@@ -1,3 +1,7 @@

+Mon Nov 14 21:22:26 CET 2011 (acab)

+-----------------------------------

+ * libclamav: add preliminary support for iso9660 image files

+

 Fri Nov  4 00:52:21 CET 2011 (acab)

 -----------------------------------

  * libclamav/pe.c: parse vinfo where varfileinfo occours before stringfileinfo

@@ -370,6 +370,8 @@ libclamav_la_SOURCES = \

 	jpeg.h \

 	png.c \

 	png.h \

+	iso9660.c \

+	iso9660.h \

 	arc4.c \

 	arc4.h

@@ -158,8 +158,8 @@ am__libclamav_la_SOURCES_DIST = clamav.h matcher-ac.c matcher-ac.h \

 	bytecode_api_decl.c bytecode_api.h bytecode_api_impl.h \

 	bytecode_hooks.h cache.c cache.h bytecode_detect.c \

 	bytecode_detect.h builtin_bytecodes.h events.c events.h swf.c \

-	swf.h jpeg.c jpeg.h png.c png.h arc4.c arc4.h bignum.c \

-	bignum_class.h

+	swf.h jpeg.c jpeg.h png.c png.h iso9660.c iso9660.h arc4.c \

+	arc4.h bignum.c bignum_class.h

 @LINK_TOMMATH_FALSE@am__objects_1 = libclamav_la-bignum.lo

 am_libclamav_la_OBJECTS = libclamav_la-matcher-ac.lo \

 	libclamav_la-matcher-bm.lo libclamav_la-matcher-hash.lo \

@@ -212,7 +212,7 @@ am_libclamav_la_OBJECTS = libclamav_la-matcher-ac.lo \

 	libclamav_la-bytecode_api_decl.lo libclamav_la-cache.lo \

 	libclamav_la-bytecode_detect.lo libclamav_la-events.lo \

 	libclamav_la-swf.lo libclamav_la-jpeg.lo libclamav_la-png.lo \

-	libclamav_la-arc4.lo $(am__objects_1)

+	libclamav_la-iso9660.lo libclamav_la-arc4.lo $(am__objects_1)

 libclamav_la_OBJECTS = $(am_libclamav_la_OBJECTS)

 AM_V_lt = $(am__v_lt_$(V))

 am__v_lt_ = $(am__v_lt_$(AM_DEFAULT_VERBOSITY))

@@ -671,7 +671,8 @@ libclamav_la_SOURCES = clamav.h matcher-ac.c matcher-ac.h matcher-bm.c \

 	bytecode_api_decl.c bytecode_api.h bytecode_api_impl.h \

 	bytecode_hooks.h cache.c cache.h bytecode_detect.c \

 	bytecode_detect.h builtin_bytecodes.h events.c events.h swf.c \

-	swf.h jpeg.c jpeg.h png.c png.h arc4.c arc4.h $(am__append_7)

+	swf.h jpeg.c jpeg.h png.c png.h iso9660.c iso9660.h arc4.c \

+	arc4.h $(am__append_7)

 noinst_LTLIBRARIES = libclamav_internal_utils.la libclamav_internal_utils_nothreads.la libclamav_nocxx.la

 COMMON_CLEANFILES = version.h version.h.tmp *.gcda *.gcno

 @MAINTAINER_MODE_TRUE@BUILT_SOURCES = jsparse/generated/operators.h jsparse/generated/keywords.h jsparse-keywords.gperf

@@ -840,6 +841,7 @@ distclean-compile:

 @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/libclamav_la-inflate64.Plo@am__quote@

 @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/libclamav_la-is_tar.Plo@am__quote@

 @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/libclamav_la-ishield.Plo@am__quote@

+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/libclamav_la-iso9660.Plo@am__quote@

 @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/libclamav_la-jpeg.Plo@am__quote@

 @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/libclamav_la-js-norm.Plo@am__quote@

 @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/libclamav_la-line.Plo@am__quote@

@@ -1763,6 +1765,14 @@ libclamav_la-png.lo: png.c

 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@

 @am__fastdepCC_FALSE@	$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(libclamav_la_CFLAGS) $(CFLAGS) -c -o libclamav_la-png.lo `test -f 'png.c' || echo '$(srcdir)/'`png.c

