@@ -1,3 +1,7 @@

+Thu Jan  7 18:22:39 CET 2010 (tk)

+---------------------------------

+ * libclamav: base code for unified container metadata matcher (bb#1579)

+

 Tue Jan  5 12:04:47 CET 2010 (acab)

 -----------------------------------

  * libclamav/readdb.c: force VI anchored sigs into AC

@@ -636,10 +636,7 @@ fileblobScan(const fileblob *fb)

 	fflush(fb->fp);

 	lseek(fb->fd, 0, SEEK_SET);

-	fb->ctx->container_type = CL_TYPE_MAIL;

 	rc = cli_magic_scandesc(fb->fd, fb->ctx);

-	fb->ctx->container_type = 0;

-

 	if(rc == CL_VIRUS) {

 		cli_dbgmsg("%s is infected\n", fb->fullname);

 		return CL_VIRUS;

@@ -53,7 +53,7 @@ static const struct ftmap_s {

     { "CL_TYPE_TEXT_UTF16BE",	CL_TYPE_TEXT_UTF16BE	},

     { "CL_TYPE_BINARY_DATA",	CL_TYPE_BINARY_DATA	},

     { "CL_TYPE_IGNORED",	CL_TYPE_IGNORED		},

-    { "CL_TYPE_ANY",		0			}, /* for ft-sigs */

+    { "CL_TYPE_ANY",		CL_TYPE_ANY		},

     { "CL_TYPE_MSEXE",		CL_TYPE_MSEXE		},

     { "CL_TYPE_ELF",		CL_TYPE_ELF		},

     { "CL_TYPE_MACHO",		CL_TYPE_MACHO		},

@@ -32,6 +32,7 @@

 #define MAX_EMBEDDED_OBJ 10

 typedef enum {

+    CL_TYPE_ANY = 0,

     CL_TYPE_TEXT_ASCII = CL_TYPENO, /* X3.4, ISO-8859, non-ISO ext. ASCII */

     CL_TYPE_TEXT_UTF8,

     CL_TYPE_TEXT_UTF16LE,

@@ -47,6 +47,7 @@

 #include "macho.h"

 #include "fmap.h"

 #include "pe_icons.h"

+#include "regex/regex.h"

 int cli_scanbuff(const unsigned char *buffer, uint32_t length, uint32_t offset, cli_ctx *ctx, cli_file_t ftype, struct cli_ac_data **acdata)

 {

@@ -541,3 +542,52 @@ int cli_fmap_scandesc(cli_ctx *ctx, cli_file_t ftype, uint8_t ftonly, struct cli

     return (acmode & AC_SCAN_FT) ? type : CL_CLEAN;

 }

+

+int cli_matchmeta(cli_ctx *ctx, cli_file_t ftype, const char *fname, size_t fsizec, size_t fsizer, int encrypted, void *res1, void *res2)

+{

+	const struct cli_cdb *cdb;

+

+    if(!(cdb = ctx->engine->cdb))

+	return CL_CLEAN;

+

+    do {

+	if(cdb->ctype != CL_TYPE_ANY && cdb->ctype != ctx->container_type)

+	    continue;

+

+	if(cdb->ftype != CL_TYPE_ANY && cdb->ftype != ftype)

+	    continue;

+

+	if(cdb->encrypted != 2 && cdb->encrypted != encrypted)

+	    continue;

+

+	if(cdb->csize[0] != CLI_OFF_ANY) {

+	    if(cdb->csize[0] == cdb->csize[1] && cdb->csize[0] != ctx->container_size)

+		continue;

+	    else if(cdb->csize[0] != cdb->csize[1] && ((cdb->csize[0] && cdb->csize[0] > ctx->container_size) || (cdb->csize[1] && cdb->csize[1] < ctx->container_size)))

+		continue;

+	}

+

+	if(cdb->fsizec[0] != CLI_OFF_ANY) {

+	    if(cdb->fsizec[0] == cdb->fsizec[1] && cdb->fsizec[0] != fsizec)

