@@ -67,7 +67,8 @@

  * strings SHOULD range from 9 to 12 bits.

  */

 #define BITS_MIN    9       /* start with 9 bits */

-#define BITS_MAX    13      /* max of 12 bit strings, +1 for robustness */

+#define BITS_VALID  12      /* max of 12 bit strings are valid, used to flag  */

+#define BITS_MAX    14      /* max of 12 bit strings, +2 for robustness */

 /* predefined codes */

 #define CODE_BASIC  256     /* last basic code + 1 */

 #define CODE_CLEAR  256     /* code to clear string table */

@@ -94,7 +95,6 @@ struct lzw_internal_state {

     uint16_t    nbits;      /* # of bits/code */

     long        nextdata;   /* next bits of i/o */

     long        nextbits;   /* # of valid bits in lzw_nextdata */

-    uint32_t    flags;      /* flags affecting decompression */

     /* decoding-specific state */

     long    dec_nbitsmask;  /* lzw_nbits 1 bits, right adjusted */

@@ -146,7 +146,7 @@ break;                                                    \

     oldcodep = state->dec_codetab + code;                               \

 }

-int lzwInit(lzw_streamp strm, uint32_t flags)

+int lzwInit(lzw_streamp strm)

 {

     struct lzw_internal_state *sp;

     hcode_t code;

@@ -161,7 +161,6 @@ int lzwInit(lzw_streamp strm, uint32_t flags)

     sp->nbits = BITS_MIN;

     sp->nextdata = 0;

     sp->nextbits = 0;

-    sp->flags = flags;

     /* dictionary setup */

     sp->dec_codetab = cli_calloc(CSIZE, sizeof(code_t));

@@ -200,19 +199,22 @@ int lzwInflate(lzw_streamp strm)

     uint8_t *wp;

     hcode_t code, free_code;

     int echg, ret = LZW_OK;

+    uint32_t flags;

     if (strm == NULL || strm->state == NULL || strm->next_out == NULL ||

         (strm->next_in == NULL && strm->avail_in != 0))

         return LZW_STREAM_ERROR;

     /* load state */

-    state = strm->state;

     to = strm->next_out;

     out = left = strm->avail_out;

     from = strm->next_in;

     in = have = strm->avail_in;

+    flags = strm->flags;

+    state = strm->state;

+

     nbits = state->nbits;

     nextdata = state->nextdata;

     nextbits = state->nextbits;

@@ -221,7 +223,7 @@ int lzwInflate(lzw_streamp strm)

     free_entp = state->dec_free_entp;

     maxcodep = state->dec_maxcodep;

-    echg = state->flags & LZW_FLAG_EARLYCHG;

+    echg = flags & LZW_FLAG_EARLYCHG;

     free_code = free_entp - &state->dec_codetab[0];

     if (oldcodep == &state->dec_codetab[CODE_EOI])

@@ -289,8 +291,11 @@ int lzwInflate(lzw_streamp strm)

         /* non-earlychange bit expansion */

         if (!echg && free_entp > maxcodep) {

-            if (++nbits > BITS_MAX)     /* should not happen */

-                nbits = BITS_MAX;

+            if (++nbits > BITS_VALID) {

+                flags |= LZW_FLAG_BIGDICT;

+                if (nbits > BITS_MAX)     /* should not happen */

+                    nbits = BITS_MAX;

+            }

             nbitsmask = MAXCODE(nbits);

             maxcodep = state->dec_codetab + nbitsmask-1;

         }

@@ -311,8 +316,11 @@ int lzwInflate(lzw_streamp strm)

         free_entp++;

         /* earlychange bit expansion */

         if (echg && free_entp > maxcodep) {

-            if (++nbits > BITS_MAX)     /* should not happen */

-                nbits = BITS_MAX;

+            if (++nbits > BITS_VALID) {

+                flags |= LZW_FLAG_BIGDICT;

+                if (nbits > BITS_MAX)     /* should not happen */

+                    nbits = BITS_MAX;

+            }

             nbitsmask = MAXCODE(nbits);

             maxcodep = state->dec_codetab + nbitsmask-1;

         }

@@ -366,6 +374,7 @@ inf_end:

     strm->avail_out = left;

     strm->next_in = from;

     strm->avail_in = have;

+    strm->flags = flags;

     state->nbits = (uint16_t)nbits;

     state->nextdata = nextdata;

@@ -49,6 +49,8 @@ typedef struct lzw_stream_s {

     unsigned total_out;

     char *msg;

+

+    uint32_t flags;

     struct lzw_internal_state *state;

 } lzw_stream;

@@ -62,10 +64,13 @@ typedef lzw_stream *lzw_streamp;

 #define LZW_BUF_ERROR    (-5)

 #define LZW_DICT_ERROR   (-7)

-#define LZW_NOFLAGS        0

-#define LZW_FLAG_EARLYCHG  1

+/* option flags */

+#define LZW_NOFLAGS        0x0

+#define LZW_FLAG_EARLYCHG  0x1

+/* state flags */

+#define LZW_FLAG_BIGDICT   0x100

-int lzwInit(lzw_streamp strm, uint32_t flags);

+int lzwInit(lzw_streamp strm);

 int lzwInflate(lzw_streamp strm);

 int lzwInflateEnd(lzw_streamp strm);