+libclamav_la-iso9660.lo: iso9660.c

+@am__fastdepCC_TRUE@	$(AM_V_CC)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(libclamav_la_CFLAGS) $(CFLAGS) -MT libclamav_la-iso9660.lo -MD -MP -MF $(DEPDIR)/libclamav_la-iso9660.Tpo -c -o libclamav_la-iso9660.lo `test -f 'iso9660.c' || echo '$(srcdir)/'`iso9660.c

+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/libclamav_la-iso9660.Tpo $(DEPDIR)/libclamav_la-iso9660.Plo

+@am__fastdepCC_FALSE@	$(AM_V_CC) @AM_BACKSLASH@

+@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='iso9660.c' object='libclamav_la-iso9660.lo' libtool=yes @AMDEPBACKSLASH@

+@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@

+@am__fastdepCC_FALSE@	$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(libclamav_la_CFLAGS) $(CFLAGS) -c -o libclamav_la-iso9660.lo `test -f 'iso9660.c' || echo '$(srcdir)/'`iso9660.c

+

 libclamav_la-arc4.lo: arc4.c

 @am__fastdepCC_TRUE@	$(AM_V_CC)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(libclamav_la_CFLAGS) $(CFLAGS) -MT libclamav_la-arc4.lo -MD -MP -MF $(DEPDIR)/libclamav_la-arc4.Tpo -c -o libclamav_la-arc4.lo `test -f 'arc4.c' || echo '$(srcdir)/'`arc4.c

 @am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/libclamav_la-arc4.Tpo $(DEPDIR)/libclamav_la-arc4.Plo

@@ -92,6 +92,7 @@ static struct dconf_module modules[] = {

     { "ARCHIVE",    "AUTOIT",	    ARCH_CONF_AUTOIT,	    1 },

     { "ARCHIVE",    "ISHIELD",	    ARCH_CONF_ISHIELD,	    1 },

     { "ARCHIVE",    "7zip",	    ARCH_CONF_7Z,	    1 },

+    { "ARCHIVE",    "ISO9660",	    ARCH_CONF_ISO9660,	    1 },

     { "DOCUMENT",   "HTML",	    DOC_CONF_HTML,	    1 },

     { "DOCUMENT",   "RTF",	    DOC_CONF_RTF,	    1 },

@@ -78,6 +78,7 @@ struct cli_dconf {

 #define ARCH_CONF_CPIO	    0x4000

 #define ARCH_CONF_ISHIELD   0x8000

 #define ARCH_CONF_7Z        0x10000

+#define ARCH_CONF_ISO9660   0x20000

 /* Document flags */

 #define DOC_CONF_HTML		0x1

@@ -97,6 +97,7 @@ static const struct ftmap_s {

     { "CL_TYPE_ISHIELD_MSI",	CL_TYPE_ISHIELD_MSI	},

     { "CL_TYPE_7Z",		CL_TYPE_7Z		},

     { "CL_TYPE_SWF",		CL_TYPE_SWF		},

+    { "CL_TYPE_ISO9660",	CL_TYPE_ISO9660		},

     { NULL,			CL_TYPE_IGNORED		}

 };

@@ -85,6 +85,7 @@ typedef enum {

     CL_TYPE_NULSFT, /* on the fly */

     CL_TYPE_AUTOIT,

     CL_TYPE_ISHIELD_MSI,

+    CL_TYPE_ISO9660,

     CL_TYPE_IGNORED /* please don't add anything below */

 } cli_file_t;

@@ -165,6 +165,7 @@ static const char *ftypes_int[] = {

   "0:0:53514c69746520666f726d6174203300:SQLite database:CL_TYPE_ANY:CL_TYPE_IGNORED",

   "0:0:d9d505f920a163d7:SQLite journal:CL_TYPE_ANY:CL_TYPE_IGNORED",

   "0:0:ffd9ffd8:JPEG (bad header):CL_TYPE_ANY:CL_TYPE_GRAPHICS:70",

+  "1:*:014344303031{2043-2443}4344303031:ISO9660:CL_TYPE_ANY:CL_TYPE_ISO9660:71",

   NULL

 };

new file mode 100644

@@ -0,0 +1,319 @@

+/*

+ *  Copyright (C) 2011 Sourcefire, Inc.

