@@ -1,3 +1,7 @@

+Tue Jul  6 04:22:02 CEST 2004 (tk)

+----------------------------------

+  * libclamav: pe: optimise UPX recognition. Respect archive limits.

+

 Tue Jul  6 01:46:41 CEST 2004 (tk)

 ----------------------------------

   * libclamav: pe, upx: add big-endian support

@@ -258,7 +258,8 @@ int cli_scanbuff(const char *buffer, unsigned int length, const char **virname,

 				if(pt->type) {

 				    if(typerec) {

 					cli_dbgmsg("Matched signature for file type: %s\n", pt->virname);

-					type = pt->type;

+					if(pt->type > type)

+					    type = pt->type;

 				    }

 				} else {

 				    if(virname)

@@ -427,29 +427,6 @@ int cli_scanpe(int desc, const char **virname, long int *scanned, const struct c

     /* UPX support */

-    /* try to detect UPX code */

-

-    if(lseek(desc, ep + 0x78, SEEK_SET) == -1) {

-	cli_dbgmsg("lseek() failed\n");

-	free(section_hdr);

-	return CL_EIO;

-    }

-

-    if(read(desc, buff, 13) != 13) {

-	cli_dbgmsg("UPX: Can't read 13 bytes at 0x%x (%d)\n", ep + 0x78, ep + 0x78);

-    } else {

-	if(cli_memstr(UPX_NRV2B, 24, buff, 13)) {

-	    cli_dbgmsg("UPX: Looks like a NRV2B decompressor\n");

-	    upxfn = upx_inflate2b;

-	} else if(cli_memstr(UPX_NRV2D, 24, buff, 13)) {

-	    cli_dbgmsg("UPX: Looks like a NRV2D decompressor\n");

-	    upxfn = upx_inflate2d;

-	} else if(cli_memstr(UPX_NRV2E, 24, buff, 13)) {

-            cli_dbgmsg("UPX: Looks like a NRV2E decompressor\n");

-	    upxfn = upx_inflate2e;

-	}

-    }

-

     /* try to find the first section with physical size == 0 */

     found = 0;

     for(i = 0; i < nsections - 1; i++) {

@@ -478,6 +455,11 @@ int cli_scanpe(int desc, const char **virname, long int *scanned, const struct c

 	ssize = EC32(section_hdr[i + 1].SizeOfRawData);

 	dsize = EC32(section_hdr[i].VirtualSize) + EC32(section_hdr[i + 1].VirtualSize);

+	if(limits && limits->maxfilesize && (ssize > limits->maxfilesize || dsize > limits->maxfilesize)) {

+	    cli_dbgmsg("UPX: Sizes exceeded (ssize: %d, dsize: %d, max: %lu)\n", ssize, dsize , limits->maxfilesize);

+	    return CL_CLEAN;

+	}

+

 	/* FIXME: use file operations in case of big files */

 	if((src = (char *) cli_malloc(ssize)) == NULL) {

 	    free(section_hdr);

@@ -499,6 +481,30 @@ int cli_scanpe(int desc, const char **virname, long int *scanned, const struct c

 	    return CL_EIO;

 	}

+	/* try to detect UPX code */

+

+	if(lseek(desc, ep + 0x78, SEEK_SET) == -1) {

+	    cli_dbgmsg("lseek() failed\n");

+	    free(section_hdr);

+	    return CL_EIO;

+	}

+

+	if(read(desc, buff, 13) != 13) {

+	    cli_dbgmsg("UPX: Can't read 13 bytes at 0x%x (%d)\n", ep + 0x78, ep + 0x78);

+	    return CL_EIO;

+	} else {

+	    if(cli_memstr(UPX_NRV2B, 24, buff, 13)) {

+		cli_dbgmsg("UPX: Looks like a NRV2B decompression routine\n");

+		upxfn = upx_inflate2b;

+	    } else if(cli_memstr(UPX_NRV2D, 24, buff, 13)) {

+		cli_dbgmsg("UPX: Looks like a NRV2D decompression routine\n");

+		upxfn = upx_inflate2d;

+	    } else if(cli_memstr(UPX_NRV2E, 24, buff, 13)) {

+		cli_dbgmsg("UPX: Looks like a NRV2E decompression routine\n");

+		upxfn = upx_inflate2e;

+	    }

+	}

+

 	if(upxfn) {

 	    if(upxfn(src, ssize, dest, dsize)) {

 		cli_dbgmsg("UPX: Prefered decompressor failed\n");

@@ -75,7 +75,7 @@ extern short cli_leavetemps_flag;

 #define DISABLE_RAR	    (options & CL_DISABLERAR)

 #define DETECT_ENCRYPTED    (options & CL_ENCRYPTED)

-#define MAX_MAIL_RECURSION  10

+#define MAX_MAIL_RECURSION  15

 static int cli_magic_scandesc(int desc, const char **virname, long int *scanned, const struct cl_node *root, const struct cl_limits *limits, int options, int *arec, int *mrec);

@@ -967,7 +967,7 @@ static int cli_scanmail(int desc, const char **virname, long int *scanned, const

 	int ret;

-    cli_dbgmsg("Starting cli_scanmail(), mrec == %d, arec == %d\n", mrec, arec);

+    cli_dbgmsg("Starting cli_scanmail(), mrec == %d, arec == %d\n", *mrec, *arec);

     if((tmpdir = getenv("TMPDIR")) == NULL)

 #ifdef P_tmpdir