@@ -1,3 +1,9 @@

+Thu Mar 10 13:32:38 GMT 2005 (trog)

+-----------------------------------

+  * libclamav/special.c: Check Photoshop thumbnail images embedded in JPEG files.

+

+  * sigtool/vba.c: Add more Word6 tokens.

+

 Thu Mar 10 08:48:54 GMT 2005 (njh)

 ----------------------------------

   * clamav-milter:	--detect-forged-local-address no longer gives false

@@ -32,6 +32,27 @@

 #define FALSE (0)

 #define TRUE (1)

+/* NOTE: Photoshop stores data in BIG ENDIAN format, this is the opposite

+	to virtually everything else */

+#if WORDS_BIGENDIAN == 0

+static uint16_t special_endian_convert_16(uint16_t v)

+{

+        return ((v >> 8) + (v << 8));

+}

+#else

+#define special_endian_convert_16(v)       (v)

+#endif

+

+#if WORDS_BIGENDIAN == 0

+static uint32_t special_endian_convert_32(uint32_t v)

+{

+        return ((v >> 24) | ((v & 0x00FF0000) >> 8) |

+                ((v & 0x0000FF00) << 8) | (v << 24));

+}

+#else

+#define special_endian_convert_32(v)    (v)

+#endif

+

 int cli_check_mydoom_log(int desc, const char **virname)

 {

 	int32_t record[8], check;

@@ -69,6 +90,96 @@ int cli_check_mydoom_log(int desc, const char **virname)

     return retval;

 }

+static int jpeg_check_photoshop_8bim(int fd)

+{

+	unsigned char bim[5];

+	uint16_t id, nlength;

+	uint32_t size;

+	off_t offset;

+	int retval;

+

+	if (cli_readn(fd, bim, 4) != 4) {

+		cli_dbgmsg("read bim failed\n");

+		return -1;

+	}

+

+	if (memcmp(bim, "8BIM", 4) != 0) {

+		bim[4] = '\0';

+		cli_dbgmsg("missed 8bim: %s\n", bim);

+		return -1;

+	}

+

+	if (cli_readn(fd, &id, 2) != 2) {

+		return -1;

+	}

+	id = special_endian_convert_16(id);

+	cli_dbgmsg("ID: 0x%.4x\n", id);

+	if (cli_readn(fd, &nlength, 2) != 2) {

+		return -1;

+	}

+	nlength = special_endian_convert_16(nlength);

+	/* Seek past the name string */

+	if (nlength > 0) {

+		lseek(fd, nlength, SEEK_CUR);

+	}

+

+	if (cli_readn(fd, &size, 4) != 4) {

+		return -1;

+	}

+	size = special_endian_convert_32(size);

+	if (size == 0) {

+		return -1;

+	}

+	if ((size & 0x01) == 1) {

+		size++;

+	}

+	/* Is it a thumbnail image */

+	if ((id != 0x0409) && (id != 0x040c)) {

+		/* No - Seek past record */

+		lseek(fd, size, SEEK_CUR);

+		return 0;

+	}

+

+	cli_dbgmsg("found thumbnail\n");

+	/* Check for thumbmail image */

+	offset = lseek(fd, 0, SEEK_CUR);

+

+	/* Jump past header */

+	lseek(fd, 28, SEEK_CUR);

+

+	retval = cli_check_jpeg_exploit(fd);

+	if (retval == 1) {

+		cli_dbgmsg("Exploit found in thumbnail\n", retval);

+	}

+	lseek(fd, offset+size, SEEK_SET);

+

+	return retval;

+}

+

+static int jpeg_check_photoshop(int fd)

+{

+	int retval;

+	unsigned char buffer[14];

+

+	if (cli_readn(fd, buffer, 14) != 14) {

+		return 0;

+	}

+

+	if (memcmp(buffer, "Photoshop 3.0", 14) != 0) {

+		return 0;

+	}

+

+	cli_dbgmsg("Found Photoshop segment\n");

+	do {

+		retval = jpeg_check_photoshop_8bim(fd);

+	} while (retval == 0);

+

+	if (retval == -1) {

+		retval = 0;

+	}

+	return retval;

+}

+

 int cli_check_jpeg_exploit(int fd)

 {

 	unsigned char buffer[4];

@@ -85,6 +196,7 @@ int cli_check_jpeg_exploit(int fd)

 	if ((buffer[0] != 0xff) || (buffer[1] != 0xd8)) {

 		return 0;

 	}

+

 	for (;;) {

 		if ((retval=cli_readn(fd, buffer, 4)) != 4) {

 			return 0;

@@ -94,7 +206,7 @@ int cli_check_jpeg_exploit(int fd)

 			lseek(fd, -3, SEEK_CUR);

 			continue;