+ *

+ *  Authors: aCaB <acab@clamav.net>

+ *

+ *  This program is free software; you can redistribute it and/or modify

+ *  it under the terms of the GNU General Public License version 2 as

+ *  published by the Free Software Foundation.

+ *

+ *  This program is distributed in the hope that it will be useful,

+ *  but WITHOUT ANY WARRANTY; without even the implied warranty of

+ *  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the

+ *  GNU General Public License for more details.

+ *

+ *  You should have received a copy of the GNU General Public License

+ *  along with this program; if not, write to the Free Software

+ *  Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston,

+ *  MA 02110-1301, USA.

+ */

+

+#include <string.h>

+#include "scanners.h"

+#include "iso9660.h"

+#include "fmap.h"

+#include "str.h"

+#include "hashtab.h"

+

+typedef struct {

+    cli_ctx *ctx;

+    size_t base_offset;

+    unsigned int blocksz;

+    unsigned int sectsz;

+    unsigned int fileno;

+    unsigned int joliet;

+    char buf[260];

+    struct cli_hashset dir_blocks;

+} iso9660_t;

+

+

+static void *needblock(const iso9660_t *iso, unsigned int block, int temp) {

+    cli_ctx *ctx = iso->ctx;

+    size_t loff;

+    unsigned int blocks_per_sect = (2048 / iso->blocksz);

+    if(block > (((*ctx->fmap)->len - iso->base_offset) / iso->sectsz) * blocks_per_sect)

+	return NULL; /* Block is out of file */

+    loff = (block / blocks_per_sect) * iso->sectsz;   /* logical sector */

+    loff += (block % blocks_per_sect) * iso->blocksz; /* logical block within the secotor */

+    if(temp)

+	return fmap_need_off_once(*ctx->fmap, iso->base_offset + loff, iso->blocksz);

+    return fmap_need_off(*ctx->fmap, iso->base_offset + loff, iso->blocksz);

+}

+

+

+static int iso_scan_file(const iso9660_t *iso, unsigned int block, unsigned int len) {

+    char *tmpf;

+    int fd, ret;

+    if(cli_gentempfd(NULL, &tmpf, &fd) != CL_SUCCESS)

+	return CL_ETMPFILE;

+

+    cli_dbgmsg("iso_scan_file: dumping to %s\n", tmpf);

+    while(len) {

+	void *buf = needblock(iso, block, 1);

+	if(cli_writen(fd, buf, iso->blocksz) != iso->blocksz) {

+	    close(fd);

+	    ret = cli_unlink(tmpf);

+	    free(tmpf);

+	    if(ret)

+		return CL_EUNLINK;

+	    return CL_EWRITE;

+	}

+	len -= MIN(len, iso->blocksz);

+	block++;

+    }

+

+    ret = cli_magic_scandesc(fd, iso->ctx);

+

+    close(fd);

+

+    if(!iso->ctx->engine->keeptmp) {

+	if(cli_unlink(tmpf)) {

+	    free(tmpf);

+	    return CL_EUNLINK;

+	}

+    }

+

+    free(tmpf);

+    return ret;

+}

+

+static char *iso_string(iso9660_t *iso, void *src, unsigned int len) {

+    if(iso->joliet) {

+	char *utf8;

+	if(len > sizeof(iso->buf))

+	    len = sizeof(iso->buf) - 2;

+	memcpy(iso->buf, src, len);

+	iso->buf[len] = '\0';

+	iso->buf[len+1] = '\0';

+	utf8 = cli_utf16_to_utf8(iso->buf, len, UTF16_BE);

+	if(!utf8)

+	    utf8 = "";

+	strncpy(iso->buf, utf8, sizeof(iso->buf));

+	iso->buf[sizeof(iso->buf)-1] = '\0';

+	free(utf8);

+    } else {

+	memcpy(iso->buf, src, len);

+	iso->buf[len] = '\0';

+    }

+    return iso->buf;

+}

+

+

+static int iso_parse_dir(iso9660_t *iso, unsigned int block, unsigned int len) {

+    cli_ctx *ctx = iso->ctx;

+    int ret = CL_CLEAN;

+

+    if(len < 34) {

+	cli_dbgmsg("iso_parse_dir: Directory too small, skipping\n");

+	return CL_CLEAN;