+		continue;

+	    else if(cdb->fsizec[0] != cdb->fsizec[1] && ((cdb->fsizec[0] && cdb->fsizec[0] > fsizec) || (cdb->fsizec[1] && cdb->fsizec[1] < fsizec)))

+		continue;

+	}

+

+	if(cdb->fsizer[0] != CLI_OFF_ANY) {

+	    if(cdb->fsizer[0] == cdb->fsizer[1] && cdb->fsizer[0] != fsizer)

+		continue;

+	    else if(cdb->fsizer[0] != cdb->fsizer[1] && ((cdb->fsizer[0] && cdb->fsizer[0] > fsizer) || (cdb->fsizer[1] && cdb->fsizer[1] < fsizer)))

+		continue;

+	}

+

+	if(cdb->name.re_magic && (!fname || cli_regexec(&cdb->name, fname, 0, NULL, 0) == REG_NOMATCH))

+	    continue;

+

+	*ctx->virname = cdb->virname;

+	return CL_VIRUS;

+

+    } while((cdb = cdb->next));

+

+    return CL_CLEAN;

+}

@@ -106,6 +106,24 @@ struct cli_meta_node {

     unsigned int crc32, fileno, encrypted, maxdepth;

 };

+struct cli_cdb

+{

+    char	*virname;   /* virus name */

+    cli_file_t	ctype;	    /* container type */

+    cli_file_t	ftype;	    /* file type */

+    regex_t	name;	    /* filename regex */

+    size_t	csize[2];   /* container size (min, max); if csize[0] != csize[1]

+			     * then value of 0 makes the field ignored

+			     */

+    size_t	fsizec[2];  /* file size in container */

+    size_t	fsizer[2];  /* real file size */

+    int		encrypted;  /* file is encrypted; 2 == ignore */

+    void	*res1;	    /* reserved / format specific */

+    void	*res2;	    /* reserved / format specific */

+

+    struct cli_cdb *next;

+};

+

 struct cli_mtarget {

     cli_file_t target;

     const char *name;

@@ -152,4 +170,6 @@ int cli_caloff(const char *offstr, struct cli_target_info *info, fmap_t *map, un

 int cli_checkfp(int fd, cli_ctx *ctx);

+int cli_matchmeta(cli_ctx *ctx, cli_file_t ftype, const char *fname, size_t fsizec, size_t fsizer, int encrypted, void *res1, void *res2);

+

 #endif

@@ -111,6 +111,7 @@ typedef struct {

     unsigned int scannedfiles;

     unsigned int found_possibly_unwanted;

     cli_file_t container_type; /* FIXME: to be made into a stack or array - see bb#1579 & bb#1293 */

+    size_t container_size;

     struct cli_dconf *dconf;

     fmap_t **fmap;

 } cli_ctx;

@@ -199,6 +200,9 @@ struct cl_engine {

     /* RAR metadata */

     struct cli_meta_node *rar_mlist;

+    /* Container metadata */

+    struct cli_cdb *cdb;

+

     /* Phishing .pdb and .wdb databases*/

     struct regex_matcher *whitelist_matcher;

     struct regex_matcher *domainlist_matcher;

@@ -1869,6 +1869,200 @@ static int cli_loadmd(FILE *fs, struct cl_engine *engine, unsigned int *signo, i

     return CL_SUCCESS;

 }

+/*    0		1	     2		3	       4	       5		 6	     7	      8     9    10     11

+ * VirusName:ContainerType:FileType:FileNameREGEX:ContainerSize:FileSizeInContainer:FileSizeReal:IsEncrypted:Res1:Res2[:MinFL[:MaxFL]]

+ */

+#define CDB_TOKENS 12

+static int cli_loadcdb(FILE *fs, struct cl_engine *engine, unsigned int *signo, unsigned int options, struct cli_dbio *dbio)

+{

+	const char *tokens[MD_TOKENS + 1];

+	char buffer[FILEBUFF], *buffer_cpy;

