git-svn: trunk@3128
Tomasz Kojm authored on 2007/07/11 06:14:09... | ... |
@@ -1,3 +1,8 @@ |
1 |
+Tue Jul 10 22:11:11 CEST 2007 (tk) |
|
2 |
+---------------------------------- |
|
3 |
+ * libclamav/ole2_extract.c: better processing of data blocks (bb#559) |
|
4 |
+ Reported by Victor Stinner, patch from Trog |
|
5 |
+ |
|
1 | 6 |
Tue Jul 10 22:02:15 CEST 2007 (tk) |
2 | 7 |
---------------------------------- |
3 | 8 |
* libclamav/unrar/unrarvm.c: fix possible crash with corrupted archives (bb#555) |
... | ... |
@@ -102,6 +102,7 @@ typedef struct ole2_header_tag |
102 | 102 |
unsigned char *m_area; |
103 | 103 |
off_t m_length; |
104 | 104 |
bitset_t *bitset; |
105 |
+ uint32_t max_block_no; |
|
105 | 106 |
} ole2_header_t; |
106 | 107 |
|
107 | 108 |
typedef struct property_tag |
... | ... |
@@ -647,6 +648,13 @@ static int handler_writefile(int fd, ole2_header_t *hdr, property_t *prop, const |
647 | 647 |
return FALSE; |
648 | 648 |
} |
649 | 649 |
while((current_block >= 0) && (len > 0)) { |
650 |
+ if (current_block > hdr->max_block_no) { |
|
651 |
+ cli_dbgmsg("OLE2: Max block number for file size exceeded: %d\n", current_block); |
|
652 |
+ close(ofd); |
|
653 |
+ free(buff); |
|
654 |
+ cli_bitset_free(blk_bitset); |
|
655 |
+ return FALSE; |
|
656 |
+ } |
|
650 | 657 |
/* Check we aren't in a loop */ |
651 | 658 |
if (cli_bitset_test(blk_bitset, (unsigned long) current_block)) { |
652 | 659 |
/* Loop in block list */ |
... | ... |
@@ -781,15 +789,16 @@ int cli_ole2_extract(int fd, const char *dirname, const struct cl_limits *limits |
781 | 781 |
|
782 | 782 |
/* size of header - size of other values in struct */ |
783 | 783 |
hdr_size = sizeof(struct ole2_header_tag) - sizeof(int32_t) - |
784 |
- sizeof(unsigned char *) - sizeof(off_t) - sizeof(bitset_t *); |
|
784 |
+ sizeof(unsigned char *) - sizeof(off_t) - sizeof(bitset_t *) - |
|
785 |
+ sizeof(uint32_t); |
|
785 | 786 |
|
786 | 787 |
hdr.m_area = NULL; |
787 | 788 |
|
788 |
-#ifdef HAVE_MMAP |
|
789 | 789 |
if (fstat(fd, &statbuf) == 0) { |
790 | 790 |
if (statbuf.st_size < hdr_size) { |
791 | 791 |
return 0; |
792 | 792 |
} |
793 |
+#ifdef HAVE_MMAP |
|
793 | 794 |
hdr.m_length = statbuf.st_size; |
794 | 795 |
hdr.m_area = (unsigned char *) mmap(NULL, hdr.m_length, PROT_READ, MAP_PRIVATE, fd, 0); |
795 | 796 |
if (hdr.m_area == MAP_FAILED) { |
... | ... |
@@ -798,8 +807,8 @@ int cli_ole2_extract(int fd, const char *dirname, const struct cl_limits *limits |
798 | 798 |
cli_dbgmsg("mmap'ed file\n"); |
799 | 799 |
memcpy(&hdr, hdr.m_area, hdr_size); |
800 | 800 |
} |
801 |
- } |
|
802 | 801 |
#endif |
802 |
+ } |
|
803 | 803 |
|
804 | 804 |
if (hdr.m_area == NULL) { |
805 | 805 |
#if defined(HAVE_ATTRIB_PACKED) || defined(HAVE_PRAGMA_PACK) || defined(HAVE_PRAGMA_PACK_HPPA) |
... | ... |
@@ -827,6 +836,8 @@ int cli_ole2_extract(int fd, const char *dirname, const struct cl_limits *limits |
827 | 827 |
hdr.xbat_count = ole2_endian_convert_32(hdr.xbat_count); |
828 | 828 |
|
829 | 829 |
hdr.sbat_root_start = -1; |
830 |
+ /* 8 SBAT blocks per file block */ |
|
831 |
+ hdr.max_block_no = ((statbuf.st_size / hdr.log2_big_block_size) + 1) * 8; |
|
830 | 832 |
|
831 | 833 |
hdr.bitset = cli_bitset_init(); |
832 | 834 |
if (!hdr.bitset) { |
... | ... |
@@ -858,6 +869,7 @@ int cli_ole2_extract(int fd, const char *dirname, const struct cl_limits *limits |
858 | 858 |
} |
859 | 859 |
|
860 | 860 |
print_ole2_header(&hdr); |
861 |
+ cli_dbgmsg("Max block number: %lu\n", hdr.max_block_no); |
|
861 | 862 |
|
862 | 863 |
/* NOTE: Select only ONE of the following two methods */ |
863 | 864 |
|