+    }

+

+    for(; len && ret == CL_CLEAN; block++, len -= MIN(len, iso->blocksz)) {

+	uint8_t *dir, *dir_orig;

+	unsigned int dirsz;

+

+	if(iso->dir_blocks.count > 1024) {

+	    cli_dbgmsg("iso_parse_dir: Breaking out due to too many dir records\n");

+	    return CL_BREAK;

+	}

+

+	if(cli_hashset_contains(&iso->dir_blocks, block))

+	    continue;

+

+	if((ret = cli_hashset_addkey(&iso->dir_blocks, block)) != CL_CLEAN)

+	    return ret;

+

+	dir = dir_orig = needblock(iso, block, 0);

+	if(!dir)

+	    return CL_CLEAN;

+

+	for(dirsz = MIN(iso->blocksz, len);;) {

+	    unsigned int entrysz = *dir, fileoff, filesz;

+	    char *sep;

+

+	    if(!dirsz || !entrysz) /* continuing on next block, if any */

+		break;

+	    if(entrysz > dirsz) { /* record size overlaps onto the next sector, no point in looking in there */

+		cli_dbgmsg("iso_parse_dir: Directory entry overflow, breaking out %u %u\n", entrysz, dirsz);

+		len = 0;

+		break;

+	    }

+	    if(entrysz < 34) { /* this shouldn't happen really*/

+		cli_dbgmsg("iso_parse_dir: Too short directory entry, attempting to skip\n");

+		dirsz -= entrysz;

+		dir += entrysz;

+		continue;

+	    }

+	    filesz = dir[32];

+	    if(filesz == 1 && (dir[33] == 0 || dir[33] == 1)) { /* skip "." and ".." */

+		dirsz -= entrysz;

+		dir += entrysz;

+		continue;

+	    }

+

+	    if(filesz + 33 > dirsz) {

+		cli_dbgmsg("iso_parse_dir: Directory entry name overflow, clamping\n");

+		filesz = dirsz - 33;

+	    }

+	    iso_string(iso, &dir[33], filesz);

+	    sep = memchr(iso->buf, ';', filesz);

+	    if(sep)

+		*sep = '\0';

+	    else

+		iso->buf[filesz] = '\0';

+	    fileoff = cli_readint32(dir+2);

+	    fileoff += dir[1];

+	    filesz = cli_readint32(dir+10);

+

+	    cli_dbgmsg("iso_parse_dir: %s '%s': off %x - size %x - flags %x - unit size %x - gap size %x - volume %u\n", (dir[25] & 2) ? "Directory" : "File", iso->buf, fileoff, filesz, dir[25], dir[26], dir[27], cli_readint32(&dir[28]) & 0xffff);

+	    if(cli_matchmeta(ctx, iso->buf, filesz, filesz, 0, 0, 0, NULL) == CL_VIRUS) {

+		ret = CL_VIRUS;

+		break;

+	    }

+

+	    if(dir[26] || dir[27])

+		cli_dbgmsg("iso_parse_dir: Skipping interleaved file\n");

+	    else  {

+		/* TODO Handle multi-extent ? */

+		if(dir[25] & 2) {

+		    ret = iso_parse_dir(iso, fileoff, filesz);

+		} else {

+		    if(cli_checklimits("ISO9660", ctx, filesz, 0, 0) != CL_SUCCESS)

+			cli_dbgmsg("iso_parse_dir: Skipping overlimit file\n");

+		    else

+			ret = iso_scan_file(iso, fileoff, filesz);

+		}

+	    }

+	    dirsz -= entrysz;

+	    dir += entrysz;

+	}

+

+	fmap_unneed_ptr(*ctx->fmap, dir_orig, iso->blocksz);

+    }

+    return ret;

+}

+

+int cli_scaniso(cli_ctx *ctx, size_t offset) {

+    uint8_t *privol, *next;

+    iso9660_t iso;

+    int i;

+

+    if(offset < 32768)

+	return CL_CLEAN; /* Need 16 sectors at least 2048 bytes long */

+

+    privol = fmap_need_off(*ctx->fmap, offset, 2448 + 6);

+    if(!privol)

+	return CL_CLEAN;

+

+    next = (uint8_t *)cli_memstr((char *)privol + 2049, 2448 + 6 - 2049, "CD001", 5);

+    if(!next)