+	unsigned int line = 0, sigs = 0, tokens_count, n0, n1;

+	int ret = CL_SUCCESS;

+	struct cli_cdb *new;

+

+

+    if(engine->ignored)

+	if(!(buffer_cpy = cli_malloc(FILEBUFF)))

+	    return CL_EMEM;

+

+    while(cli_dbgets(buffer, FILEBUFF, fs, dbio)) {

+	line++;

+	if(buffer[0] == '#')

+	    continue;

+

+	cli_chomp(buffer);

+	if(engine->ignored)

+	    strcpy(buffer_cpy, buffer);

+

+	tokens_count = cli_strtokenize(buffer, ':', CDB_TOKENS + 1, tokens);

+	if(tokens_count > CDB_TOKENS) {

+	    ret = CL_EMALFDB;

+	    break;

+	}

+

+	if(tokens_count > 10) { /* min version */

+	    if(!cli_isnumber(tokens[10])) {

+		ret = CL_EMALFDB;

+		break;

+	    }

+	    if((unsigned int) atoi(tokens[10]) > cl_retflevel()) {

+		cli_dbgmsg("cli_loadcdb: Container signature for %s not loaded (required f-level: %u)\n", tokens[0], atoi(tokens[10]));

+		continue;

+	    }

+	    if(tokens_count == 12) { /* max version */

+		if(!cli_isnumber(tokens[11])) {

+		    ret = CL_EMALFDB;

+		    break;

+		}

+		if((unsigned int) atoi(tokens[11]) < cl_retflevel())

+		    continue;

+	    }

+	}

+

+	new = (struct cli_cdb *) mpool_calloc(engine->mempool, 1, sizeof(struct cli_cdb));

+	if(!new) {

+	    ret = CL_EMEM;

+	    break;

+	}

+

+	new->virname = cli_mpool_virname(engine->mempool, (char *)tokens[0], options & CL_DB_OFFICIAL);

+	if(!new->virname) {

+	    mpool_free(engine->mempool, new);

+	    ret = CL_EMEM;

+	    break;

+	}

+

+	if(engine->ignored && cli_chkign(engine->ignored, new->virname, buffer/*_cpy*/)) {

+	    mpool_free(engine->mempool, new->virname);

+	    mpool_free(engine->mempool, new);

+	    continue;

+	}

+

+	if(!strcmp(tokens[1], "*")) {

+	    new->ctype = CL_TYPE_ANY;

+	} else if((new->ctype = cli_ftcode(tokens[1])) == CL_TYPE_ERROR) {

+	    cli_dbgmsg("cli_cdb: Unknown container type %s in signature for %s, skipping\n", tokens[1], tokens[0]);

+	    mpool_free(engine->mempool, new->virname);

+	    mpool_free(engine->mempool, new);

+	    continue;

+	}

+

+	if(!strcmp(tokens[2], "*")) {

+	    new->ftype = CL_TYPE_ANY;

+	} else if((new->ftype = cli_ftcode(tokens[2])) == CL_TYPE_ERROR) {

+	    cli_dbgmsg("cli_cdb: Unknown file type %s in signature for %s, skipping\n", tokens[2], tokens[0]);

+	    mpool_free(engine->mempool, new->virname);

+	    mpool_free(engine->mempool, new);

+	    continue;

+	}

+

+	if(strcmp(tokens[3], "*") && cli_regcomp(&new->name, tokens[3], REG_EXTENDED | REG_NOSUB)) {

+	    cli_errmsg("cli_cdb: Can't compile regular expression %s in signature for %s\n", tokens[3], tokens[0]);

+	    mpool_free(engine->mempool, new->virname);

+	    mpool_free(engine->mempool, new);

+	    ret = CL_EMEM;

+	    break;

