@@ -1,3 +1,7 @@

+Tue Jul 10 23:06:14 CEST 2007 (tk)

+----------------------------------

+  * libclamav: improve handling of SFX CAB archives

+

 Tue Jul 10 22:36:35 CEST 2007 (tk)

 ----------------------------------

   * libclamav/ole2_extract.c: faster handling of corrupted files (bb#561)

@@ -636,8 +636,19 @@ int cab_extract(struct cab_file *file, const char *name)

 	    }

 	    if(file->offset > 0) {

 		((struct mszip_stream *) file->state->stream)->wflag = 0;

-		mszip_decompress(file->state->stream, file->offset);

+		ret = mszip_decompress(file->state->stream, file->offset);

 		((struct mszip_stream *) file->state->stream)->wflag = 1;

+		if(ret < 0) {

+		    mszip_free(file->state->stream);

+		    memset(file->state, 0, sizeof(struct cab_state));

+		    file->state->stream = (struct mszip_stream *) mszip_init(file->fd, file->ofd, 4096, 1, file, &cab_read);

+		    if(!file->state->stream) {

+			free(file->state);

+			close(file->ofd);

+			return CL_EMSCAB;

+		    }

+                    lseek(file->fd, file->folder->offset, SEEK_SET);

+		}

 	    }

 	    ret = mszip_decompress(file->state->stream, file->length);

 	    mszip_free(file->state->stream);

@@ -670,8 +681,19 @@ int cab_extract(struct cab_file *file, const char *name)

 	    }

 	    if(file->offset > 0) {

 		((struct lzx_stream *) file->state->stream)->wflag = 0;

-		lzx_decompress(file->state->stream, file->offset);

+		ret = lzx_decompress(file->state->stream, file->offset);

 		((struct lzx_stream *) file->state->stream)->wflag = 1;

+		if(ret < 0) {

+		    lzx_free(file->state->stream);

+		    memset(file->state, 0, sizeof(struct cab_state));

+		    file->state->stream = (struct lzx_stream *) lzx_init(file->fd, file->ofd, (int) (file->folder->cmethod >> 8) & 0x1f, 0, 4096, 0, file, &cab_read);

+		    if(!file->state->stream) {

+			free(file->state);

+			close(file->ofd);

+			return CL_EMSCAB;

+		    }

+                    lseek(file->fd, file->folder->offset, SEEK_SET);

+		}

 	    }

 	    ret = lzx_decompress(file->state->stream, file->length);

 	    lzx_free(file->state->stream);

@@ -271,8 +271,13 @@ static int mszip_make_decode_table(unsigned int nsyms, unsigned int nbits,

         cli_dbgmsg("zip_inflate: out of bits in huffman decode\n");	\

         return INF_ERR_HUFFSYM;                                         \

       }                                                                 \

+      sym = (sym << 1) | ((bit_buffer >> i) & 1);			\

+      if(sym >= MSZIP_##tbl##_TABLESIZE) {				\

+	cli_dbgmsg("zip_inflate: index out of table\n");		\

+        return INF_ERR_HUFFSYM;                                         \

+      }									\

       /* double node index and add 0 (left branch) or 1 (right) */	\

-      sym = zip->tbl##_table[(sym << 1) | ((bit_buffer >> i) & 1)];	\

+      sym = zip->tbl##_table[sym];					\

       /* while we are still in node indicies, not decoded symbols */    \

     } while (sym >= MSZIP_##tbl##_MAXSYMBOLS);                          \

   }                                                                     \

@@ -798,7 +803,11 @@ static int lzx_read_input(struct lzx_stream *lzx) {

       /* double node index and add 0 (left branch) or 1 (right) */      \

       sym <<= 1; sym |= (bit_buffer & i) ? 1 : 0;                       \

       /* hop to next node index / decoded symbol */                     \

-      sym = lzx->tbl##_table[sym];                                      \

+      if(sym >= (1 << LZX_##tbl##_TABLEBITS) + (LZX_##tbl##_MAXSYMBOLS * 2)) { \

+	cli_dbgmsg("lzx: index out of table\n");			\

+	return lzx->error = CL_EFORMAT;					\

+      }									\

+      sym = lzx->tbl##_table[sym];                                    \

       /* while we are still in node indicies, not decoded symbols */    \

     } while (sym >= LZX_##tbl##_MAXSYMBOLS);                            \

   }                                                                     \