+	return CL_CLEAN; /* Find next volume descriptor */

+

+    iso.sectsz = (next - privol) - 1;

+    if(iso.sectsz * 16 > offset)

+	return CL_CLEAN; /* Need room for 16 system sectors */

+

+    iso.blocksz = cli_readint32(privol+128) & 0xffff;

+    if(iso.blocksz != 512 && iso.blocksz != 1024 && iso.blocksz != 2048)

+	return CL_CLEAN; /* Likely not a cdrom image */

+

+    iso.base_offset = offset - iso.sectsz * 16;

+    iso.joliet = 0;

+

+    for(i=16; i<32 ;i++) { /* scan for a joliet secondary volume descriptor */

+	next = fmap_need_off_once(*ctx->fmap, iso.base_offset + i * iso.sectsz, 2048);

+	if(!next)

+	    break; /* Out of disk */

+	if(*next == 0xff || memcmp(next+1, "CD001", 5))

+	    break; /* Not a volume descriptor */

+	if(*next != 2)

+	    continue; /* Not a secondary volume descriptor */

+	if(next[88] != 0x25 || next[89] != 0x2f)

+	    continue; /* Not a joliet descriptor */

+	if(next[156+26] || next[156+27])

+	    continue; /* Root is interleaved so we fallback to the primary descriptor */

+	switch(next[90]) {

+	case 0x40: /* Level 1 */

+	    iso.joliet = 1;

+	    break;

+	case 0x43: /* Level 2 */

+	    iso.joliet = 2;

+	    break;

+	case 0x45: /* Level 3 */

+	    iso.joliet = 3;

+	    break;

+	default: /* Not Joliet */

+	    continue;

+	}

+	break;

+    }

+

+    /* TODO rr, el torito, udf ? */

+

+    /* NOTE: freeing sector now. it is still safe to access as we don't alloc anymore */

+    fmap_unneed_off(*ctx->fmap, offset, 2448);

+    if(iso.joliet)

+	privol = next;

+

+    cli_dbgmsg("in cli_scaniso\n");

+    if(cli_debug_flag) {

+	cli_dbgmsg("cli_scaniso: Raw sector size: %u\n", iso.sectsz);

+	cli_dbgmsg("cli_scaniso: Block size: %u\n", iso.blocksz);

+

+	cli_dbgmsg("cli_scaniso: Volume descriptor version: %u\n", privol[6]);

+

+#define ISOSTRING(src, len) iso_string(&iso, (src), (len))

+	cli_dbgmsg("cli_scaniso: System: %s\n", ISOSTRING(privol + 8, 32));

+	cli_dbgmsg("cli_scaniso: Volume: %s\n", ISOSTRING(privol + 40, 32));

+

+	cli_dbgmsg("cli_scaniso: Volume space size: 0x%x blocks\n", cli_readint32(&privol[80]));

+	cli_dbgmsg("cli_scaniso: Volume %u of %u\n", cli_readint32(privol+124) & 0xffff, cli_readint32(privol+120) & 0xffff);

+

+	cli_dbgmsg("cli_scaniso: Volume Set: %s\n", ISOSTRING(privol + 190, 128));

+	cli_dbgmsg("cli_scaniso: Publisher: %s\n", ISOSTRING(privol + 318, 128));

+	cli_dbgmsg("cli_scaniso: Data Preparer: %s\n", ISOSTRING(privol + 446, 128));

+	cli_dbgmsg("cli_scaniso: Application: %s\n", ISOSTRING(privol + 574, 128));

+

+#define ISOTIME(s,n) cli_dbgmsg("cli_scaniso: "s": %c%c%c%c-%c%c-%c%c %c%c:%c%c:%c%c\n", privol[n],privol[n+1],privol[n+2],privol[n+3], privol[n+4],privol[n+5], privol[n+6],privol[n+7], privol[n+8],privol[n+9], privol[n+10],privol[n+11], privol[n+12],privol[n+13])

+	ISOTIME("Volume creation time",813);

+	ISOTIME("Volume modification time",830);

+	ISOTIME("Volume expiration time",847);

+	ISOTIME("Volume effective time",864);

+

+	cli_dbgmsg("cli_scaniso: Path table size: 0x%x\n", cli_readint32(privol+132) & 0xffff);