+	}

+

+#define CDBRANGE(token_str, dest)					    \

+	if(strcmp(token_str, "*")) {					    \

+	    if(strchr(token_str, '-')) {				    \

+		if(sscanf(token_str, "%u-%u", &n0, &n1) != 2) {		    \

+		    ret = CL_EMALFDB;					    \

+		} else {						    \

+		    dest[0] = n0;					    \

+		    dest[1] = n1;					    \

+		}							    \

+	    } else {							    \

+		if(!cli_isnumber(token_str))				    \

+		    ret = CL_EMALFDB;					    \

+		else							    \

+		    dest[0] = dest[1] = atoi(token_str);		    \

+	    }								    \

+	    if(ret != CL_SUCCESS) {					    \

+		cli_errmsg("cli_cdb: Invalid value %s in signature for %s\n",\

+		    token_str, tokens[0]);				    \

+		if(new->name.re_magic)					    \

+		    cli_regfree(&new->name);				    \

+		mpool_free(engine->mempool, new->virname);		    \

+		mpool_free(engine->mempool, new);			    \

+		ret = CL_EMEM;						    \

+		break;							    \

+	    }								    \

+	} else {							    \

+	    dest[0] = dest[1] = CLI_OFF_ANY;				    \

+	}

+

+	CDBRANGE(tokens[4], new->csize);

+	CDBRANGE(tokens[5], new->fsizec);

+	CDBRANGE(tokens[6], new->fsizer);

+

+	if(!strcmp(tokens[7], "*")) {

+	    new->encrypted = 2;

+	} else {

+	    if(strcmp(tokens[7], "0") && strcmp(tokens[7], "1")) {

+		cli_errmsg("cli_cdb: Invalid encryption flag value in signature for %s\n", tokens[0]);

+		if(new->name.re_magic)

+		    cli_regfree(&new->name);

+		mpool_free(engine->mempool, new->virname);

+		mpool_free(engine->mempool, new);

+		ret = CL_EMEM;

+		break;

+	    }

+	    new->encrypted = *tokens[7] - 0x30;

+	}

+

+	if(strcmp(tokens[8], "*")) {

+	    new->res1 = cli_mpool_strdup(engine->mempool, tokens[8]);

+	    if(!new->res1) {

+		cli_errmsg("cli_cdb: Can't allocate memory for res1 in signature for %s\n", tokens[0]);

+		if(new->name.re_magic)

+		    cli_regfree(&new->name);

+		mpool_free(engine->mempool, new->virname);

+		mpool_free(engine->mempool, new);

+		ret = CL_EMEM;

+		break;

+	    }

+	}

+

+	if(strcmp(tokens[9], "*")) {

+	    new->res2 = cli_mpool_strdup(engine->mempool, tokens[9]);

+	    if(!new->res2) {

+		cli_errmsg("cli_cdb: Can't allocate memory for res2 in signature for %s\n", tokens[0]);

+		if(new->name.re_magic)

+		    cli_regfree(&new->name);

+		mpool_free(engine->mempool, new->res1);

+		mpool_free(engine->mempool, new->virname);

+		mpool_free(engine->mempool, new);

+		ret = CL_EMEM;

+		break;

+	    }

+	}

+

+	new->next = engine->cdb;

+	engine->cdb = new;

+	sigs++;

+    }

+    if(engine->ignored)

+	free(buffer_cpy);

+

+    if(!line) {

+	cli_errmsg("Empty database file\n");

+	return CL_EMALFDB;

+    }

+

+    if(ret) {

+	cli_errmsg("Problem parsing database at line %u\n", line);

+	return ret;

+    }

+

+    if(signo)

+	*signo += sigs;

+

+    return CL_SUCCESS;

+}

+

 static int cli_loaddbdir(const char *dirname, struct cl_engine *engine, unsigned int *signo, unsigned int options);

 int cli_load(const char *filename, struct cl_engine *engine, unsigned int *signo, unsigned int options, struct cli_dbio *dbio)

@@ -1980,6 +2174,9 @@ int cli_load(const char *filename, struct cl_engine *engine, unsigned int *signo

     } else if(cli_strbcasestr(dbname, ".idb")) {

     	ret = cli_loadidb(fs, engine, signo, options, dbio);

