@@ -1,3 +1,7 @@

+Fri Jan 26 00:36:13 CET 2007 (tk)

+---------------------------------

+  * libclamav: improve scanning of handcrafted zip archives

+

 Thu Jan 25 14:00:27 GMT 2007 (njh)

 ----------------------------------

   * libclamav:	Use BLOCKMAX (suggestion from TK)

@@ -226,7 +226,6 @@ static int cli_unrar_scanmetadata(int desc, rar_metadata_t *metadata, cli_ctx *c

 static int cli_scanrar(int desc, cli_ctx *ctx, off_t sfx_offset, uint32_t *sfx_check)

 {

 	int ret = CL_CLEAN;

-	unsigned int files = 0;

 	rar_metadata_t *metadata, *metadata_tmp;

 	char *dir;

 	rar_state_t rar_state;

@@ -312,11 +311,11 @@ static int cli_scanzip(int desc, cli_ctx *ctx, off_t sfx_offset, uint32_t *sfx_c

 	char *tmpname = NULL, *buff;

 	int fd, bytes, ret = CL_CLEAN;

 	unsigned long int size = 0;

-	unsigned int files = 0, encrypted;

+	unsigned int files = 0, encrypted, bfcnt;

 	struct stat source;

 	struct cli_meta_node *mdata;

 	int err;

-	uint8_t swarning = 0;

+	uint8_t swarning = 0, fail, success;

     cli_dbgmsg("in scanzip()\n");

@@ -483,65 +482,86 @@ static int cli_scanzip(int desc, cli_ctx *ctx, off_t sfx_offset, uint32_t *sfx_c

 	    }

 	}

-	/* generate temporary file and get its descriptor */

-	if((tmpname = cli_gentempstream(NULL, &tmp)) == NULL) {

-	    cli_dbgmsg("Zip: Can't generate tmpfile().\n");

-	    zip_file_close(zfp);

-	    ret = CL_ETMPFILE;

-	    break;

-	}

+	bfcnt = 0;

+	success = 0;

+	while(1) {

+	    fail = 0;

+

+	    /* generate temporary file and get its descriptor */

+	    if((tmpname = cli_gentempstream(NULL, &tmp)) == NULL) {

+		cli_dbgmsg("Zip: Can't generate tmpfile().\n");

+		ret = CL_ETMPFILE;

+		break;

+	    }

+

+	    size = 0;

+	    while((bytes = zip_file_read(zfp, buff, FILEBUFF)) > 0) {

+		size += bytes;

+		if(fwrite(buff, 1, bytes, tmp) != (size_t) bytes) {

+		    cli_dbgmsg("Zip: Can't write to file.\n");

+		    ret = CL_EIO;

+		    break;

+		}

+	    }

+

+	    if(!encrypted) {

+		if(size != zdirent.st_size) {

+		    cli_dbgmsg("Zip: Incorrectly decompressed (%d != %d)\n", size, zdirent.st_size);

+		    if(zfp->bf[0] == -1) {

+			ret = CL_EZIP;

+			break;

+		    } else {

+			fail = 1;

+		    }

+		} else {

+		    cli_dbgmsg("Zip: File decompressed to %s\n", tmpname);

+		    success = 1;

+		}

+	    }

+

+	    if(!fail) {

+		if(fflush(tmp) != 0) {

+		    cli_dbgmsg("Zip: fflush() failed\n");

+		    ret = CL_EFSYNC;

+		    break;

+		}

+

+		fd = fileno(tmp);

+

+		lseek(fd, 0, SEEK_SET);

+

+		if((ret = cli_magic_scandesc(fd, ctx)) == CL_VIRUS ) {

+		    cli_dbgmsg("Zip: Infected with %s\n", *ctx->virname);

+		    ret = CL_VIRUS;

+		    break;

+		}

-	size = 0;

-	while((bytes = zip_file_read(zfp, buff, FILEBUFF)) > 0) {

-	    size += bytes;

-	    if(fwrite(buff, 1, bytes, tmp) != (size_t) bytes) {

-		cli_dbgmsg("Zip: Can't write to file.\n");

-		zip_file_close(zfp);

-		zip_dir_close(zdir);

+	    }

+

+	    if(tmp) {

 		fclose(tmp);

 		if(!cli_leavetemps_flag)

 		    unlink(tmpname);

 		free(tmpname);

-		free(buff);

-		return CL_EIO;

+		tmp = NULL;

 	    }

-	}

-

-	zip_file_close(zfp);

-	if(!encrypted) {

-	    if(size != zdirent.st_size) {

-		cli_dbgmsg("Zip: Incorrectly decompressed (%d != %d)\n", size, zdirent.st_size);

-		ret = CL_EZIP;

+	    if(zfp->bf[bfcnt] == -1)

 		break;

-	    } else {

-		cli_dbgmsg("Zip: File decompressed to %s\n", tmpname);

-	    }

+	    zfp->method = (uint16_t) zfp->bf[bfcnt];

+	    cli_dbgmsg("Zip: Brute force mode - checking compression method %u\n", zfp->method);

+	    bfcnt++;

 	}

+	zip_file_close(zfp);

-	if(fflush(tmp) != 0) {

-	    cli_dbgmsg("Zip: fflush() failed\n");

-	    ret = CL_EFSYNC;

-	    break;

+	if(!ret && !success) { /* brute-force decompression failed */

+	    cli_dbgmsg("Zip: All attempts to decompress file failed\n");

+	    ret = CL_EZIP;

 	}

-	fd = fileno(tmp);

