@@ -853,6 +853,16 @@ int recvloop_th(int *socketds, unsigned nsockets, struct cl_engine *engine, unsi

     val = cl_engine_get_num(engine, CL_ENGINE_MAX_ZIPTYPERCG, NULL);

     logg("Limits: MaxZipTypeRcg limit set to %llu bytes.\n", val);

+    if((opt = optget(opts, "MaxPartitions"))->active) {

+        if((ret = cl_engine_set_num(engine, CL_ENGINE_MAX_PARTITIONS, opt->numarg))) {

+            logg("!cli_engine_set_num(MaxPartitions) failed: %s\n", cl_strerror(ret));

+            cl_engine_free(engine);

+            return 1;

+        }

+    }

+    val = cl_engine_get_num(engine, CL_ENGINE_MAX_PARTITIONS, NULL);

+    logg("Limits: MaxPartitions limit set to %llu.\n", val);

+

     if(optget(opts, "ScanArchive")->enabled) {

 	logg("Archive support enabled.\n");

 	options |= CL_SCAN_ARCHIVE;

@@ -952,6 +962,11 @@ int recvloop_th(int *socketds, unsigned nsockets, struct cl_engine *engine, unsi

 	}

     }

+    if(optget(opts,"PartitionIntersection")->enabled) {

+        options |= CL_SCAN_PARTITION_INTXN;

+        logg("Raw DMG: Always checking for partitons intersections\n");

+    }

+

     if(optget(opts,"HeuristicScanPrecedence")->enabled) {

 	    options |= CL_SCAN_HEURISTIC_PRECEDENCE;

 	    logg("Heuristic: precedence enabled\n");

@@ -823,6 +823,14 @@ int scanmanager(const struct optstruct *opts)

 	}

     }

+    if((opt = optget(opts, "max-partitions"))->active) {

+	if((ret = cl_engine_set_num(engine, CL_ENGINE_MAX_PARTITIONS, opt->numarg))) {

+	    logg("!cli_engine_set_num(CL_ENGINE_MAX_PARTITIONS) failed: %s\n", cl_strerror(ret));

+	    cl_engine_free(engine);

+	    return 2;

+	}

+    }

+

     /* set scan options */

     if(optget(opts, "allmatch")->enabled)

 	options |= CL_SCAN_ALLMATCHES;

@@ -833,6 +841,9 @@ int scanmanager(const struct optstruct *opts)

     if(optget(opts,"phishing-cloak")->enabled)

 	options |= CL_SCAN_PHISHING_BLOCKCLOAK;

+    if(optget(opts,"partition-intersection")->enabled)

+	options |= CL_SCAN_PARTITION_INTXN;

+

     if(optget(opts,"heuristic-scan-precedence")->enabled)

 	options |= CL_SCAN_HEURISTIC_PRECEDENCE;

@@ -150,6 +150,7 @@ typedef enum {

 #define CL_SCAN_BLOCKMACROS		0x100000

 #define CL_SCAN_ALLMATCHES		0x200000

 #define CL_SCAN_SWF			0x400000

+#define CL_SCAN_PARTITION_INTXN         0x800000

 #define CL_SCAN_PERFORMANCE_INFO        0x40000000 /* collect performance timings */

 #define CL_SCAN_INTERNAL_COLLECT_SHA    0x80000000 /* Enables hash output in sha-collect builds - for internal use only */

@@ -204,7 +205,8 @@ enum cl_engine_field {

     CL_ENGINE_MAX_ZIPTYPERCG,       /* uint64_t */

     CL_ENGINE_FORCETODISK,          /* uint32_t */

     CL_ENGINE_DISABLE_CACHE,        /* uint32_t */

-    CL_ENGINE_DISABLE_PE_STATS      /* uint32_t */

+    CL_ENGINE_DISABLE_PE_STATS,     /* uint32_t */

+    CL_ENGINE_MAX_PARTITIONS        /* uint32_t */

 };

 enum bytecode_security {

@@ -410,6 +410,9 @@ struct cl_engine *cl_engine_new(void)

     new->cb_stats_get_size = clamav_stats_get_size;

     new->cb_stats_get_hostid = clamav_stats_get_hostid;

+    /* Setup raw dmg max settings */

+    new->maxpartitions = 50;

+

     cli_dbgmsg("Initialized %s engine\n", cl_retver());

     return new;

 }

@@ -542,6 +545,9 @@ int cl_engine_set_num(struct cl_engine *engine, enum cl_engine_field field, long

             engine->engine_options &= ~(ENGINE_OPTIONS_DISABLE_PE_STATS);

         }

         break;

+    case CL_ENGINE_MAX_PARTITIONS:

+        engine->maxpartitions = (uint32_t)num;

+        break;

 	default:

 	    cli_errmsg("cl_engine_set_num: Incorrect field number\n");

 	    return CL_EARG;