+	cli_dbgmsg("cli_scaniso: LSB Path Table: 0x%x\n", cli_readint32(privol+140));

+	cli_dbgmsg("cli_scaniso: Opt LSB Path Table: 0x%x\n", cli_readint32(privol+144));

+	cli_dbgmsg("cli_scaniso: MSB Path Table: 0x%x\n", cbswap32(cli_readint32(privol+148)));

+	cli_dbgmsg("cli_scaniso: Opt MSB Path Table: 0x%x\n", cbswap32(cli_readint32(privol+152)));

+	cli_dbgmsg("cli_scaniso: File Structure Version: %u\n", privol[881]);

+

+	if(iso.joliet)

+	    cli_dbgmsg("cli_scaniso: Joliet level %u\n", iso.joliet);

+    }

+

+    if(privol[156+26] || privol[156+27]) {

+	cli_dbgmsg("cli_scaniso: Interleaved root directory is not supported\n");

+	return CL_CLEAN;

+    }

+

+    iso.ctx = ctx;

+    i = cli_hashset_init(&iso.dir_blocks, 1024, 80);

+    if(i != CL_SUCCESS)

+	return i;

+    i = iso_parse_dir(&iso, cli_readint32(privol+156+2) + privol[156+1], cli_readint32(privol+156+10));

+    cli_hashset_destroy(&iso.dir_blocks);

+    if(i == CL_BREAK)

+	return CL_CLEAN;

+    return i;

+}

+

new file mode 100644

@@ -0,0 +1,28 @@

+/*

+ *  Copyright (C) 2011 Sourcefire, Inc.

+ *

+ *  Authors: aCaB <acab@clamav.net>

+ *

+ *  This program is free software; you can redistribute it and/or modify

+ *  it under the terms of the GNU General Public License version 2 as

+ *  published by the Free Software Foundation.

+ *

+ *  This program is distributed in the hope that it will be useful,

+ *  but WITHOUT ANY WARRANTY; without even the implied warranty of

+ *  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the

+ *  GNU General Public License for more details.

+ *

+ *  You should have received a copy of the GNU General Public License

+ *  along with this program; if not, write to the Free Software

+ *  Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston,

+ *  MA 02110-1301, USA.

+ */

+

+#ifndef __ISO9660_H

+#define __ISO9660_H

+

+#include "others.h"

+

+int cli_scaniso(cli_ctx *ctx, size_t offset);

+

+#endif

@@ -54,7 +54,7 @@

  * in re-enabling affected modules.

  */

-#define CL_FLEVEL 70

+#define CL_FLEVEL 71

 #define CL_FLEVEL_DCONF	CL_FLEVEL

 #define CL_FLEVEL_SIGTOOL CL_FLEVEL

@@ -93,6 +93,7 @@

 #include "swf.h"

 #include "jpeg.h"

 #include "png.h"

+#include "iso9660.h"

 #ifdef HAVE_BZLIB_H

 #include <bzlib.h>

@@ -1879,7 +1880,7 @@ static int cli_scanraw(cli_ctx *ctx, cli_file_t type, uint8_t typercg, cli_file_

 {

 	int ret = CL_CLEAN, nret = CL_CLEAN;

 	struct cli_matched_type *ftoffset = NULL, *fpt;

-	uint32_t lastzip, lastrar;

+	uint32_t lastrar;

 	struct cli_exe_info peinfo;

 	unsigned int acmode = AC_SCAN_VIR, break_loop = 0;

 	fmap_t *map = *ctx->fmap;

@@ -1901,7 +1902,7 @@ static int cli_scanraw(cli_ctx *ctx, cli_file_t type, uint8_t typercg, cli_file_

 	perf_nested_start(ctx, PERFT_RAWTYPENO, PERFT_SCAN);

 	ctx->recursion++;

 	if(nret != CL_VIRUS) {

-	    lastzip = lastrar = 0xdeadbeef;

+	    lastrar = 0xdeadbeef;

 	    fpt = ftoffset;

 	    while(fpt) {

 		if(fpt->offset) switch(fpt->type) {

@@ -1940,6 +1941,15 @@ static int cli_scanraw(cli_ctx *ctx, cli_file_t type, uint8_t typercg, cli_file_

 			}

 			break;

+		    case CL_TYPE_ISO9660:

