
412 | 412 |
} |
413 | 413 |
|
414 |
- if(bytes == SCANBUFF) { |
|
414 |
+ if(ctx->engine->md5_hlist) |
|
415 |
+ MD5_Update(&md5ctx, buff + shift, bytes); |
|
416 |
+ |
|
417 |
+ if(bytes + shift == SCANBUFF) { |
|
415 | 418 |
memmove(buffer, endbl, maxpatlen); |
419 |
+ offset += SCANBUFF; |
|
416 | 420 |
|
417 |
- if(pt == buffer) { |
|
418 |
- offset += SCANBUFF; |
|
419 |
- } else { |
|
420 |
- offset += SCANBUFF - maxpatlen; |
|
421 |
+ if(pt == buff) { |
|
421 | 422 |
pt = buffer; |
422 |
- length = buffsize; |
|
423 |
+ offset -= maxpatlen; |
|
423 | 424 |
} |
425 |
+ |
|
426 |
+ shift = 0; |
|
427 |
+ |
|
428 |
+ } else { |
|
429 |
+ shift += bytes; |
|
424 | 430 |
} |
425 | 431 |
|
426 |
- if(ctx->engine->md5_hlist) |
|
427 |
- MD5_Update(&md5ctx, buff, bytes); |
|
428 | 432 |
} |
429 | 433 |
|
430 | 434 |
free(buffer); |