+    } else if(cli_strbcasestr(dbname, ".cdb")) {

+    	ret = cli_loadcdb(fs, engine, signo, options, dbio);

+

     } else {

 	cli_dbgmsg("cli_load: unknown extension - assuming old database format\n");

 	ret = cli_loaddb(fs, engine, signo, options, dbio, dbname);

@@ -2494,6 +2691,17 @@ int cl_engine_free(struct cl_engine *engine)

 	mpool_free(engine->mempool, metah);

     }

+    while(engine->cdb) {

+	struct cli_cdb *pt = engine->cdb;

+	engine->cdb = pt->next;

+	if(pt->name.re_magic)

+	    cli_regfree(&pt->name);

+	mpool_free(engine->mempool, pt->res2);

+	mpool_free(engine->mempool, pt->res1);

+	mpool_free(engine->mempool, pt->virname);

+	mpool_free(engine->mempool, pt);

+    }

+

     if(engine->dconf->bytecode & BYTECODE_ENGINE_MASK) {

 	unsigned i;

 	if (engine->bcs.all_bcs)

@@ -52,6 +52,7 @@

 	cli_strbcasestr(ext, ".cfg")   ||	\

 	cli_strbcasestr(ext, ".cvd")   ||	\

 	cli_strbcasestr(ext, ".cld")   ||	\

+	cli_strbcasestr(ext, ".cdb")   ||	\

 	cli_strbcasestr(ext, ".idb")		\

     )

@@ -978,7 +978,6 @@ static int cli_scanscript(cli_ctx *ctx)

 	unsigned char *buff;

 	unsigned char* normalized;

 	struct text_norm_state state;

-	struct stat sb;

 	char *tmpname = NULL;

 	int ofd = -1, ret;

 	const struct cli_matcher *troot = ctx->engine->root[7];

@@ -1529,9 +1528,7 @@ static int cli_scanmail(int desc, cli_ctx *ctx)

 	return ret;

     }

-    ctx->container_type = CL_TYPE_MAIL;

     ret = cli_scandir(dir, ctx);

-    ctx->container_type = 0;

     if(!ctx->engine->keeptmp)

 	cli_rmdirs(dir);

@@ -1839,7 +1836,8 @@ int cli_magic_scandesc(int desc, cli_ctx *ctx)

 	cli_file_t type, dettype = 0;

 	struct stat sb;

 	uint8_t typercg = 1;

-	cli_file_t current_container = ctx->container_type; /* TODO: container tracking code TBD - bb#1293 */

+	cli_file_t current_container_type = ctx->container_type; /* TODO: container tracking code TBD - bb#1293 */

+	size_t current_container_size = ctx->container_size;

     if(ctx->engine->maxreclevel && ctx->recursion > ctx->engine->maxreclevel) {

         cli_dbgmsg("cli_magic_scandesc: Archive recursion limit exceeded (%u, max: %u)\n", ctx->recursion, ctx->engine->maxreclevel);

@@ -1906,18 +1904,21 @@ int cli_magic_scandesc(int desc, cli_ctx *ctx)

 	lseek(desc, 0, SEEK_SET); /* FIXMEFMAP: remove ? */

     }

-    ctx->container_type = 0;

     ctx->recursion++;

     switch(type) {

 	case CL_TYPE_IGNORED:

 	    break;

 	case CL_TYPE_RAR:

+	    ctx->container_type = CL_TYPE_RAR;

+	    ctx->container_size = sb.st_size;

 	    if(have_rar && SCAN_ARCHIVE && (DCONF_ARCH & ARCH_CONF_RAR))

 		ret = cli_scanrar(desc, ctx, 0, NULL);

 	    break;

 	case CL_TYPE_ZIP:

+	    ctx->container_type = CL_TYPE_ZIP;

+	    ctx->container_size = sb.st_size;

 	    if(SCAN_ARCHIVE && (DCONF_ARCH & ARCH_CONF_ZIP))

 		ret = cli_unzip(ctx);

 	    break;

