git-svn: trunk@3066
Nigel Horne authored on 2007/05/26 20:11:02... | ... |
@@ -1,3 +1,7 @@ |
1 |
+Sat May 26 11:34:19 BST 2007 (njh) |
|
2 |
+---------------------------------- |
|
3 |
+ * libclamav/pdf.c: Fix OOM, pointed out by TK |
|
4 |
+ |
|
1 | 5 |
Sat May 26 12:45:00 EEST 2007 (edwin) |
2 | 6 |
---------------------------------- |
3 | 7 |
* libclamav/regex_list.c: cli_realloc() for matcher->root_hosts |
... | ... |
@@ -78,7 +78,7 @@ cli_pdf(const char *dir, int desc, const cli_ctx *ctx) |
78 | 78 |
const char *xrefstart; /* cross reference table */ |
79 | 79 |
/*size_t xreflength;*/ |
80 | 80 |
int rc = CL_CLEAN; |
81 |
- struct table *md5table; |
|
81 |
+ table_t *md5table; |
|
82 | 82 |
int printed_predictor_message; |
83 | 83 |
int printed_embedded_font_message; |
84 | 84 |
struct stat statb; |
... | ... |
@@ -88,7 +88,7 @@ cli_pdf(const char *dir, int desc, const cli_ctx *ctx) |
88 | 88 |
if(fstat(desc, &statb) < 0) |
89 | 89 |
return CL_EOPEN; |
90 | 90 |
|
91 |
- size = (size_t)statb.st_size; |
|
91 |
+ size = statb.st_size; |
|
92 | 92 |
|
93 | 93 |
if(size == 0) |
94 | 94 |
return CL_CLEAN; |
... | ... |
@@ -216,7 +216,7 @@ cli_pdf(const char *dir, int desc, const cli_ctx *ctx) |
216 | 216 |
/*int object_number, generation_number;*/ |
217 | 217 |
const char *objstart, *objend, *streamstart, *streamend; |
218 | 218 |
char *md5digest; |
219 |
- size_t length, objlen, real_streamlen, calculated_streamlen; |
|
219 |
+ unsigned long length, objlen, real_streamlen, calculated_streamlen; |
|
220 | 220 |
int is_embedded_font, predictor; |
221 | 221 |
char fullname[NAME_MAX + 1]; |
222 | 222 |
|
... | ... |
@@ -262,7 +262,7 @@ cli_pdf(const char *dir, int desc, const cli_ctx *ctx) |
262 | 262 |
} |
263 | 263 |
bytesleft -= (objend - p) + 6; |
264 | 264 |
p = &objend[6]; |
265 |
- objlen = (size_t)(objend - objstart); |
|
265 |
+ objlen = (unsigned long)(objend - objstart); |
|
266 | 266 |
|
267 | 267 |
/* Is this object a stream? */ |
268 | 268 |
streamstart = cli_pmemstr(objstart, objlen, "stream", 6); |
... | ... |
@@ -294,11 +294,11 @@ cli_pdf(const char *dir, int desc, const cli_ctx *ctx) |
294 | 294 |
char b[14]; |
295 | 295 |
|
296 | 296 |
q += 4; |
297 |
- cli_dbgmsg("Length is in indirect obj %d\n", |
|
297 |
+ cli_dbgmsg("Length is in indirect obj %ld\n", |
|
298 | 298 |
length); |
299 | 299 |
snprintf(b, sizeof(b), |
300 |
- "\n%d 0 obj", length); |
|
301 |
- length = strlen(b); |
|
300 |
+ "\n%ld 0 obj", length); |
|
301 |
+ length = (unsigned long)strlen(b); |
|
302 | 302 |
r = cli_pmemstr(alloced ? alloced : buf, |
303 | 303 |
size, b, length); |
304 | 304 |
if(r == NULL) { |
... | ... |
@@ -313,7 +313,7 @@ cli_pdf(const char *dir, int desc, const cli_ctx *ctx) |
313 | 313 |
length = atoi(r); |
314 | 314 |
while(isdigit(*r)) |
315 | 315 |
r++; |
316 |
- cli_dbgmsg("length in '%s' %d\n", |
|
316 |
+ cli_dbgmsg("length in '%s' %ld\n", |
|
317 | 317 |
&b[1], |
318 | 318 |
length); |
319 | 319 |
} |
... | ... |
@@ -434,7 +434,7 @@ cli_pdf(const char *dir, int desc, const cli_ctx *ctx) |
434 | 434 |
if(calculated_streamlen != real_streamlen) |
435 | 435 |
cli_dbgmsg("cli_pdf: Incorrect Length field in file attempting to recover\n"); |
436 | 436 |
|
437 |
- cli_dbgmsg("length %d, calculated_streamlen %d isFlate %d isASCII85 %d\n", |
|
437 |
+ cli_dbgmsg("length %ld, calculated_streamlen %ld isFlate %d isASCII85 %d\n", |
|
438 | 438 |
length, calculated_streamlen, |
439 | 439 |
is_flatedecode, is_ascii85decode); |
440 | 440 |
|
... | ... |
@@ -466,10 +466,20 @@ cli_pdf(const char *dir, int desc, const cli_ctx *ctx) |
466 | 466 |
continue; |
467 | 467 |
} |
468 | 468 |
if(ret) { |
469 |
- real_streamlen = (size_t)ret; |
|
469 |
+ char *t; |
|
470 |
+ |
|
471 |
+ real_streamlen = ret; |
|
470 | 472 |
/* free unused trailing bytes */ |
471 |
- tmpbuf = cli_realloc(tmpbuf, |
|
473 |
+ t = cli_realloc(tmpbuf, |
|
472 | 474 |
calculated_streamlen); |
475 |
+ if(t == NULL) { |
|
476 |
+ free(tmpbuf); |
|
477 |
+ close(fout); |
|
478 |
+ unlink(fullname); |
|
479 |
+ rc = CL_EMEM; |
|
480 |
+ continue; |
|
481 |
+ } |
|
482 |
+ tmpbuf = t; |
|
473 | 483 |
/* |
474 | 484 |
* Note that it will probably be both |
475 | 485 |
* ascii85encoded and flateencoded |
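Review bot: `length` and `calculated_streamlen` are now `unsigned long`, but the updated format strings in the -294, -313 and -434 hunks print them with `%ld`; the matching conversion is `%lu`, e.g. `"\n%lu 0 obj"`, `"length in '%s' %lu\n"` and `"length %lu, calculated_streamlen %lu isFlate %d isASCII85 %d\n"`. In the -294 hunk the same value builds the search pattern in `char b[14]`, which has room for only six digits beside `"\n"`, `" 0 obj"` and the terminator. A larger number taken from the file is silently cut by `snprintf`, and `cli_pmemstr` then searches for a shortened pattern; comparing the `snprintf` return with `sizeof(b)` and skipping the object on overflow would make that case explicit. In the -466 hunk the new `free(tmpbuf)` on the failure path suggests the old block is still valid when `cli_realloc` returns NULL, so a failed shrink could keep `tmpbuf` (`if(t) tmpbuf = t;`) and still write out and scan the stream instead of discarding it with `CL_EMEM`. cli_pdf starts and ends outside these hunks, so how `rc` is handled after the `continue` cannot be checked from here.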