@@ -609,6 +615,8 @@ long long cl_engine_get_num(const struct cl_engine *engine, enum cl_engine_field

 	    return engine->bytecode_mode;

     case CL_ENGINE_DISABLE_CACHE:

         return engine->engine_options & ENGINE_OPTIONS_DISABLE_CACHE;

+    case CL_ENGINE_MAX_PARTITIONS:

+        return engine->maxpartitions;

 	default:

 	    cli_errmsg("cl_engine_get: Incorrect field number\n");

 	    if(err)

@@ -715,6 +723,8 @@ struct cl_settings *cl_engine_settings_copy(const struct cl_engine *engine)

     settings->cb_stats_get_size = engine->cb_stats_get_size;

     settings->cb_stats_get_hostid = engine->cb_stats_get_hostid;

+    settings->maxpartitions = engine->maxpartitions;

+

     return settings;

 }

@@ -785,6 +795,8 @@ int cl_engine_settings_apply(struct cl_engine *engine, const struct cl_settings

     engine->cb_stats_get_size = settings->cb_stats_get_size;

     engine->cb_stats_get_hostid = settings->cb_stats_get_hostid;

+    engine->maxpartitions = settings->maxpartitions;

+

     return CL_SUCCESS;

 }

@@ -327,6 +327,9 @@ struct cl_engine {

     clcb_stats_get_num cb_stats_get_num;

     clcb_stats_get_size cb_stats_get_size;

     clcb_stats_get_hostid cb_stats_get_hostid;

+

+    /* Raw dmg max settings */

+    uint32_t maxpartitions;

 };

 struct cl_settings {

@@ -378,6 +381,9 @@ struct cl_settings {

     clcb_stats_get_num cb_stats_get_num;

     clcb_stats_get_size cb_stats_get_size;

     clcb_stats_get_hostid cb_stats_get_hostid;

+

+    /* Raw dmg max settings */

+    uint32_t maxpartitions;

 };

 extern int (*cli_unrar_open)(int fd, const char *dirname, unrar_state_t *state);

new file mode 100644

@@ -0,0 +1,103 @@

+/*

+ *  Copyright (C) 2014 Sourcefire, Inc.

+ *

+ *  Authors: Kevin Lin <klin@sourcefire.com>

+ *

+ *  This program is free software; you can redistribute it and/or modify

+ *  it under the terms of the GNU General Public License version 2 as

+ *  published by the Free Software Foundation.

+ *

+ *  This program is distributed in the hope that it will be useful,

+ *  but WITHOUT ANY WARRANTY; without even the implied warranty of

+ *  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the

+ *  GNU General Public License for more details.

+ *

+ *  You should have received a copy of the GNU General Public License

+ *  along with this program; if not, write to the Free Software

+ *  Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston,

+ *  MA 02110-1301, USA.

+ */

+

+#if HAVE_CONFIG_H

+#include "clamav-config.h"

+#endif

+

+#include "cltypes.h"

+#include "others.h"

+#include "prtn_intxn.h"

+

+static int prtn_intxn_list_is_empty(prtn_intxn_list_t* list)

+{

+    return (list->Head == NULL);

+}

+

+int prtn_intxn_list_init(prtn_intxn_list_t* list)

+{

+    list->Head = NULL;

+    list->Size = 0;

+    return CL_SUCCESS;

+}

+

+int prtn_intxn_list_check(prtn_intxn_list_t* list, unsigned *pitxn, off_t start, size_t size)

+{

+    prtn_intxn_node_t *new_node, *check_node;

+    int ret = CL_CLEAN;

+

+    *pitxn = list->Size;

+

+    check_node = list->Head;

+    while (check_node != NULL) {

+        (*pitxn)--;

+

+        if (start > check_node->Start) {

+            if (check_node->Start+check_node->Size > start) {

+                ret = CL_VIRUS;

+                break;

+            }

+        }

+        else if (start < check_node->Start) {

+            if (start+size > check_node->Start) {

+                ret = CL_VIRUS;

+                break;

+            }

+        }

+        else {

+            ret = CL_VIRUS;

+            break;

+        }

+

+        check_node = check_node->Next;

+    }

+

+    /* allocate new node for partition bounds */

+    new_node = (prtn_intxn_node_t *) cli_malloc(sizeof(prtn_intxn_node_t));

+    if (!new_node) {

+        cli_dbgmsg("PRTN_INTXN: could not allocate new node for checklist!\n");

+        prtn_intxn_list_free(list);

+        return CL_EMEM;

+    }

+

+    new_node->Start = start;

+    new_node->Size = size;

+    new_node->Next = list->Head;

+

+    list->Head = new_node;

+    (list->Size)++;

+    return ret;

+}

+

+int prtn_intxn_list_free(prtn_intxn_list_t* list)

+{

+    prtn_intxn_node_t *next = NULL;

+

+    while (!prtn_intxn_list_is_empty(list)) {

+        next = list->Head->Next;

+

+        free(list->Head);

+

+        list->Head = next;

+        list->Size--;

+    }

+

+    return CL_SUCCESS;

+}

new file mode 100644

@@ -0,0 +1,47 @@

+/*

+ *  Copyright (C) 2014 Sourcefire, Inc.