@@ -1931,17 +1932,24 @@ int cli_magic_scandesc(int desc, cli_ctx *ctx)

 	    if(SCAN_ARCHIVE && (DCONF_ARCH & ARCH_CONF_BZ))

 		ret = cli_scanbzip(desc, ctx);

 	    break;

+

 	case CL_TYPE_ARJ:

+	    ctx->container_type = CL_TYPE_ARJ;

+	    ctx->container_size = sb.st_size;

 	    if(SCAN_ARCHIVE && (DCONF_ARCH & ARCH_CONF_ARJ))

 		ret = cli_scanarj(desc, ctx, 0, NULL);

 	    break;

         case CL_TYPE_NULSFT:

-	  if(SCAN_ARCHIVE && (DCONF_ARCH & ARCH_CONF_NSIS))

+	    ctx->container_type = CL_TYPE_NULSFT;

+	    ctx->container_size = sb.st_size;

+	    if(SCAN_ARCHIVE && (DCONF_ARCH & ARCH_CONF_NSIS))

 		ret = cli_scannulsft(desc, ctx, 0);

 	    break;

         case CL_TYPE_AUTOIT:

+	    ctx->container_type = CL_TYPE_AUTOIT;

+	    ctx->container_size = sb.st_size;

 	    if(SCAN_ARCHIVE && (DCONF_ARCH & ARCH_CONF_AUTOIT))

 		ret = cli_scanautoit(desc, ctx, 23);

 	    break;

@@ -1952,6 +1960,8 @@ int cli_magic_scandesc(int desc, cli_ctx *ctx)

 	    break;

 	case CL_TYPE_MSCAB:

+	    ctx->container_type = CL_TYPE_MSCAB;

+	    ctx->container_size = sb.st_size;

 	    if(SCAN_ARCHIVE && (DCONF_ARCH & ARCH_CONF_CAB))

 		ret = cli_scanmscab(desc, ctx, 0);

 	    break;

@@ -1972,11 +1982,15 @@ int cli_magic_scandesc(int desc, cli_ctx *ctx)

 	    break;

 	case CL_TYPE_RTF:

+	    ctx->container_type = CL_TYPE_RTF;

+	    ctx->container_size = sb.st_size;

 	    if(SCAN_ARCHIVE && (DCONF_DOC & DOC_CONF_RTF))

 		ret = cli_scanrtf(desc, ctx);

 	    break;

 	case CL_TYPE_MAIL:

+	    ctx->container_type = CL_TYPE_MAIL;

+	    ctx->container_size = sb.st_size;

 	    if(SCAN_MAIL && (DCONF_MAIL & MAIL_CONF_MBOX))

 		ret = cli_scanmail(desc, ctx);

 	    break;

@@ -1992,46 +2006,64 @@ int cli_magic_scandesc(int desc, cli_ctx *ctx)

 	    break;

 	case CL_TYPE_MSCHM:

+	    ctx->container_type = CL_TYPE_MSCHM;

+	    ctx->container_size = sb.st_size;

 	    if(SCAN_ARCHIVE && (DCONF_ARCH & ARCH_CONF_CHM))

 		ret = cli_scanmschm(desc, ctx);

 	    break;

 	case CL_TYPE_MSOLE2:

+	    ctx->container_type = CL_TYPE_MSOLE2;

+	    ctx->container_size = sb.st_size;

 	    if(SCAN_OLE2 && (DCONF_ARCH & ARCH_CONF_OLE2))

 		ret = cli_scanole2(ctx);

 	    break;

 	case CL_TYPE_7Z:

+	    ctx->container_type = CL_TYPE_7Z;

+	    ctx->container_size = sb.st_size;

 	    if(SCAN_ARCHIVE && (DCONF_ARCH & ARCH_CONF_7Z))

 		ret = cli_7unz(desc, ctx);

 	    break;

 	case CL_TYPE_POSIX_TAR:

+	    ctx->container_type = CL_TYPE_POSIX_TAR;