@@ -957,8 +957,10 @@ int pdf_extract_obj(struct pdf_struct *pdf, struct pdf_obj *obj, uint32_t flags)

                 if (dparams)

                     pdf_free_dict(dparams);

-                if (sum < 0)

-                    return rc;

+                if (sum < 0 || (rc == CL_VIRUS && !(pdf->ctx->options & CL_SCAN_ALLMATCHES))) {

+                    sum = 0; /* prevents post-filter scan */

+                    break;

+                }

                 cli_dbgmsg("-------------EXPERIMENTAL-------------\n");

@@ -117,7 +117,13 @@ off_t pdf_decodestream(struct pdf_struct *pdf, struct pdf_obj *obj, struct pdf_d

     cli_dbgmsg("cli_pdf: detected %lu applied filters\n", (long unsigned)(obj->numfilters));

     rv = pdf_decodestream_internal(pdf, obj, params, token);

-    /* return is ignored so that the existing content is dumped to file */

+    /* return is generally ignored */

+    if (rc) {

+        if (rv == CL_VIRUS)

+            *rc = CL_VIRUS;

+        else

+            *rc = CL_SUCCESS;

+    }

     if (!cli_checklimits("pdf", pdf->ctx, token->length, 0, 0)) {

         if (cli_writen(fout, token->content, token->length) != token->length) {

@@ -131,15 +137,13 @@ off_t pdf_decodestream(struct pdf_struct *pdf, struct pdf_obj *obj, struct pdf_d

     free(token->content);

     free(token);

-    if (rc)

-        *rc = CL_SUCCESS;

     return rv;

 }

 static int pdf_decodestream_internal(struct pdf_struct *pdf, struct pdf_obj *obj, struct pdf_dict *params, struct pdf_token *token)

 {

     const char *filter = NULL;

-    int i, rc = CL_SUCCESS;

+    int i, vir = 0, rc = CL_SUCCESS;

     /*

      * if pdf is decryptable, scan for CRYPT filter

@@ -211,22 +215,26 @@ static int pdf_decodestream_internal(struct pdf_struct *pdf, struct pdf_obj *obj

         }

         if (rc != CL_SUCCESS) {

-            const char *reason;

-            switch (rc) {

-            case CL_VIRUS:

-                reason = "detection";

-                break;

-            case CL_BREAK:

-                reason = "break decoding";

-                break;

-            default:

-                reason = "error decoding";

+            if (rc == CL_VIRUS && pdf->ctx->options & CL_SCAN_ALLMATCHES)

+                vir = 1;

+            else {

+                const char *reason;

+                switch (rc) {

+                case CL_VIRUS:

+                    reason = "detection";

+                    break;

+                case CL_BREAK:

+                    reason = "break decoding";

+                    break;

+                default:

+                    reason = "error decoding";

+                    break;

+                }

+

+                cli_dbgmsg("cli_pdf: %s, stopping after %d (of %lu) filters\n",

+                           reason, i, (long unsigned)(obj->numfilters));

                 break;

             }

-

-            cli_dbgmsg("cli_pdf: %s, stopping after %d (of %lu) filters\n",

-                       reason, i, (long unsigned)(obj->numfilters));

-            break;

         }

         if (cl_engine_get_num(pdf->ctx->engine, CL_ENGINE_FORCETODISK, NULL) &&

@@ -237,6 +245,8 @@ static int pdf_decodestream_internal(struct pdf_struct *pdf, struct pdf_obj *obj

         }

     }

+    if (vir)

+        return CL_VIRUS;

     if (rc == CL_BREAK)

         return CL_SUCCESS;

     return rc;

@@ -786,8 +796,10 @@ static int filter_lzwdecode(struct pdf_struct *pdf, struct pdf_obj *obj, struct

     stream.avail_in = length;

     stream.next_out = decoded;

     stream.avail_out = BUFSIZ;

+    if (echg)

+        stream.flags |= LZW_FLAG_EARLYCHG;

-    lzwstat = lzwInit(&stream, echg ? LZW_FLAG_EARLYCHG : LZW_NOFLAGS);

+    lzwstat = lzwInit(&stream);

     if(lzwstat != Z_OK) {

         cli_warnmsg("cli_pdf: lzwInit failed\n");

         free(decoded);

@@ -811,7 +823,7 @@ static int filter_lzwdecode(struct pdf_struct *pdf, struct pdf_obj *obj, struct

             stream.next_out = (Bytef *)decoded;

             stream.avail_out = capacity;

-            lzwstat = lzwInit(&stream, echg ? LZW_FLAG_EARLYCHG : LZW_NOFLAGS);

+            lzwstat = lzwInit(&stream);

             if(lzwstat != Z_OK) {

                 cli_warnmsg("cli_pdf: lzwInit failed\n");

                 free(decoded);

@@ -897,5 +909,11 @@ static int filter_lzwdecode(struct pdf_struct *pdf, struct pdf_obj *obj, struct

         free(decoded);

     }

+    /* heuristic check */

+    if (stream.flags & LZW_FLAG_BIGDICT) {

+        cli_append_virus(pdf->ctx, "Heuristics.PDF.LZWInvalidDictionary");

+        rc = CL_VIRUS;

+    }

+

     return rc;

 }