git-svn-id: file:///var/lib/svn/clamav-devel/trunk/clamav-devel@628 77e5149b-7576-45b1-b177-96237e5ba77b
Trog authored on 2004/06/23 23:26:32... | ... |
@@ -1,3 +1,7 @@ |
1 |
+Wed Jun 23 15:16:20 BST 2004 (trog) |
|
2 |
+----------------------------------- |
|
3 |
+ * libclamav/ole2_extract.c: fix possible mmap overrun. |
|
4 |
+ |
|
1 | 5 |
Tue Jun 22 18:47:32 CEST 2004 (tk) |
2 | 6 |
---------------------------------- |
3 | 7 |
* clamdscan: support multiple arguments on command line (requested by |
... | ... |
@@ -258,7 +258,7 @@ static void print_ole2_header(ole2_header_t *hdr) |
258 | 258 |
|
259 | 259 |
static int ole2_read_block(int fd, ole2_header_t *hdr, void *buff, int32_t blockno) |
260 | 260 |
{ |
261 |
- off_t offset; |
|
261 |
+ off_t offset, offend; |
|
262 | 262 |
|
263 | 263 |
if (blockno < 0) { |
264 | 264 |
return FALSE; |
... | ... |
@@ -275,7 +275,8 @@ static int ole2_read_block(int fd, ole2_header_t *hdr, void *buff, int32_t block |
275 | 275 |
return FALSE; |
276 | 276 |
} |
277 | 277 |
} else { |
278 |
- if ((offset + (1 << hdr->log2_big_block_size)) > hdr->m_length) { |
|
278 |
+ offend = offset + (1 << hdr->log2_big_block_size); |
|
279 |
+ if ((offend <= 0) || (offend > hdr->m_length)) { |
|
279 | 280 |
return FALSE; |
280 | 281 |
} |
281 | 282 |
memcpy(buff, hdr->m_area+offset, (1 << hdr->log2_big_block_size)); |
... | ... |
@@ -515,7 +516,10 @@ static void ole2_walk_property_tree(int fd, ole2_header_t *hdr, const char *dir, |
515 | 515 |
case 2: /* File */ |
516 | 516 |
if (!handler(fd, hdr, &prop_block[index], dir)) { |
517 | 517 |
cli_dbgmsg("ERROR: handler failed\n"); |
518 |
- return; |
|
518 |
+ /* If we don't return on this error then |
|
519 |
+ we can sometimes pull VBA code |
|
520 |
+ from corrupted files. |
|
521 |
+ */ |
|
519 | 522 |
} |
520 | 523 |
ole2_walk_property_tree(fd, hdr, dir, |
521 | 524 |
prop_block[index].prev, handler, rec_level, file_count+1); |