Browse code
fix buffer overflow
| ... | ... |
@@ -1,3 +1,8 @@ |
| 1 |
+Sun Apr 15 21:14:06 CEST 2007 (tk) |
|
| 2 |
+---------------------------------- |
|
| 3 |
+ * libclamav/cab.c: fix buffer overflow, reported through iDefense |
|
| 4 |
+ Vulnerability Contributor Program (CVE-2007-1997) |
|
| 5 |
+ |
|
| 1 | 6 |
Thu Apr 12 13:27:11 BST 2007 (njh) |
| 2 | 7 |
---------------------------------- |
| 3 | 8 |
* libclamav/pdf.c: Improved handling of very small files |
| ... | ... |
@@ -550,10 +550,16 @@ static int cab_unstore(struct cab_file *file, int bytes, uint8_t wflag) |
| 550 | 550 |
unsigned char buff[4096]; |
| 551 | 551 |
|
| 552 | 552 |
|
| 553 |
+ if(bytes < 0) {
|
|
| 554 |
+ cli_warnmsg("cab_unstore: bytes < 0\n");
|
|
| 555 |
+ return CL_EFORMAT; |
|
| 556 |
+ } |
|
| 557 |
+ |
|
| 553 | 558 |
todo = bytes; |
| 559 |
+ |
|
| 554 | 560 |
while(1) {
|
| 555 | 561 |
|
| 556 |
- if(todo <= (int) sizeof(buff)) {
|
|
| 562 |
+ if((unsigned int) todo <= sizeof(buff)) {
|
|
| 557 | 563 |
if(cab_read(file, buff, todo) == -1) {
|
| 558 | 564 |
cli_dbgmsg("cab_unstore: cab_read failed for descriptor %d\n", file->fd);
|
| 559 | 565 |
return CL_EIO; |
| ... | ... |
@@ -614,7 +620,7 @@ int cab_extract(struct cab_file *file, const char *name) |
| 614 | 614 |
|
| 615 | 615 |
switch(file->folder->cmethod & 0x000f) {
|
| 616 | 616 |
case 0x0000: /* STORE */ |
| 617 |
- if(file->offset) |
|
| 617 |
+ if(file->offset > 0) |
|
| 618 | 618 |
cab_unstore(file, file->offset, 0); |
| 619 | 619 |
|
| 620 | 620 |
ret = cab_unstore(file, file->length, 1); |
| ... | ... |
@@ -628,7 +634,7 @@ int cab_extract(struct cab_file *file, const char *name) |
| 628 | 628 |
close(file->ofd); |
| 629 | 629 |
return CL_EMSCAB; |
| 630 | 630 |
} |
| 631 |
- if(file->offset) {
|
|
| 631 |
+ if(file->offset > 0) {
|
|
| 632 | 632 |
((struct mszip_stream *) file->state->stream)->wflag = 0; |
| 633 | 633 |
mszip_decompress(file->state->stream, file->offset); |
| 634 | 634 |
((struct mszip_stream *) file->state->stream)->wflag = 1; |
| ... | ... |
@@ -645,7 +651,7 @@ int cab_extract(struct cab_file *file, const char *name) |
| 645 | 645 |
close(file->ofd); |
| 646 | 646 |
return CL_EMSCAB; |
| 647 | 647 |
} |
| 648 |
- if(file->offset) {
|
|
| 648 |
+ if(file->offset > 0) {
|
|
| 649 | 649 |
((struct qtm_stream *) file->state->stream)->wflag = 0; |
| 650 | 650 |
qtm_decompress(file->state->stream, file->offset); |
| 651 | 651 |
((struct qtm_stream *) file->state->stream)->wflag = 1; |
| ... | ... |
@@ -662,7 +668,7 @@ int cab_extract(struct cab_file *file, const char *name) |
| 662 | 662 |
close(file->ofd); |
| 663 | 663 |
return CL_EMSCAB; |
| 664 | 664 |
} |
| 665 |
- if(file->offset) {
|
|
| 665 |
+ if(file->offset > 0) {
|
|
| 666 | 666 |
((struct lzx_stream *) file->state->stream)->wflag = 0; |
| 667 | 667 |
lzx_decompress(file->state->stream, file->offset); |
| 668 | 668 |
((struct lzx_stream *) file->state->stream)->wflag = 1; |