@@ -1,3 +1,7 @@

+Thu Dec 13 23:34:22 CET 2007 (tk)

+---------------------------------

+  * libclamav: rewritten decompressor for mscompress - faster and more secure

+

 Thu Dec 13 21:47:53 CET 2007 (acab)

 -----------------------------------

   * libclamav: merge the post 0.92 code

@@ -1,15 +1,11 @@

 /*

- *  msexpand: Microsoft "compress.exe/expand.exe" compatible decompressor

- *

- *  Copyright (c) 2000 Martin Hinner <mhi@penguin.cz>

- *  Algorithm & data structures by M. Winterhoff <100326.2776@compuserve.com>

- *

- *  Corrected and adapted to ClamAV by Tomasz Kojm <tkojm@clamav.net>

+ *  Copyright (C) 2007 Sourcefire, Inc.

+ *  Author: Tomasz Kojm <tkojm@clamav.net>

+ *  Credits: Decompression scheme by M. Winterhoff

  *

  *  This program is free software; you can redistribute it and/or modify

- *  it under the terms of the GNU General Public License as published by

- *  the Free Software Foundation; either version 2, or (at your option)

- *  any later version.

+ *  it under the terms of the GNU General Public License version 2 as

+ *  published by the Free Software Foundation.

  *

  *  This program is distributed in the hope that it will be useful,

  *  but WITHOUT ANY WARRANTY; without even the implied warranty of

@@ -23,124 +19,137 @@

  */

 #include <stdio.h>

-#include <stdlib.h>

-#ifdef	HAVE_UNISTD_H

-#include <unistd.h>

-#endif

-#include <string.h>

+#include <stddef.h>

+#include <sys/types.h>

+#include <sys/stat.h>

+#include <fcntl.h>

-#if HAVE_CONFIG_H

-#include "clamav-config.h"

-#endif

+#include "clamav.h"

 #include "cltypes.h"

 #include "others.h"

 #include "msexpand.h"

-int cli_msexpand(FILE *in, FILE *out)

-{

-	int bits, ch, i, j, len, mask;

-	unsigned char *buffer;

-	uint32_t magic1, magic2, magic3, filesize;

-	uint16_t reserved;

-

+#ifndef HAVE_ATTRIB_PACKED

+#define __attribute__(x)

+#endif

-    if(fread(&magic1, sizeof(magic1), 1, in) != 1) {

-	return -1;

-    }

+#define EC32(x) le32_to_host(x)

+#define EC16(x) le16_to_host(x)

+

+#define MAGIC1	0x44445a53

+#define MAGIC2	0x3327f088

+#define MAGIC3	0x0041

+

+struct msexp_hdr {

+    uint32_t magic1;

+    uint32_t magic2;

+    uint16_t magic3;

+    uint32_t fsize;

+} __attribute((packed));

+

+#define BSIZE 4096

+#define RWBUFF 2048

+

+#define READBYTES				\

+    ret = cli_readn(fd, rbuff, RWBUFF);		\

+    if(ret == -1)				\

+	return CL_EIO;				\

+    if(!ret)					\

+	break;					\

+    rbytes = (unsigned int) ret;		\

+    r = 0;

+

+#define WRITEBYTES				\

+    ret = cli_writen(ofd, wbuff, w);		\

+    if(ret == -1 || (unsigned int) ret != w)	\

+	return CL_EIO;				\

+    wbytes += w;				\

+    if(wbytes >= hdr.fsize)			\

+	return CL_SUCCESS;			\

+    w = 0;

+

+

+int cli_msexpand(int fd, int ofd, cli_ctx *ctx)

+{

+	struct msexp_hdr hdr;

+	uint8_t i, mask, bits;

+	unsigned char buff[BSIZE], rbuff[RWBUFF], wbuff[RWBUFF];

+	unsigned int j = BSIZE - 16, k, l, r = 0, w = 0, rbytes = 0, wbytes = 0;

+	int ret;

-    if(magic1 == le32_to_host(0x44445A53L))

-    {

-	if(fread(&magic2, sizeof(magic2), 1, in) != 1) {

-	    return -1;

-	}

-	if(fread(&reserved, sizeof(reserved), 1, in) != 1) {

-	    return -1;

-	}

+    if(cli_readn(fd, &hdr, sizeof(hdr)) == -1)

+	return CL_EIO;

-	if(fread(&filesize, sizeof(filesize), 1, in) != 1) {

-	    return -1;

-	}

+    if(EC32(hdr.magic1) != MAGIC1 || EC32(hdr.magic2) != MAGIC2 || EC16(hdr.magic3) != MAGIC3) {

+	cli_dbgmsg("MSEXPAND: Not supported file format\n");