 		}

-		

+

 		if ((buffer[0] == 0xff) && (buffer[1] == 0xfe)) {

 			if (buffer[2] == 0x00) {

 				if ((buffer[3] == 0x00) || (buffer[3] == 0x01)) {

@@ -109,12 +221,21 @@ int cli_check_jpeg_exploit(int fd)

 			/* End of Image marker */

 			return 0;

 		}

+

 		offset = ((unsigned int) buffer[2] << 8) + buffer[3];

 		if (offset < 2) {

 			return 1;

 		}

 		offset -= 2;

 		offset += lseek(fd, 0, SEEK_CUR);

+

+		if (buffer[1] == 0xed) {

+			/* Possible Photoshop file */

+			if ((retval=jpeg_check_photoshop(fd)) != 0) {

+				return retval;

+			}

+		}

+

 		if (lseek(fd, offset, SEEK_SET) != offset) {

 			return -1;

 		}

@@ -180,7 +180,9 @@ void output_token67 (uint16_t token)

 	{0x0009, "HelpAbout"},

 	{0x000c, "ShrinkFont"},

 	{0x0016, "NextWindow"},

+	{0x0017, "PrevWindow"},

 	{0x001c, "DeleteWord"},

+	{0x001e, "EditClear"},

 	{0x0045, "GoBack"},

 	{0x0046, "SaveTemplate"},

 	{0x0048, "Cancel"},

@@ -205,6 +207,7 @@ void output_token67 (uint16_t token)

 	{0x007b, "EditAutoText"},

 	{0x0093, "ViewPage"},

 	{0x0098, "ToolsCustomize"},

+	{0x009b, "NormalViewHeaderArea"},

 	{0x009f, "InsertBreak"},

 	{0x00a2, "InsertSymbol"},

 	{0x00a4, "InsertFile"},

@@ -218,6 +221,7 @@ void output_token67 (uint16_t token)

 	{0x00cc, "ToolsOptionsView"},

 	{0x00cb, "ToolsOptionsGeneral"},

 	{0x00d1, "ToolsOptionsSave"},

+	{0x00d3, "ToolsOptionsSpelling"},

 	{0x00d5, "ToolsOptionsUserInfo"},

 	{0x00d7, "ToolsMacro"},

 	{0x00de, "Organizer"},

@@ -237,6 +241,8 @@ void output_token67 (uint16_t token)

 	{0x0179, "DrawRectangle"},

 	{0x017a, "ToolsAutoCorrect"},

 	{0x01a4, "Connect"},

+	{0x01a5, "WW2_EditFind"},

+	{0x01a6, "WW2_EditReplace"},

 	{0x01b0, "ToolsCustomizeKeyboard"},

 	{0x01b1, "ToolsCustomizeMenus"},

 	{0x01d2, "DrawBringToFront"},

@@ -291,12 +297,15 @@ void output_token67 (uint16_t token)

 	{0x8025, "FileName$"},

 	{0x8026, "CountFiles"},

 	{0x8027, "GetAutoText$"},

+	{0x8028, "CountAutoTextEntries"},

 	{0x802a, "SetAutoText"},

 	{0x802b, "MsgBox"},

 	{0x802c, "Beep"},

 	{0x802d, "Shell"},

+	{0x802f, "ResetPara"},

 	{0x8032, "DocMove"},

 	{0x8033, "DocSize"},

+	{0x8034, "VLine"},

 	{0x803a, "CountWindows"},

 	{0x803b, "WindowName$"},

 	{0x803e, "Window"},

@@ -324,14 +333,17 @@ void output_token67 (uint16_t token)

 	{0x8063, "AppActivate"},

 	{0x8064, "SendKeys"},

 	{0x806f, "ViewStatusBar"},

-	{0x8075, "ViewNormal"},

+	{0x8071, "ViewRibbon"},

 	{0x8073, "ViewPage"},

+	{0x8075, "ViewNormal"},

+	{0x8079, "Overtype"},

 	{0x807a, "Font$"},

 	{0x807b, "CountOfFonts"},

 	{0x807c, "Font"},

 	{0x807d, "FontSize"},

 	{0x8081, "WW6_EditClear"},

 	{0x8082, "FileList"},

+	{0x8083, "File1"},

 	{0x8098, "ExtendSelection"},

 	{0x809e, "DisableInput"},

 	{0x809f, "DocClose"},

@@ -358,6 +370,7 @@ void output_token67 (uint16_t token)

