@@ -1,3 +1,8 @@

+Mon Oct 16 01:52:58 CEST 2006 (tk)

+----------------------------------

+  * libclamav/rebuildpe.c: fix possible heap overflow [IDEF1597]

+  * libclamav/chmunpack.c: fix possible crash [IDEF1736]

+

 Mon Oct 16 01:39:35 CEST 2006 (tk)

 ----------------------------------

   * freshclam: increase default ConnectTimeout to 30 secs

@@ -452,6 +452,11 @@ static int read_chunk_entries(unsigned char *chunk, uint32_t chunk_len,

 		file_e->next = NULL;

 		name_len = read_enc_int(&current, end);

+		if (((current + name_len) > end) || ((current + name_len) < chunk)) {

+			cli_dbgmsg("Bad CHM name_len detected\n");

+			free(file_e);

+			return FALSE;

+		}

 		if (name_len > 0xFFFFFF) {

 			cli_dbgmsg("CHM file name too long: %llu\n", name_len);

 			file_e->name = (unsigned char *) strdup("truncated");

@@ -122,9 +122,16 @@ char *rebuildpe(char *buffer, struct SECTION *sections, int sects, uint32_t base

   char *pefile=NULL, *curpe;

   struct IMAGE_PE_HEADER *fakepe;

+

+  if(sects > 90)

+    return NULL;

+

   for (i=0; i < sects; i++)

       datasize+=sections[i].rsz;

+  if(datasize > CLI_MAX_ALLOCATION)

+    return NULL;

+

   rawbase = 0x148+0x80+0x28*sects;

   if((pefile = (char *) cli_malloc(rawbase+datasize))) {

     memcpy(pefile, HEADERS, 0x148);

@@ -150,6 +150,7 @@ static int jpeg_check_photoshop(int fd)

 {

 	int retval;

 	unsigned char buffer[14];

+	off_t old, new;

 	if (cli_readn(fd, buffer, 14) != 14) {

 		return 0;

@@ -161,7 +162,11 @@ static int jpeg_check_photoshop(int fd)

 	cli_dbgmsg("Found Photoshop segment\n");

 	do {

+		old = lseek(fd, 0, SEEK_CUR);

 		retval = jpeg_check_photoshop_8bim(fd);

+		new = lseek(fd, 0, SEEK_CUR);

+		if(new <= old)

+			break;

 	} while (retval == 0);

 	if (retval == -1) {