-

-	lseek(fd, 0, SEEK_SET);

-	if((ret = cli_magic_scandesc(fd, ctx)) == CL_VIRUS ) {

-	    cli_dbgmsg("Zip: Infected with %s\n", *ctx->virname);

-	    ret = CL_VIRUS;

+	if(ret) 

 	    break;

-	}

-

-	if(tmp) {

-	    fclose(tmp);

-	    if(!cli_leavetemps_flag)

-		unlink(tmpname);

-	    free(tmpname);

-	    tmp = NULL;

-	}

     }

     zip_dir_close(zdir);

@@ -176,7 +176,7 @@ int __zip_parse_root_directory(int fd, struct zip_disk_trailer *trailer, zip_dir

 	uint32_t u_rootsize = EC32(trailer->z_rootsize);  

 	uint32_t u_rootseek = EC32(trailer->z_rootseek) + start;

 	uint16_t u_extras, u_comment, u_namlen, u_flags;

-	uint8_t clone_entry;

+	unsigned int bfcnt;

 	char *pt;

@@ -185,6 +185,11 @@ int __zip_parse_root_directory(int fd, struct zip_disk_trailer *trailer, zip_dir

 	return CL_EIO;

     }

+    if(!u_entries) {

+	cli_errmsg("Unzip: __zip_parse_root_directory: File contains no entries\n");

+	return CL_EFORMAT;

+    }

+

     if(u_rootsize > (uint32_t) sb.st_size) {

 	cli_errmsg("Unzip: __zip_parse_root_directory: Incorrect root size\n");

 	return CL_EFORMAT;

@@ -197,7 +202,6 @@ int __zip_parse_root_directory(int fd, struct zip_disk_trailer *trailer, zip_dir

     hdr = hdr0;

     for(entries = u_entries, offset = 0; entries > 0; entries--) {

-	clone_entry = 0;

 	if(lseek(fd, u_rootseek + offset, SEEK_SET) < 0) {

 	    free(hdr0);

@@ -239,16 +243,20 @@ int __zip_parse_root_directory(int fd, struct zip_disk_trailer *trailer, zip_dir

         hdr->d_off   = EC32(d->z_off) + start;

         hdr->d_compr = EC16(d->z_compr);

+

+	bfcnt = 0;

 	if(!hdr->d_compr && hdr->d_csize != hdr->d_usize) {

 	    cli_warnmsg("Unzip: __zip_parse_root_directory: File claims to be stored but csize != usize\n");

-	    cli_dbgmsg("Unzip: __zip_parse_root_directory: Assuming method 'inflate'\n");

-	    hdr->d_compr = 8;

+	    cli_dbgmsg("Unzip: __zip_parse_root_directory: Also checking for method 'deflated'\n");

+	    hdr->d_bf[bfcnt] = ZIP_METHOD_DEFLATED;

+	    bfcnt++;

 	} else if(hdr->d_compr && hdr->d_csize == hdr->d_usize) {

 	    cli_dbgmsg("Unzip: __zip_parse_root_directory: File claims to be deflated but csize == usize\n");

-	    cli_dbgmsg("Unzip: __zip_parse_root_directory: Assuming method 'stored'\n");

-	    hdr->d_compr = 0;

-	    clone_entry = 1;

+	    cli_dbgmsg("Unzip: __zip_parse_root_directory: Also checking for method 'stored'\n");

+	    hdr->d_bf[bfcnt] = ZIP_METHOD_STORED;

+	    bfcnt++;

 	}

+	hdr->d_bf[bfcnt] = -1;

 	hdr->d_flags = u_flags;

@@ -280,18 +288,6 @@ int __zip_parse_root_directory(int fd, struct zip_disk_trailer *trailer, zip_dir

 	prev_hdr = hdr;

 	hdr = (zip_dir_hdr *) ((char *) hdr + hdr->d_reclen);

-

-	if(clone_entry) {

-	    hdr0 = (zip_dir_hdr *) cli_realloc(hdr0, u_rootsize + *p_reclen);

-	    if(!hdr0)

-		return CL_EMEM;

-	    memcpy((zip_dir_hdr *) hdr, (zip_dir_hdr *) prev_hdr, *p_reclen);

-	    hdr->d_compr = 8;

-	    if(u_namlen)

-		hdr->d_name[strlen(hdr->d_name) - 1]++;

-	    p_reclen = &hdr->d_reclen;

-	    hdr = (zip_dir_hdr *) ((char *) hdr + hdr->d_reclen);

-	}

     }

     if(p_reclen) {

@@ -561,6 +557,8 @@ zip_file *zip_file_open(zip_dir *dir, const char *name, int d_off)

             fp->usize = hdr->d_usize;

             fp->csize = hdr->d_csize;

+	    fp->bf = hdr->d_bf;

+

             ret = __zip_inflate_init(fp, hdr);

 	    if(ret) {

@@ -147,6 +147,7 @@ struct __zip_file

 {

     struct __zip_dir *dir; 

     uint16_t method;

+    int16_t *bf;

     size_t restlen;

     size_t crestlen;

     size_t usize;

@@ -164,6 +165,7 @@ struct __zip_dir_hdr

     uint16_t    d_reclen;       /* next dir_hdr structure offset */

     uint16_t    d_namlen;       /* explicit namelen of d_name */

     uint16_t    d_compr;        /* compression type */

+    int16_t	d_bf[2];	/* compression type/brute force */

     uint16_t	d_flags;	/* general purpose flags */

     char        d_name[1];      /* actual name of the entry */

 };