git-svn: trunk@2677
Tomasz Kojm authored on 2007/02/08 02:13:38... | ... |
@@ -1,3 +1,8 @@ |
1 |
+Wed Feb 7 18:11:32 CET 2007 (tk) |
|
2 |
+--------------------------------- |
|
3 |
+ * libclamav: fix memory leaks in mew and unrar and use of uninitialized |
|
4 |
+ data in unrar, patch from Edwin |
|
5 |
+ |
|
1 | 6 |
Wed Feb 7 18:02:02 CET 2007 (tk) |
2 | 7 |
--------------------------------- |
3 | 8 |
* libclamav/scanners.c: fix metadata scan (bb#268), patch from Andy Fiddaman |
... | ... |
@@ -868,8 +868,9 @@ int unmew11(int sectnum, char *src, int off, int ssize, int dsize, uint32_t base |
868 | 868 |
if (!cli_rebuildpe(src, section, i, base, entry_point - base, 0, 0, filedesc)) |
869 | 869 |
{ |
870 | 870 |
cli_dbgmsg("MEW: Rebuilding failed\n"); |
871 |
+ free(section); |
|
871 | 872 |
return -1; |
872 | 873 |
} |
873 |
- |
|
874 |
+ free(section); |
|
874 | 875 |
return 1; |
875 | 876 |
} |
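Review bot: The two added `free(section)` calls cover only the exits around `cli_rebuildpe()`, so any earlier `return` in `unmew11` taken after `section` is allocated would still leak. Those paths are outside this hunk and should be checked, since this code runs on untrusted files and a repeated leak adds up to memory exhaustion in a long-running scanner. A single exit would make a missed path harder to introduce: `ret = cli_rebuildpe(src, section, i, base, entry_point - base, 0, 0, filedesc) ? 1 : -1; free(section); return ret;`, keeping the debug message on the failure case.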
... | ... |
@@ -268,9 +268,14 @@ static int cli_scanrar(int desc, cli_ctx *ctx, off_t sfx_offset, uint32_t *sfx_c |
268 | 268 |
break; |
269 | 269 |
ret = cli_unrar_checklimits(ctx, rar_state.metadata_tail, rar_state.file_count); |
270 | 270 |
if(ret && ret != CL_VIRUS) { |
271 |
+ free(rar_state.file_header->filename); |
|
272 |
+ free(rar_state.file_header); |
|
271 | 273 |
ret = CL_CLEAN; |
272 | 274 |
continue; |
273 | 275 |
} else if(ret == CL_VIRUS) { |
276 |
+ /* needed since we didn't reach unrar_extract_next to clean this up*/ |
|
277 |
+ free(rar_state.file_header->filename); |
|
278 |
+ free(rar_state.file_header); |
|
274 | 279 |
break; |
275 | 280 |
} |
276 | 281 |
ret = cli_unrar_extract_next(&rar_state,dir); |
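Review bot: Both new branches in `cli_scanrar` free `rar_state.file_header` and its `filename` but leave the stale pointer in `rar_state`. If the cleanup after the `break`, or a later iteration that fails before the header is replaced, touches it again, that is a double free or use-after-free while scanning an untrusted archive. Adding `rar_state.file_header = NULL;` after each pair of frees makes a repeated `free()` harmless and turns a stray read into an immediate fault. The loop head and the code after the loop are outside the hunk, so whether such a path exists has to be confirmed there. The same goes for whether `file_header` can be NULL when `->filename` is dereferenced.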
... | ... |
@@ -435,7 +435,11 @@ int unp_read_buf(int fd, unpack_data_t *unpack_data) |
435 | 435 |
unpack_data->pack_size -= retval; |
436 | 436 |
} |
437 | 437 |
unpack_data->read_border = unpack_data->read_top - 30; |
438 |
- |
|
438 |
+ if(unpack_data->read_border < unpack_data->in_addr) { |
|
439 |
+ const ssize_t fill = unpack_data->read_top + 30 < MAX_BUF_SIZE ? 30 : MAX_BUF_SIZE - unpack_data->read_top; |
|
440 |
+ if(fill) |
|
441 |
+ memset(unpack_data->in_buf + unpack_data->read_top, 0, fill); |
|
442 |
+ } |
|
439 | 443 |
return (retval!=-1); |
440 | 444 |
} |
441 | 445 |
|
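Review bot: `if(fill)` in `unp_read_buf` also passes when `fill` is negative, which happens if `read_top` ever exceeds `MAX_BUF_SIZE`; the `ssize_t` is then converted to a very large `size_t` length for `memset`. Nothing in the visible lines bounds `read_top`, and the read loop that sets it is above the hunk, so the guard is safer as `if(fill > 0)`. The literal `30` now appears three times in these lines and would read better as a named constant, with a comment saying why the bytes past `read_top` are zeroed.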