 	{0x80b9, "CountFoundFiles"},

 	{0x80ba, "FoundFileName$"},

 	{0x80be, "MacroDesc$"},

+	{0x80bf, "CountKeys"},

 	{0x80c1, "KeyMacro$"},

 	{0x80c2, "MacroCopy"},

 	{0x80c3, "IsExecuteOnly"},

@@ -393,6 +406,7 @@ void output_token67 (uint16_t token)

 	{0x80f9, "Year"},

 	{0x80fa, "DocWindowHeight"},

 	{0x80fb, "DocWindowWidth"},

+	{0x80fc, "DOSToWIN$"},

 	{0x80fd, "WinToDOS$"},

 	{0x80ff, "Second"},

 	{0x8100, "TimeValue"},

@@ -400,6 +414,8 @@ void output_token67 (uint16_t token)

 	{0x8103, "SetAttr"},

 	{0x8105, "DocMinimize"},

 	{0x8107, "AppActivate"},

+	{0x8108, "AppCount"},

+	{0x8109, "AppGetNames"},

 	{0x810a, "AppHide"},

 	{0x810b, "AppIsRunning"},

 	{0x810c, "GetSystemInfo$"},

@@ -411,11 +427,13 @@ void output_token67 (uint16_t token)

 	{0x8118, "IsTemplateDirty"},

 	{0x8119, "SetTemplateDirty"},

 	{0x811b, "DlgEnable"},

+	{0x811d, "DlgVisible"},

 	{0x811f, "DlgText$"},

 	{0x8121, "AppShow"},

 	{0x8122, "DlgListBoxArray"},

 	{0x8125, "Picture"},

 	{0x8126, "DlgSetPicture"},

+	{0x8131, "WW2_Files$"},

 	{0x8138, "DlgFocus"},

 	{0x813b, "BorderLineStyle"},

 	{0x813d, "MenuItemText$"},

@@ -441,26 +459,36 @@ void output_token67 (uint16_t token)

 	{0x8172, "GetText$"},

 	{0x8174, "DeleteButton"},

 	{0x8175, "AddButton"},

+	{0x8177, "DeleteAddIn"},

 	{0x8178, "AddAddIn"},

 	{0x8179, "GetAddInName$"},

 	{0x817c, "ResetButtonImage"},

 	{0x8180, "GetAddInId"},

 	{0x8181, "CountAddIns"},

+	{0x8182, "ClearAddIns"},

 	{0x8183, "AddInState"},

 	{0x818c, "DefaultDir$"},

 	{0x818d, "FileNameInfo$"},

 	{0x818e, "MacroFileName$"},

 	{0x818f, "ViewHeader"},

 	{0x8190, "ViewFooter"},

+	{0x8192, "CopyButtonImage"},

 	{0x8195, "CountToolbars"},

 	{0x8196, "ToolbarName$"},

 	{0x8198, "ChDefaultDir"},

 	{0x8199, "EditUndo"},

+	{0x81a0, "GetAutoCorrect$"},

 	{0x81a2, "FileQuit"},

 	{0x81a4, "FileConfirmConversions"},

+	{0x81d3, "SelectionFileName$"},

 	{0x81d9, "CountToolbarButtons"},

 	{0x81da, "ToolbarButtonMacro$"},

+	{0x81db, "WW2_Insert"},

 	{0x81dc, "AtEndOfDocument"},

+	{0x81fc, "GetDocumentProperty$"},

+	{0x81fd, "GetDocumentProperty"},

+	{0x8201, "DocumentPropertyName$"},

+	{0x820e, "SpellChecked"},

 	{0xb780, "CountMacros"},

 	{0xb880, "MacroName$"},

 	{0xc000, "CharLeft"},

@@ -506,6 +534,7 @@ void output_token73 (uint16_t token)

 	{0x0008, ".MenuText"},

 	{0x0009, ".APPUSERNAME"},

 	{0x000b, ".Delete"},

+	{0x000c, ".Sort"},

 	{0x0012, ".SavedBy"},

 	{0x0014, ".DateCreatedFrom"},

 	{0x0015, ".DateCreatedTo"},

@@ -519,6 +548,7 @@ void output_token73 (uint16_t token)

 	{0x0025, ".Italic"},

 	{0x0027, ".Hidden"},

 	{0x0028, ".Underline"},

+	{0x0029, ".Outline"},

 	{0x002b, ".Position"},

 	{0x002d, ".Spacing"},

 	{0x002f, ".Printer"},

@@ -533,6 +563,7 @@ void output_token73 (uint16_t token)

 	{0x003d, ".Hyphens"},

 	{0x003e, ".ShowAll"},

 	{0x0041, ".TextBoundaries"},

+	{0x0043, ".VScroll"},

 	{0x0046, ".PageWidth"},

 	{0x0047, ".PageHeight"},

 	{0x0049, ".TopMargin"},

@@ -562,17 +593,24 @@ void output_token73 (uint16_t token)

