git-svn: trunk@3922
Tomasz Kojm authored on 2008/07/09 01:22:31... | ... |
@@ -1,3 +1,12 @@ |
1 |
+Tue Jul 8 17:54:19 CEST 2008 |
|
2 |
+----------------------------- |
|
3 |
+ * libclamav/petite.c: fix another out of bounds memory read (bb#1000) |
|
4 |
+ Reported by Secunia (CVE-2008-2713) |
|
5 |
+ |
|
6 |
+Tue Jul 8 17:54:12 CEST 2008 |
|
7 |
+----------------------------- |
|
8 |
+ * clamd/others.c: add missing checks for recv() failures (bb#1079) |
|
9 |
+ |
|
1 | 10 |
Tue Jul 8 14:06:05 EEST 2008 (edwin) |
2 | 11 |
------------------------------------- |
3 | 12 |
* libclamav/dconf.[ch], htmlnorm.c, jsparse/js-norm.[ch], scanners.c: |
... | ... |
@@ -362,6 +362,8 @@ int readsock(int sockfd, char *buf, size_t size, unsigned char delim, int timeou |
362 | 362 |
break; |
363 | 363 |
} |
364 | 364 |
n = recv(sockfd, buf, size, MSG_PEEK); |
365 |
+ if(n < 0) |
|
366 |
+ return -1; |
|
365 | 367 |
if(read_command) { |
366 | 368 |
if((n >= 1) && (buf[0] == 'n')) { /* Newline delimited command */ |
367 | 369 |
force_delim = 1; |
... | ... |
@@ -408,6 +410,8 @@ int readsock(int sockfd, char *buf, size_t size, unsigned char delim, int timeou |
408 | 408 |
if(n == 0) |
409 | 409 |
break; |
410 | 410 |
} |
411 |
+ if(n < 0) |
|
412 |
+ return -1; |
|
411 | 413 |
n += boff; |
412 | 414 |
if(read_command) { |
413 | 415 |
if((n >= 1) && (buf[0] == 'n')) { /* Need to strip leading 'n' from command to attain standard command */ |
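Review bot: The two added `if(n < 0) return -1;` checks in readsock (after the MSG_PEEK recv() and after the read loop) treat every recv() failure as fatal, including EINTR, so a signal arriving during the call would abort an otherwise healthy command read. If the calling threads can be interrupted by signals, retry instead, e.g. `do { n = recv(sockfd, buf, size, MSG_PEEK); } while(n < 0 && errno == EINTR);`. The checks also only work if `n` has a signed type; its declaration and the rest of readsock are outside these hunks, so that is worth confirming. A short comment such as `/* recv() failed: buf contents are undefined, do not parse */` would record why the early return is there.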
... | ... |
@@ -56,7 +56,7 @@ original version by: Nikos Drakos, CBLU, University of Leeds |
56 | 56 |
<BR> |
57 | 57 |
<BR> |
58 | 58 |
<DIV ALIGN="RIGHT"> |
59 |
-<BR> <BIG CLASS="HUGE">Clam AntiVirus 0.93.1 |
|
59 |
+<BR> <BIG CLASS="HUGE">Clam AntiVirus 0.93.3 |
|
60 | 60 |
<BR> <BIG CLASS="HUGE"><SPAN CLASS="textit">User Manual</SPAN> |
61 | 61 |
<BR> |
62 | 62 |
</BIG></BIG></DIV> |
... | ... |
@@ -211,7 +211,7 @@ original version by: Nikos Drakos, CBLU, University of Leeds |
211 | 211 |
<BR><HR> |
212 | 212 |
<ADDRESS> |
213 | 213 |
Tomasz Kojm |
214 |
-2008-06-04 |
|
214 |
+2008-07-07 |
|
215 | 215 |
</ADDRESS> |
216 | 216 |
</BODY> |
217 | 217 |
</HTML> |
... | ... |
@@ -56,7 +56,7 @@ original version by: Nikos Drakos, CBLU, University of Leeds |
56 | 56 |
<BR> |
57 | 57 |
<BR> |
58 | 58 |
<DIV ALIGN="RIGHT"> |
59 |
-<BR> <BIG CLASS="HUGE">Clam AntiVirus 0.93.1 |
|
59 |
+<BR> <BIG CLASS="HUGE">Clam AntiVirus 0.93.3 |
|
60 | 60 |
<BR> <BIG CLASS="HUGE"><SPAN CLASS="textit">User Manual</SPAN> |
61 | 61 |
<BR> |
62 | 62 |
</BIG></BIG></DIV> |
... | ... |
@@ -211,7 +211,7 @@ original version by: Nikos Drakos, CBLU, University of Leeds |
211 | 211 |
<BR><HR> |
212 | 212 |
<ADDRESS> |
213 | 213 |
Tomasz Kojm |
214 |
-2008-06-04 |
|
214 |
+2008-07-07 |
|
215 | 215 |
</ADDRESS> |
216 | 216 |
</BODY> |
217 | 217 |
</HTML> |
... | ... |
@@ -64,11 +64,11 @@ Mathematics Department, Macquarie University, Sydney. |
64 | 64 |
The command line arguments were: <BR> |
65 | 65 |
<STRONG>latex2html</STRONG> <TT>-local_icons clamdoc.tex</TT> |
66 | 66 |
<P> |
67 |
-The translation was initiated by Tomasz Kojm on 2008-06-04 |
|
67 |
+The translation was initiated by Tomasz Kojm on 2008-07-07 |
|
68 | 68 |
<BR><HR> |
69 | 69 |
<ADDRESS> |
70 | 70 |
Tomasz Kojm |
71 |
-2008-06-04 |
|
71 |
+2008-07-07 |
|
72 | 72 |
</ADDRESS> |
73 | 73 |
</BODY> |
74 | 74 |
</HTML> |
... | ... |
@@ -1286,6 +1286,8 @@ int lzx_decompress(struct lzx_stream *lzx, off_t out_bytes) { |
1286 | 1286 |
} |
1287 | 1287 |
else { |
1288 | 1288 |
runsrc = rundest - match_offset; |
1289 |
+ if(i > (int) lzx->window_size - window_posn) |
|
1290 |
+ i = lzx->window_size - window_posn; |
|
1289 | 1291 |
while (i-- > 0) *rundest++ = *runsrc++; |
1290 | 1292 |
} |
1291 | 1293 |
|
... | ... |
@@ -1900,6 +1902,8 @@ int qtm_decompress(struct qtm_stream *qtm, off_t out_bytes) { |
1900 | 1900 |
} |
1901 | 1901 |
else { |
1902 | 1902 |
runsrc = rundest - match_offset; |
1903 |
+ if(i > (int) qtm->window_size - window_posn) |
|
1904 |
+ i = qtm->window_size - window_posn; |
|
1903 | 1905 |
while (i-- > 0) *rundest++ = *runsrc++; |
1904 | 1906 |
} |
1905 | 1907 |
window_posn += match_length; |
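Review bot: The clamp added before the copy loop in lzx_decompress, and identically in qtm_decompress, silently shortens a match that would run past the window end, but the qtm hunk still executes `window_posn += match_length;` afterwards. If `i` was initialised from match_length, the position can then move past window_size and later iterations would work from an out-of-window offset. A match like that indicates a corrupt or crafted stream, so rejecting it is safer than truncating: `if(i > (int) qtm->window_size - window_posn) return <decoder's data-format error>;` (placeholder, the error constants are not visible here). Only the destination is bounded by this check; whether `runsrc = rundest - match_offset` stays inside the window depends on the branch above the `else`, which is outside both hunks.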
... | ... |
@@ -87,7 +87,7 @@ static pthread_mutex_t cli_ctime_mutex = PTHREAD_MUTEX_INITIALIZER; |
87 | 87 |
#define P_tmpdir "C:\\WINDOWS\\TEMP" |
88 | 88 |
#endif |
89 | 89 |
|
90 |
-#define CL_FLEVEL 32 /* don't touch it */ |
|
90 |
+#define CL_FLEVEL 33 /* don't touch it */ |
|
91 | 91 |
|
92 | 92 |
uint8_t cli_debug_flag = 0, cli_leavetemps_flag = 0; |
93 | 93 |
|
... | ... |
@@ -214,8 +214,14 @@ int petite_inflate2x_1to9(char *buf, uint32_t minrva, uint32_t bufsz, struct cli |
214 | 214 |
/* Let's compact data */ |
215 | 215 |
for (t = 0; t < j ; t++) { |
216 | 216 |
usects[t].raw = (t>0)?(usects[t-1].raw + usects[t-1].rsz):0; |
217 |
- if (usects[t].rsz != 0 && CLI_ISCONTAINED(buf, bufsz, buf + usects[t].raw, usects[t].rsz)) |
|
218 |
- memmove(buf + usects[t].raw, adjbuf + usects[t].rva, usects[t].rsz); |
|
217 |
+ if (usects[t].rsz != 0) |
|
218 |
+ if(CLI_ISCONTAINED(buf, bufsz, buf + usects[t].raw, usects[t].rsz)) { |
|
219 |
+ memmove(buf + usects[t].raw, adjbuf + usects[t].rva, usects[t].rsz); |
|
220 |
+ } else { |
|
221 |
+ cli_dbgmsg("Petite: Skipping section %d, Raw: %x, RSize:%x\n", t, usects[t].raw, usects[t].rsz); |
|
222 |
+ usects[t].raw = t>0 ? usects[t-1].raw : 0; |
|
223 |
+ usects[t].rsz = 0; |
|
224 |
+ } |
|
219 | 225 |
} |
220 | 226 |
|
221 | 227 |
/* Showtime!!! */ |
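Review bot: In the new else branch, `usects[t].raw = t>0 ? usects[t-1].raw : 0;` drops the previous section's size, so on the next iteration `usects[t+1].raw` is computed as `usects[t-1].raw + 0`, and a following section that passes CLI_ISCONTAINED is moved on top of section t-1's data. Keeping the offset already computed at the top of the loop and only setting `usects[t].rsz = 0;` avoids that overlap, unless later code (outside the hunk) relies on the reset value. The containment check also covers only the destination `buf + usects[t].raw`; whether the source range `adjbuf + usects[t].rva` of `rsz` bytes is validated happens, if at all, earlier in petite_inflate2x_1to9 and is worth confirming given that this change targets an out-of-bounds read. The outer `if (usects[t].rsz != 0)` should get its own braces so the binding of the `else` is explicit.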