+	return CL_EFORMAT;

+    }

-	if(magic2 != le32_to_host(0x3327F088L))

-	{

-	    cli_warnmsg("msexpand: Not a MS-compressed file\n");

-	    return -1;

-	}

+    cli_dbgmsg("MSEXPAND: File size from header: %u\n", hdr.fsize);

-    } else

-    if(magic1 == le32_to_host(0x4A41574BL))

-    {

-	if(fread(&magic2, sizeof(magic2), 1, in) != 1) {

-	    return -1;

-	}

+    if(ctx->limits && ctx->limits->maxfilesize && (hdr.fsize > ctx->limits->maxfilesize)) {

+	cli_dbgmsg("MSEXPAND: Size exceeded (%u, max: %lu)\n", hdr.fsize, ctx->limits->maxfilesize);

+        if(BLOCKMAX) {

+	    *ctx->virname = "MSEXPAND.ExceededFileSize";

+            return CL_VIRUS;

+        }

+	hdr.fsize = ctx->limits->maxfilesize;

+	cli_dbgmsg("MSEXPAND: Only extracting first %u bytes\n", hdr.fsize); /* may extract up to 2kB more */

+    }

-	if(fread(&magic3, sizeof(magic3), 1, in) != 1) {

-	    return -1;

-	}

+    while(1) {

-	if(fread(&reserved, sizeof(reserved), 1, in) != 1) {

-	    return -1;

+	if(!rbytes || (r == rbytes)) {

+	    READBYTES;

 	}

-	if(magic2 != le32_to_host(0xD127F088L) || magic3 != le32_to_host(0x00120003L))

-	{

-	    cli_warnmsg("msexpand: Not a MS-compressed file\n");

-	    return -1;

-	}

+	bits = rbuff[r]; r++;

-	cli_warnmsg("msexpand: unsupported version 6.22\n");

-	return -1;

+	mask = 1;

+	for(i = 0; i < 8; i++) {

+	    if(bits & mask) {

+		if(r == rbytes) {

+		    READBYTES;

+		}

-    } else {

-	cli_warnmsg("msexpand: Not a MS-compressed file\n");

-	return -1;

-    }

+		if(w == RWBUFF) {

+		    WRITEBYTES;

+		}

-    if((buffer = (unsigned char *) cli_calloc(4096, sizeof(char))) == NULL) {

-	cli_errmsg("msexpand: Can't allocate memory\n");

-	return -1;

-    }

+		wbuff[w] = buff[j] = rbuff[r];

+		r++; w++;

+		j++; j %= BSIZE;

+	    } else {

+		if(r == rbytes) {

+		    READBYTES;

+		}

+		k = rbuff[r]; r++;

-    i = 4096 - 16;

-

-    while (1) {

-	if((bits = fgetc(in)) == EOF)

-	    break;

-

-	for(mask = 0x01; mask & 0xFF; mask <<= 1) {

-	    if(!(bits & mask)) {

-		if((j = fgetc(in)) == EOF)

-		    break;

-		len = fgetc(in);

-		j += (len & 0xF0) << 4;

-		len = (len & 15) + 3;

-		while(len--) {

-		    buffer[i] = buffer[j];

-		    if(fwrite(&buffer[i], sizeof(unsigned char), 1, out) != 1) {

-			free(buffer);

-			return -1;

-		    }

-		    j++;

-		    j %= 4096;

-		    i++;

-		    i %= 4096;

+		if(r == rbytes) {

+		    READBYTES;

 		}

-	    } else {

-		if((ch = fgetc(in)) == EOF)

-		    break;

+		l = rbuff[r]; r++;

-		buffer[i] = ch;

-		if(fwrite(&buffer[i], sizeof(unsigned char), 1, out) != 1) {

-		    free(buffer);

-		    return -1;

+		k += (l & 0xf0) << 4;

+		l = (l & 0x0f) + 3;

+		while(l--) {

+		    if(w == RWBUFF) {

+			WRITEBYTES;

+		    }

+		    wbuff[w] = buff[j] = buff[k];

+		    w++;

+		    k++; k %= BSIZE;

+		    j++; j %= BSIZE;

 		}

-		i++;

-		i %= 4096;

 	    }

+	    mask *= 2;

 	}

     }

-    free(buffer);

-    return 0;

+    if(w) {

+	WRITEBYTES;

+    }

+

+    return CL_SUCCESS;

 }

@@ -1,10 +1,11 @@

 /*

- *  Copyright (C) 2004 Tomasz Kojm <tkojm@clamav.net>

+ *  Copyright (C) 2007 Sourcefire, Inc.

