git-svn-id: file:///var/lib/svn/clamav-devel/branches/clamav-0.94@4478 77e5149b-7576-45b1-b177-96237e5ba77b
Tomasz Kojm authored on 2008/11/26 20:21:49... | ... |
@@ -1,3 +1,8 @@ |
1 |
+Wed Nov 26 12:22:55 CET 2008 (tk) |
|
2 |
+--------------------------------- |
|
3 |
+ * libclamav/special.c: respect recursion limits in cli_check_jpeg_exploit() |
|
4 |
+ (bb#1266) |
|
5 |
+ |
|
1 | 6 |
Tue Nov 25 21:51:30 CET 2008 (tk) |
2 | 7 |
--------------------------------- |
3 | 8 |
* freshclam/manager.c: in non-dns mode use date from cvd header instead of |
... | ... |
@@ -1334,13 +1334,13 @@ static int cli_scanriff(int desc, const char **virname) |
1334 | 1334 |
return ret; |
1335 | 1335 |
} |
1336 | 1336 |
|
1337 |
-static int cli_scanjpeg(int desc, const char **virname) |
|
1337 |
+static int cli_scanjpeg(int desc, cli_ctx *ctx) |
|
1338 | 1338 |
{ |
1339 | 1339 |
int ret = CL_CLEAN; |
1340 | 1340 |
|
1341 |
- if(cli_check_jpeg_exploit(desc) == 1) { |
|
1341 |
+ if(cli_check_jpeg_exploit(desc, ctx) == 1) { |
|
1342 | 1342 |
ret = CL_VIRUS; |
1343 |
- *virname = "Exploit.W32.MS04-028"; |
|
1343 |
+ *ctx->virname = "Exploit.W32.MS04-028"; |
|
1344 | 1344 |
} |
1345 | 1345 |
|
1346 | 1346 |
return ret; |
... | ... |
@@ -2020,7 +2020,7 @@ int cli_magic_scandesc(int desc, cli_ctx *ctx) |
2020 | 2020 |
|
2021 | 2021 |
case CL_TYPE_GRAPHICS: |
2022 | 2022 |
if(SCAN_ALGO && (DCONF_OTHER & OTHER_CONF_JPEG)) |
2023 |
- ret = cli_scanjpeg(desc, ctx->virname); |
|
2023 |
+ ret = cli_scanjpeg(desc, ctx); |
|
2024 | 2024 |
break; |
2025 | 2025 |
|
2026 | 2026 |
case CL_TYPE_PDF: /* FIXMELIMITS: pdf should be an archive! */ |
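Review bot: In cli_scanjpeg() the result of `cli_check_jpeg_exploit(desc, ctx)` is still compared only with 1, so the CL_EMAXREC that this commit introduces is folded into CL_CLEAN. The caller in cli_magic_scandesc() then cannot tell a JPEG that was skipped because of the limit from one that was fully checked. If reporting clean on a limit hit is intended, say so next to the comparison, e.g. `/* CL_EMAXREC from cli_check_jpeg_exploit() is deliberately reported as CL_CLEAN */`. Otherwise keep the return value in a local and hand limit codes back to the caller instead of dropping them.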
... | ... |
@@ -85,7 +85,7 @@ int cli_check_mydoom_log(int desc, const char **virname) |
85 | 85 |
return retval; |
86 | 86 |
} |
87 | 87 |
|
88 |
-static int jpeg_check_photoshop_8bim(int fd) |
|
88 |
+static int jpeg_check_photoshop_8bim(int fd, cli_ctx *ctx) |
|
89 | 89 |
{ |
90 | 90 |
unsigned char bim[5]; |
91 | 91 |
uint16_t id, ntmp; |
... | ... |
@@ -140,7 +140,7 @@ static int jpeg_check_photoshop_8bim(int fd) |
140 | 140 |
/* Jump past header */ |
141 | 141 |
lseek(fd, 28, SEEK_CUR); |
142 | 142 |
|
143 |
- retval = cli_check_jpeg_exploit(fd); |
|
143 |
+ retval = cli_check_jpeg_exploit(fd, ctx); |
|
144 | 144 |
if (retval == 1) { |
145 | 145 |
cli_dbgmsg("Exploit found in thumbnail\n"); |
146 | 146 |
} |
... | ... |
@@ -149,7 +149,7 @@ static int jpeg_check_photoshop_8bim(int fd) |
149 | 149 |
return retval; |
150 | 150 |
} |
151 | 151 |
|
152 |
-static int jpeg_check_photoshop(int fd) |
|
152 |
+static int jpeg_check_photoshop(int fd, cli_ctx *ctx) |
|
153 | 153 |
{ |
154 | 154 |
int retval; |
155 | 155 |
unsigned char buffer[14]; |
... | ... |
@@ -166,7 +166,7 @@ static int jpeg_check_photoshop(int fd) |
166 | 166 |
cli_dbgmsg("Found Photoshop segment\n"); |
167 | 167 |
do { |
168 | 168 |
old = lseek(fd, 0, SEEK_CUR); |
169 |
- retval = jpeg_check_photoshop_8bim(fd); |
|
169 |
+ retval = jpeg_check_photoshop_8bim(fd, ctx); |
|
170 | 170 |
new = lseek(fd, 0, SEEK_CUR); |
171 | 171 |
if(new <= old) |
172 | 172 |
break; |
... | ... |
@@ -178,7 +178,7 @@ static int jpeg_check_photoshop(int fd) |
178 | 178 |
return retval; |
179 | 179 |
} |
180 | 180 |
|
181 |
-int cli_check_jpeg_exploit(int fd) |
|
181 |
+int cli_check_jpeg_exploit(int fd, cli_ctx *ctx) |
|
182 | 182 |
{ |
183 | 183 |
unsigned char buffer[4]; |
184 | 184 |
off_t offset; |
... | ... |
@@ -186,6 +186,8 @@ int cli_check_jpeg_exploit(int fd) |
186 | 186 |
|
187 | 187 |
|
188 | 188 |
cli_dbgmsg("in cli_check_jpeg_exploit()\n"); |
189 |
+ if(ctx->recursion > ctx->limits->maxreclevel) |
|
190 |
+ return CL_EMAXREC; |
|
189 | 191 |
|
190 | 192 |
if (cli_readn(fd, buffer, 2) != 2) { |
191 | 193 |
return 0; |
... | ... |
@@ -229,9 +231,11 @@ int cli_check_jpeg_exploit(int fd) |
229 | 229 |
|
230 | 230 |
if (buffer[1] == 0xed) { |
231 | 231 |
/* Possible Photoshop file */ |
232 |
- if ((retval=jpeg_check_photoshop(fd)) != 0) { |
|
232 |
+ ctx->recursion++; |
|
233 |
+ retval=jpeg_check_photoshop(fd, ctx); |
|
234 |
+ ctx->recursion--; |
|
235 |
+ if (retval != 0) |
|
233 | 236 |
return retval; |
234 |
- } |
|
235 | 237 |
} |
236 | 238 |
|
237 | 239 |
if (lseek(fd, offset, SEEK_SET) != offset) { |
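Review bot: The new guard at the top of cli_check_jpeg_exploit() returns CL_EMAXREC silently, so a nested Photoshop thumbnail that is skipped because of the limit leaves no trace in the debug output. Add `cli_dbgmsg("cli_check_jpeg_exploit: recursion limit exceeded\n");` before `return CL_EMAXREC;`, with braces around the two statements. The function now mixes its own 0/1 results with a CL_* code, which deserves a short comment above the definition listing the possible return values. The guard also dereferences `ctx->limits` unconditionally; presumably every caller passes a context with limits set, but that is not visible in these hunks. The function body starts and ends outside the hunks shown.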
... | ... |
@@ -21,8 +21,10 @@ |
21 | 21 |
#ifndef __SPECIAL_H |
22 | 22 |
#define __SPECIAL_H |
23 | 23 |
|
24 |
+#include "others.h" |
|
25 |
+ |
|
24 | 26 |
int cli_check_mydoom_log(int desc, const char **virname); |
25 |
-int cli_check_jpeg_exploit(int fd); |
|
27 |
+int cli_check_jpeg_exploit(int fd, cli_ctx *ctx); |
|
26 | 28 |
int cli_check_riff_exploit(int fd); |
27 | 29 |
|
28 | 30 |
#endif |