@@ -1,3 +1,8 @@

+Wed Nov 26 12:22:55 CET 2008 (tk)

+---------------------------------

+ * libclamav/special.c: respect recursion limits in cli_check_jpeg_exploit()

+			(bb#1266)

+

 Tue Nov 25 21:51:30 CET 2008 (tk)

 ---------------------------------

  * freshclam/manager.c: in non-dns mode use date from cvd header instead of

@@ -1334,13 +1334,13 @@ static int cli_scanriff(int desc, const char **virname)

     return ret;

 }

-static int cli_scanjpeg(int desc, const char **virname)

+static int cli_scanjpeg(int desc, cli_ctx *ctx)

 {

 	int ret = CL_CLEAN;

-    if(cli_check_jpeg_exploit(desc) == 1) {

+    if(cli_check_jpeg_exploit(desc, ctx) == 1) {

 	ret = CL_VIRUS;

-	*virname = "Exploit.W32.MS04-028";

+	*ctx->virname = "Exploit.W32.MS04-028";

     }

     return ret;

@@ -2020,7 +2020,7 @@ int cli_magic_scandesc(int desc, cli_ctx *ctx)

 	case CL_TYPE_GRAPHICS:

 	    if(SCAN_ALGO && (DCONF_OTHER & OTHER_CONF_JPEG))

-		ret = cli_scanjpeg(desc, ctx->virname);

+		ret = cli_scanjpeg(desc, ctx);

 	    break;

         case CL_TYPE_PDF: /* FIXMELIMITS: pdf should be an archive! */

@@ -85,7 +85,7 @@ int cli_check_mydoom_log(int desc, const char **virname)

     return retval;

 }

-static int jpeg_check_photoshop_8bim(int fd)

+static int jpeg_check_photoshop_8bim(int fd, cli_ctx *ctx)

 {

 	unsigned char bim[5];

 	uint16_t id, ntmp;

@@ -140,7 +140,7 @@ static int jpeg_check_photoshop_8bim(int fd)

 	/* Jump past header */

 	lseek(fd, 28, SEEK_CUR);

-	retval = cli_check_jpeg_exploit(fd);

+	retval = cli_check_jpeg_exploit(fd, ctx);

 	if (retval == 1) {

 		cli_dbgmsg("Exploit found in thumbnail\n");

 	}

@@ -149,7 +149,7 @@ static int jpeg_check_photoshop_8bim(int fd)

 	return retval;

 }

-static int jpeg_check_photoshop(int fd)

+static int jpeg_check_photoshop(int fd, cli_ctx *ctx)

 {

 	int retval;

 	unsigned char buffer[14];

@@ -166,7 +166,7 @@ static int jpeg_check_photoshop(int fd)

 	cli_dbgmsg("Found Photoshop segment\n");

 	do {

 		old = lseek(fd, 0, SEEK_CUR);

-		retval = jpeg_check_photoshop_8bim(fd);

+		retval = jpeg_check_photoshop_8bim(fd, ctx);

 		new = lseek(fd, 0, SEEK_CUR);

 		if(new <= old)

 			break;

@@ -178,7 +178,7 @@ static int jpeg_check_photoshop(int fd)

 	return retval;

 }

-int cli_check_jpeg_exploit(int fd)

+int cli_check_jpeg_exploit(int fd, cli_ctx *ctx)

 {

 	unsigned char buffer[4];

 	off_t offset;

@@ -186,6 +186,8 @@ int cli_check_jpeg_exploit(int fd)

 	cli_dbgmsg("in cli_check_jpeg_exploit()\n");

+	if(ctx->recursion > ctx->limits->maxreclevel)

+	    return CL_EMAXREC;

 	if (cli_readn(fd, buffer, 2) != 2) {

 		return 0;

@@ -229,9 +231,11 @@ int cli_check_jpeg_exploit(int fd)

 		if (buffer[1] == 0xed) {

 			/* Possible Photoshop file */

-			if ((retval=jpeg_check_photoshop(fd)) != 0) {

+			ctx->recursion++;

+			retval=jpeg_check_photoshop(fd, ctx);

+			ctx->recursion--;

+			if (retval != 0)

 				return retval;

-			}

 		}

 		if (lseek(fd, offset, SEEK_SET) != offset) {

@@ -21,8 +21,10 @@

 #ifndef __SPECIAL_H

 #define __SPECIAL_H

+#include "others.h"

+

 int cli_check_mydoom_log(int desc, const char **virname);

-int cli_check_jpeg_exploit(int fd);

+int cli_check_jpeg_exploit(int fd, cli_ctx *ctx);

 int cli_check_riff_exploit(int fd);

 #endif