+ *  Author: Tomasz Kojm <tkojm@clamav.net>

+ *  Credits: Decompression scheme by M. Winterhoff

  *

  *  This program is free software; you can redistribute it and/or modify

- *  it under the terms of the GNU General Public License as published by

- *  the Free Software Foundation; either version 2 of the License, or

- *  (at your option) any later version.

+ *  it under the terms of the GNU General Public License version 2 as

+ *  published by the Free Software Foundation.

  *

  *  This program is distributed in the hope that it will be useful,

  *  but WITHOUT ANY WARRANTY; without even the implied warranty of

@@ -20,8 +21,8 @@

 #ifndef __MSEXPAND_H

 #define __MSEXPAND_H

-#include <stdio.h>

+#include "others.h"

-int cli_msexpand(FILE *in, FILE *out);

+int cli_msexpand(int fd, int ofd, cli_ctx *ctx);

 #endif

@@ -652,71 +652,40 @@ static int cli_scanbzip(int desc, cli_ctx *ctx)

 }

 #endif

-/*

 static int cli_scanszdd(int desc, cli_ctx *ctx)

 {

-	int fd, ret = CL_CLEAN, dcpy;

-	FILE *tmp = NULL, *in;

+	int ofd, ret;

 	char *tmpname;

     cli_dbgmsg("in cli_scanszdd()\n");

-    if((dcpy = dup(desc)) == -1) {

-	cli_dbgmsg("SZDD: Can't duplicate descriptor %d\n", desc);

-	return CL_EIO;

-    }

-

-    if((in = fdopen(dcpy, "rb")) == NULL) {

-	cli_dbgmsg("SZDD: Can't open descriptor %d\n", desc);

-	close(dcpy);

-	return CL_EMSCOMP;

-    }

-

-    if((tmpname = cli_gentempstream(NULL, &tmp)) == NULL) {

-	cli_dbgmsg("SZDD: Can't generate temporary file.\n");

-	fclose(in);

-	return CL_ETMPFILE;

-    }

-

-    if(cli_msexpand(in, tmp) == -1) {

-	cli_dbgmsg("SZDD: msexpand failed.\n");

-	fclose(in);

-	fclose(tmp);

-	if(!cli_leavetemps_flag)

-	    unlink(tmpname);

-	free(tmpname);	

-	return CL_EMSCOMP;

+    if((ret = cli_gentempfd(NULL, &tmpname, &ofd))) {

+	cli_dbgmsg("MSEXPAND: Can't generate temporary file/descriptor\n");

+	return ret;

     }

-    fclose(in);

-    if(fflush(tmp)) {

-	cli_dbgmsg("SZDD: fflush() failed.\n");

-	fclose(tmp);

-	if(!cli_leavetemps_flag)

-	    unlink(tmpname);

-	free(tmpname);	

-	return CL_EFSYNC;

-    }

+    lseek(desc, 0, SEEK_SET);

+    ret = cli_msexpand(desc, ofd, ctx);

-    fd = fileno(tmp);

-    lseek(fd, 0, SEEK_SET);

-    if((ret = cli_magic_scandesc(fd, ctx)) == CL_VIRUS) {

-	cli_dbgmsg("SZDD: Infected with %s\n", *ctx->virname);

-	fclose(tmp);

+    if(ret != CL_SUCCESS) { /* CL_VIRUS or some error */

+	close(ofd);

 	if(!cli_leavetemps_flag)

 	    unlink(tmpname);

 	free(tmpname);	

-	return CL_VIRUS;

+	return ret;

     }

-    fclose(tmp);

+    cli_dbgmsg("MSEXPAND: Decompressed into %s\n", tmpname);

+    lseek(ofd, 0, SEEK_SET);

+    ret = cli_magic_scandesc(ofd, ctx);

+    close(ofd);

     if(!cli_leavetemps_flag)

 	unlink(tmpname);

     free(tmpname);	

+

     return ret;

 }

-*/

 static int cli_scanmscab(int desc, cli_ctx *ctx, off_t sfx_offset)

 {

@@ -1847,12 +1816,12 @@ int cli_magic_scandesc(int desc, cli_ctx *ctx)

 	    if(SCAN_ARCHIVE && (DCONF_ARCH & ARCH_CONF_AUTOIT))

 		ret = cli_scanautoit(desc, ctx, 23);

 	    break;

-/*

+

 	case CL_TYPE_MSSZDD:

 	    if(SCAN_ARCHIVE && (DCONF_ARCH & ARCH_CONF_SZDD))

 		ret = cli_scanszdd(desc, ctx);

 	    break;

-*/

+

 	case CL_TYPE_MSCAB:

 	    if(SCAN_ARCHIVE && (DCONF_ARCH & ARCH_CONF_CAB))

 		ret = cli_scanmscab(desc, ctx, 0);