+	    ctx->container_size = sb.st_size;

 	    if(SCAN_ARCHIVE && (DCONF_ARCH & ARCH_CONF_TAR))

 		ret = cli_scantar(desc, ctx, 1);

 	    break;

 	case CL_TYPE_OLD_TAR:

+	    ctx->container_type = CL_TYPE_OLD_TAR;

+	    ctx->container_size = sb.st_size;

 	    if(SCAN_ARCHIVE && (DCONF_ARCH & ARCH_CONF_TAR))

 		ret = cli_scantar(desc, ctx, 0);

 	    break;

 	case CL_TYPE_CPIO_OLD:

+	    ctx->container_type = CL_TYPE_CPIO_OLD;

+	    ctx->container_size = sb.st_size;

 	    if(SCAN_ARCHIVE && (DCONF_ARCH & ARCH_CONF_CPIO))

 		ret = cli_scancpio_old(desc, ctx);

 	    break;

 	case CL_TYPE_CPIO_ODC:

+	    ctx->container_type = CL_TYPE_CPIO_ODC;

+	    ctx->container_size = sb.st_size;

 	    if(SCAN_ARCHIVE && (DCONF_ARCH & ARCH_CONF_CPIO))

 		ret = cli_scancpio_odc(desc, ctx);

 	    break;

 	case CL_TYPE_CPIO_NEWC:

+	    ctx->container_type = CL_TYPE_CPIO_NEWC;

+	    ctx->container_size = sb.st_size;

 	    if(SCAN_ARCHIVE && (DCONF_ARCH & ARCH_CONF_CPIO))

 		ret = cli_scancpio_newc(desc, ctx, 0);

 	    break;

 	case CL_TYPE_CPIO_CRC:

+	    ctx->container_type = CL_TYPE_CPIO_CRC;

+	    ctx->container_size = sb.st_size;

 	    if(SCAN_ARCHIVE && (DCONF_ARCH & ARCH_CONF_CPIO))

 		ret = cli_scancpio_newc(desc, ctx, 1);

 	    break;

@@ -2057,6 +2089,8 @@ int cli_magic_scandesc(int desc, cli_ctx *ctx)

 	    break;

         case CL_TYPE_PDF: /* FIXMELIMITS: pdf should be an archive! */

+	    ctx->container_type = CL_TYPE_PDF;

+	    ctx->container_size = sb.st_size;

 	    if(SCAN_PDF && (DCONF_DOC & DOC_CONF_PDF))

 		ret = cli_scanpdf(ctx, 0);

 	    break;

@@ -2082,6 +2116,8 @@ int cli_magic_scandesc(int desc, cli_ctx *ctx)

 	    break;

 	case CL_TYPE_SIS:

+	    ctx->container_type = CL_TYPE_SIS;

+	    ctx->container_size = sb.st_size;

 	    if(SCAN_ARCHIVE && (DCONF_ARCH & ARCH_CONF_SIS))

 		ret = cli_scansis(desc, ctx);

 	    break;

@@ -2103,7 +2139,8 @@ int cli_magic_scandesc(int desc, cli_ctx *ctx)

 	    break;

     }

     ctx->recursion--;

-    ctx->container_type = current_container;

+    ctx->container_type = current_container_type;

+    ctx->container_size = current_container_size;

     if(ret == CL_VIRUS) {

 	ret = cli_checkfp(desc, ctx) ? CL_CLEAN : CL_VIRUS;

@@ -2184,7 +2221,8 @@ int cl_scandesc(int desc, const char **virname, unsigned long int *scanned, cons

     ctx.scanned = scanned;

     ctx.options = scanoptions;

     ctx.found_possibly_unwanted = 0;

-    ctx.container_type = 0;

+    ctx.container_type = CL_TYPE_ANY;

+    ctx.container_size = 0;

     ctx.dconf = (struct cli_dconf *) engine->dconf;

     ctx.fmap = cli_calloc(sizeof(fmap_t *), ctx.engine->maxreclevel + 1);

     if(!ctx.fmap)