git-svn: trunk@3019
Tomasz Kojm authored on 2007/04/16 05:09:09... | ... |
@@ -1,3 +1,8 @@ |
1 |
+Sun Apr 15 21:14:06 CEST 2007 (tk) |
|
2 |
+---------------------------------- |
|
3 |
+ * libclamav/cab.c: fix buffer overflow, reported through iDefense |
|
4 |
+ Vulnerability Contributor Program (CVE-2007-1997) |
|
5 |
+ |
|
1 | 6 |
Thu Apr 12 13:27:11 BST 2007 (njh) |
2 | 7 |
---------------------------------- |
3 | 8 |
* libclamav/pdf.c: Improved handling of very small files |
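--- a/libclamav/cab.c
+++ b/libclamav/cab.c
@@ -550,10 +550,16 @@ static int cab_unstore(struct cab_file *file, int bytes, uint8_t wflag)
 unsigned char buff[4096];
 
 
+if(bytes < 0) {
+cli_warnmsg("cab_unstore: bytes < 0\n");
+return CL_EFORMAT;
+}
+
 todo = bytes;
+
 while(1) {
 
-if(todo <= (int) sizeof(buff)) {
+if((unsigned int) todo <= sizeof(buff)) {
 if(cab_read(file, buff, todo) == -1) {
 cli_dbgmsg("cab_unstore: cab_read failed for descriptor %d\n", file->fd);
 return CL_EIO;
@@ -614,7 +620,7 @@ int cab_extract(struct cab_file *file, const char *name)
 
 switch(file->folder->cmethod & 0x000f) {
 case 0x0000: /* STORE */
-if(file->offset)
+if(file->offset > 0)
 cab_unstore(file, file->offset, 0);
 
 ret = cab_unstore(file, file->length, 1);
@@ -628,7 +634,7 @@ int cab_extract(struct cab_file *file, const char *name)
 close(file->ofd);
 return CL_EMSCAB;
 }
-if(file->offset) {
+if(file->offset > 0) {
 ((struct mszip_stream *) file->state->stream)->wflag = 0;
 mszip_decompress(file->state->stream, file->offset);
 ((struct mszip_stream *) file->state->stream)->wflag = 1;
@@ -645,7 +651,7 @@ int cab_extract(struct cab_file *file, const char *name)
 close(file->ofd);
 return CL_EMSCAB;
 }
-if(file->offset) {
+if(file->offset > 0) {
 ((struct qtm_stream *) file->state->stream)->wflag = 0;
 qtm_decompress(file->state->stream, file->offset);
 ((struct qtm_stream *) file->state->stream)->wflag = 1;
@@ -662,7 +668,7 @@ int cab_extract(struct cab_file *file, const char *name)
 close(file->ofd);
 return CL_EMSCAB;
 }
-if(file->offset) {
+if(file->offset > 0) {
 ((struct lzx_stream *) file->state->stream)->wflag = 0;
 lzx_decompress(file->state->stream, file->offset);
 ((struct lzx_stream *) file->state->stream)->wflag = 1;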
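Review bot: The STORE branch in the `@@ -614,7 +620,7 @@` hunk still discards the result of the skip call `cab_unstore(file, file->offset, 0);`, so when the new `bytes < 0` guard makes cab_unstore return CL_EFORMAT, or a short read returns CL_EIO, extraction carries on with the stream at the wrong position instead of failing. Propagate it the way the next line `ret = cab_unstore(file, file->length, 1);` does, e.g. `if(file->offset > 0 && (ret = cab_unstore(file, file->offset, 0)) != CL_SUCCESS)` followed by the same `close(file->ofd);` / return path the neighbouring error branches use; the mszip, qtm and lzx hunks appear to drop the return of their `*_decompress(file->state->stream, file->offset)` skip calls in the same way and deserve the same treatment. In the cab_unstore hunk the guard would also benefit from a comment stating why it exists, e.g. `/* bytes comes from the archive's offset/length fields; a negative value would wrap in the unsigned bound check below */` (the origin of the value is inferred from the call sites, confirm). Both cab_unstore and cab_extract start and end outside the hunks.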