 	{0x0075, ".NewName"},

 	{0x0078, ".SmartQuotes"},

 	{0x007f, ".Source"},

+	{0x0080, ".Reference"},

 	{0x0085, ".Insert"},

 	{0x0086, ".Destination"},

 	{0x0087, ".Type"},

+	{0x0089, ".HeaderDistance"},

+	{0x008a, ".FooterDistance"},

+	{0x008b, ".FirstPage"},

+	{0x008c, ".OddAndEvenPages"},

 	{0x0091, ".Entry"},

 	{0x0092, ".Range"},

 	{0x0095, ".Link"},

 	{0x0098, ".Add"},

 	{0x009b, ".NewTemplate"},

+	{0x009f, ".ReadOnly"},

 	{0x00a1, ".LeftIndent"},

 	{0x00a2, ".RightIndent"},

 	{0x00a3, ".FirstIndent"},

+	{0x00a5, ".After"},

 	{0x00b9, ".NumCopies"},

 	{0x00ba, ".From"},

 	{0x00bb, ".To"},

@@ -583,6 +621,7 @@ void output_token73 (uint16_t token)

 	{0x00d7, ".CreateBackup"},

 	{0x00d8, ".LockAnnot"},

 	{0x00d9, ".Direction"},

+	{0x00ff, ".SuggestFromMainDictOnly"},

 	{0x012b, ".UpdateLinks"},

 	{0x012e, ".Update"},

 	{0x0131, ".Text"},

@@ -591,6 +630,7 @@ void output_token73 (uint16_t token)

 	{0x013b, ".AllCaps"},

 	{0x0148, ".Category"},

 	{0x0149, ".ConfirmConversions"},

+	{0x014c, ".StatusBar"},

 	{0x014d, ".PicturePlaceHolders"},

 	{0x014e, ".FieldCodes"},

 	{0x0150, ".Show"},

@@ -600,11 +640,18 @@ void output_token73 (uint16_t token)

 	{0x017d, ".Wrap"},

 	{0x0183, ".AutoFit"},

 	{0x0184, ".CharNum"},

+	{0x018b, ".View"},

+	{0x0190, ".Options"},

 	{0x0194, ".Find"},

 	{0x0196, ".Path"},

 	{0x01a8, ".Background"},

 	{0x01a9, ".SearchPath"},

+	{0x01ab, ".CustomDict1"},

+	{0x01ac, ".CustomDict2"},

+	{0x01ad, ".CustomDict3"},

+	{0x01ae, ".CustomDict4"},

 	{0x01b1, ".Collate"},

+	{0x01b2, ".Shadow"},

 	{0x01b4, ".Button"},

 	{0x01b9, ".Remove"},

 	{0x01ba, ".Protect"},

@@ -614,6 +661,7 @@ void output_token73 (uint16_t token)

 	{0x01df, ".Toolbar"},

 	{0x01e0, ".ReplaceAll"},

 	{0x01eb, ".Address"},

+	{0x01f4, ".SelectedFile"},

 	{0x01f5, ".Run"},

 	{0x01f6, ".Edit"},

 	{0x0218, ".LastSaved"},

@@ -625,7 +673,14 @@ void output_token73 (uint16_t token)

 	{0x0234, ".SetDesc"},

 	{0x023d, ".CountFootNodes"},

 	{0x0255, ".AddToMru"},

+	{0x0262, ".NoteTypes"},

 	{0x0272, ".With"},

+	{0x0275, ".CustoDict5"},

+	{0x0276, ".CustoDict6"},

+	{0x0277, ".CustoDict7"},

+	{0x0278, ".CustoDict8"},

+	{0x0279, ".CustoDict9"},

+	{0x027a, ".CustoDict10"},

 	{0x027e, ".ErrorBeeps"},

 	{0x0285, ".Goto"},

 	{0x0287, ".Copy"},

@@ -678,6 +733,7 @@ void output_token73 (uint16_t token)

 	{0x0355, ".TextFormat"},

 	{0x0366, ".SearchName"},

 	{0x0370, ".BlueScreen"},

+	{0x0377, ".ListBy"},

 	{0x0378, ".SubDir"},

 	{0x0388, ".HorizontalPos"},

 	{0x0389, ".HorizontalFrom"},

@@ -687,6 +743,7 @@ void output_token73 (uint16_t token)

 	{0x039a, ".Strikethrough"},

 	{0x039b, ".Face"},

 	{0x039d, ".NativePictureFormat"},

+	{0x039e, ".FileSize"},

 	{0x03a2, ".LineType"},

 	{0x03a4, ".DisplayIcon"},

 	{0x03a8, ".IconFilename"},