Browse code
better processing of data blocks (bb#559)
| ... | ... |
@@ -1,3 +1,8 @@ |
| 1 |
+Tue Jul 10 22:11:11 CEST 2007 (tk) |
|
| 2 |
+---------------------------------- |
|
| 3 |
+ * libclamav/ole2_extract.c: better processing of data blocks (bb#559) |
|
| 4 |
+ Reported by Victor Stinner, patch from Trog |
|
| 5 |
+ |
|
| 1 | 6 |
Tue Jul 10 22:02:15 CEST 2007 (tk) |
| 2 | 7 |
---------------------------------- |
| 3 | 8 |
* libclamav/unrar/unrarvm.c: fix possible crash with corrupted archives (bb#555) |
| ... | ... |
@@ -102,6 +102,7 @@ typedef struct ole2_header_tag |
| 102 | 102 |
unsigned char *m_area; |
| 103 | 103 |
off_t m_length; |
| 104 | 104 |
bitset_t *bitset; |
| 105 |
+ uint32_t max_block_no; |
|
| 105 | 106 |
} ole2_header_t; |
| 106 | 107 |
|
| 107 | 108 |
typedef struct property_tag |
| ... | ... |
@@ -647,6 +648,13 @@ static int handler_writefile(int fd, ole2_header_t *hdr, property_t *prop, const |
| 647 | 647 |
return FALSE; |
| 648 | 648 |
} |
| 649 | 649 |
while((current_block >= 0) && (len > 0)) {
|
| 650 |
+ if (current_block > hdr->max_block_no) {
|
|
| 651 |
+ cli_dbgmsg("OLE2: Max block number for file size exceeded: %d\n", current_block);
|
|
| 652 |
+ close(ofd); |
|
| 653 |
+ free(buff); |
|
| 654 |
+ cli_bitset_free(blk_bitset); |
|
| 655 |
+ return FALSE; |
|
| 656 |
+ } |
|
| 650 | 657 |
/* Check we aren't in a loop */ |
| 651 | 658 |
if (cli_bitset_test(blk_bitset, (unsigned long) current_block)) {
|
| 652 | 659 |
/* Loop in block list */ |
| ... | ... |
@@ -781,15 +789,16 @@ int cli_ole2_extract(int fd, const char *dirname, const struct cl_limits *limits |
| 781 | 781 |
|
| 782 | 782 |
/* size of header - size of other values in struct */ |
| 783 | 783 |
hdr_size = sizeof(struct ole2_header_tag) - sizeof(int32_t) - |
| 784 |
- sizeof(unsigned char *) - sizeof(off_t) - sizeof(bitset_t *); |
|
| 784 |
+ sizeof(unsigned char *) - sizeof(off_t) - sizeof(bitset_t *) - |
|
| 785 |
+ sizeof(uint32_t); |
|
| 785 | 786 |
|
| 786 | 787 |
hdr.m_area = NULL; |
| 787 | 788 |
|
| 788 |
-#ifdef HAVE_MMAP |
|
| 789 | 789 |
if (fstat(fd, &statbuf) == 0) {
|
| 790 | 790 |
if (statbuf.st_size < hdr_size) {
|
| 791 | 791 |
return 0; |
| 792 | 792 |
} |
| 793 |
+#ifdef HAVE_MMAP |
|
| 793 | 794 |
hdr.m_length = statbuf.st_size; |
| 794 | 795 |
hdr.m_area = (unsigned char *) mmap(NULL, hdr.m_length, PROT_READ, MAP_PRIVATE, fd, 0); |
| 795 | 796 |
if (hdr.m_area == MAP_FAILED) {
|
| ... | ... |
@@ -798,8 +807,8 @@ int cli_ole2_extract(int fd, const char *dirname, const struct cl_limits *limits |
| 798 | 798 |
cli_dbgmsg("mmap'ed file\n");
|
| 799 | 799 |
memcpy(&hdr, hdr.m_area, hdr_size); |
| 800 | 800 |
} |
| 801 |
- } |
|
| 802 | 801 |
#endif |
| 802 |
+ } |
|
| 803 | 803 |
|
| 804 | 804 |
if (hdr.m_area == NULL) {
|
| 805 | 805 |
#if defined(HAVE_ATTRIB_PACKED) || defined(HAVE_PRAGMA_PACK) || defined(HAVE_PRAGMA_PACK_HPPA) |
| ... | ... |
@@ -827,6 +836,8 @@ int cli_ole2_extract(int fd, const char *dirname, const struct cl_limits *limits |
| 827 | 827 |
hdr.xbat_count = ole2_endian_convert_32(hdr.xbat_count); |
| 828 | 828 |
|
| 829 | 829 |
hdr.sbat_root_start = -1; |
| 830 |
+ /* 8 SBAT blocks per file block */ |
|
| 831 |
+ hdr.max_block_no = ((statbuf.st_size / hdr.log2_big_block_size) + 1) * 8; |
|
| 830 | 832 |
|
| 831 | 833 |
hdr.bitset = cli_bitset_init(); |
| 832 | 834 |
if (!hdr.bitset) {
|
| ... | ... |
@@ -858,6 +869,7 @@ int cli_ole2_extract(int fd, const char *dirname, const struct cl_limits *limits |
| 858 | 858 |
} |
| 859 | 859 |
|
| 860 | 860 |
print_ole2_header(&hdr); |
| 861 |
+ cli_dbgmsg("Max block number: %lu\n", hdr.max_block_no);
|
|
| 861 | 862 |
|
| 862 | 863 |
/* NOTE: Select only ONE of the following two methods */ |
| 863 | 864 |
|