+ *

+ *  Authors: Kevin Lin <klin@sourcefire.com>

+ *

+ *  This program is free software; you can redistribute it and/or modify

+ *  it under the terms of the GNU General Public License version 2 as

+ *  published by the Free Software Foundation.

+ *

+ *  This program is distributed in the hope that it will be useful,

+ *  but WITHOUT ANY WARRANTY; without even the implied warranty of

+ *  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the

+ *  GNU General Public License for more details.

+ *

+ *  You should have received a copy of the GNU General Public License

+ *  along with this program; if not, write to the Free Software

+ *  Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston,

+ *  MA 02110-1301, USA.

+ */

+

+#ifndef __PRTN_INTXN_H

+#define __PRTN_INTXN_H

+

+#if HAVE_CONFIG_H

+#include "clamav-config.h"

+#endif

+

+#include "cltypes.h"

+#include "others.h"

+

+struct prtn_intxn_node;

+typedef struct prtn_intxn_node {

+    off_t Start;

+    size_t Size;

+    struct prtn_intxn_node *Next;

+} prtn_intxn_node_t;

+

+typedef struct prtn_intxn_list {

+    struct prtn_intxn_node *Head;

+    size_t Size; /* for debug */

+} prtn_intxn_list_t;

+

+int prtn_intxn_list_init(prtn_intxn_list_t *list);

+int prtn_intxn_list_check(prtn_intxn_list_t *list, unsigned *pitxn, off_t start, size_t size);

+int prtn_intxn_list_free(prtn_intxn_list_t *list);

+

+#endif

@@ -319,6 +319,8 @@ const struct clam_option __clam_options[] = {

     { "PhishingAlwaysBlockSSLMismatch", "phishing-ssl", 0, TYPE_BOOL, MATCH_BOOL, 0, NULL, 0, OPT_CLAMD | OPT_CLAMSCAN, "Always block SSL mismatches in URLs, even if they're not in the database.\nThis feature can lead to false positives.", "" },

+    { "PartitionIntersection", "partition-intersection", 0, TYPE_BOOL, MATCH_BOOL, 0, NULL, 0, OPT_CLAMD | OPT_CLAMSCAN, "Detect partition intersections in raw dmgs using heuristics.", "yes" },

+

     { "HeuristicScanPrecedence", "heuristic-scan-precedence", 0, TYPE_BOOL, MATCH_BOOL, 0, NULL, 0, OPT_CLAMD | OPT_CLAMSCAN, "Allow heuristic match to take precedence.\nWhen enabled, if a heuristic scan (such as phishingScan) detects\na possible virus/phish it will stop scan immediately. Recommended, saves CPU\nscan-time.\nWhen disabled, virus/phish detected by heuristic scans will be reported only\nat the end of a scan. If an archive contains both a heuristically detected\nvirus/phish, and a real malware, the real malware will be reported.\nKeep this disabled if you intend to handle \"*.Heuristics.*\" viruses\ndifferently from \"real\" malware.\nIf a non-heuristically-detected virus (signature-based) is found first,\nthe scan is interrupted immediately, regardless of this config option.", "yes" },

     { "StructuredDataDetection", "detect-structured", 0, TYPE_BOOL, MATCH_BOOL, 0, NULL, 0, OPT_CLAMD | OPT_CLAMSCAN, "Enable the Data Loss Prevention module.", "no" },

@@ -366,6 +368,8 @@ const struct clam_option __clam_options[] = {

     { "MaxZipTypeRcg", "max-ziptypercg", 0, TYPE_SIZE, MATCH_SIZE, CLI_DEFAULT_MAXZIPTYPERCG, NULL, 0, OPT_CLAMD | OPT_CLAMSCAN, "This option sets the maximum size of a ZIP file to reanalyze type recognition.\nZIP files larger than this value will skip the step to potentially reanalyze as PE.\nNegative values are not allowed.\nWARNING: setting this limit too high may result in severe damage or impact performance.", "1M" },

+    { "MaxPartitions", "max-partitions", 0, TYPE_NUMBER, MATCH_NUMBER, 50, NULL, 0, OPT_CLAMD | OPT_CLAMSCAN, "This option sets the maximum number of partitions of a raw DMG to be scanned.\nRaw DMGs with more partitions than this value will have up to the value number partitions scanned.\nNegative values are not allowed.\nWARNING: setting this limit too high may result in severe damage or impact performance.", "128" },

+

     /* OnAccess settings */

     { "ScanOnAccess", NULL, 0, TYPE_BOOL, MATCH_BOOL, -1, NULL, 0, OPT_CLAMD, "This option enables on-access scanning (Linux only)", "no" },