+			if(SCAN_ARCHIVE && (DCONF_ARCH & ARCH_CONF_ISO9660)) {

+			    ctx->container_type = CL_TYPE_ISO9660;

+			    ctx->container_size = map->len - fpt->offset; /* not precise */

+			    cli_dbgmsg("ISO9660 signature found at %u\n", (unsigned int) fpt->offset);

+			    nret = cli_scaniso(ctx, fpt->offset);

+			}

+			break;

+

 		    case CL_TYPE_NULSFT:

 		        if(SCAN_ARCHIVE && type == CL_TYPE_MSEXE && (DCONF_ARCH & ARCH_CONF_NSIS) && fpt->offset > 4) {

 			    ctx->container_type = CL_TYPE_NULSFT;

@@ -592,3 +592,73 @@ int cli_hexnibbles(char *str, int len)

     }

     return 0;

 }

+

+char *cli_utf16_to_utf8(const char *utf16, size_t length, utf16_type type)

+{

+    /* utf8 -

+     * 4 bytes for utf16 high+low surrogate (4 bytes input)

+     * 3 bytes for utf16 otherwise (2 bytes input) */

+    size_t i, j;

+    size_t needed = length * 3/2 + 2;

+    char *s2;

+

+    if (length < 2)

+	return cli_strdup("");

+    if (length % 2) {

+	cli_warnmsg("utf16 length is not multiple of two: %lu\n", (long)length);

+	length--;

+    }

+

+    s2 = cli_malloc(needed);

+    if (!s2)

+	return NULL;

+

+    i = 0;

+

+    if((utf16[0] == '\xff' && utf16[1] == '\xfe') || (utf16[0] == '\xfe' && utf16[1] == '\xff')) {

+	i += 2;

+	if(type == UTF16_BOM)

+	    type = (utf16[0] == '\xff') ? UTF16_LE : UTF16_BE;

+    } else if(type == UTF16_BOM)

+	type = UTF16_BE;

+

+    for (j=0;i<length && j<needed;i += 2) {

+	uint16_t c = cli_readint16(&utf16[i]);

+	if(type == UTF16_BE)

+	    c = cbswap16(c);

+	if (c < 0x80) {

+	    s2[j++] = c;

+	} else if (c < 0x800) {

+	    s2[j] = 0xc0 | (c >>6);

+	    s2[j+1] = 0x80 | (c&0x3f);

+	    j += 2;

+	} else if (c < 0xd800 || c >= 0xe000) {

+	    s2[j] = 0xe0 | (c >> 12);

+	    s2[j+1] = 0x80 | ((c >> 6) & 0x3f);

+	    s2[j+2] = 0x80 | (c & 0x3f);

+	    j += 3;

+	} else if (c < 0xdc00 && i+3 < length) {

+	    uint16_t c2;

+	    /* UTF16 high+low surrogate */

+	    c = c - 0xd800 + 0x40;

+	    c2 = i+3 < length ? cli_readint16(&utf16[i+2]) : 0;

+	    c2 -= 0xdc00;

+	    s2[j] = 0xf0 | (c >> 8);

+	    s2[j+1] = 0x80 | ((c >> 2) & 0x3f);

+	    s2[j+2] = 0x80 | ((c&3) << 4) | (c2 >> 6);

+	    s2[j+3] = 0x80 | (c2 & 0x3f);

+	    j += 4;

+	    i += 2;

+	} else {

+	    cli_dbgmsg("UTF16 surrogate encountered at wrong pos\n");

+	    /* invalid char */

+	    s2[j++] = 0xef;

+	    s2[j++] = 0xbf;

+	    s2[j++] = 0xbd;

+	}

+    }

+    if (j >= needed)

+	j = needed-1;

+    s2[j] = '\0';

+    return s2;

+}

@@ -51,4 +51,11 @@ struct text_buffer;

 int  cli_textbuffer_append_normalize(struct text_buffer *buf, const char *str, size_t len);

 int cli_hexnibbles(char *str, int len);

+typedef enum {

+    UTF16_BE, /* Force big endian */

+    UTF16_LE, /* Force little endian */

+    UTF16_BOM /* Use BOM if available otherwise assume big endian */

+} utf16_type;

+char *cli_utf16_to_utf8(const char *utf16, size_t length, utf16_type type);

+

 #endif