@@ -1,3 +1,8 @@

+Tue May  8 15:31:51 CEST 2012 (acab)

+------------------------------------

+ * libclamav: detect read races and abort the scan with an error

+	      (bb#4669)

+

 Tue Apr 10 17:04:20 CEST 2012 (tk)

 ----------------------------------

  * libclamav/pe.c: drop old header check (bb#4699)

@@ -706,7 +706,7 @@ int cache_check(unsigned char *hash, cli_ctx *ctx) {

 	void *buf;

 	size_t readme = todo < FILEBUFF ? todo : FILEBUFF;

 	if(!(buf = fmap_need_off_once(map, at, readme)))

-	    return CL_VIRUS;

+	    return CL_EREAD;

 	todo -= readme;

 	at += readme;

 	cli_md5_update(&md5, buf, readme);

@@ -1965,7 +1965,7 @@ static void emax_reached(cli_ctx *ctx) {

 static int magic_scandesc(int desc, cli_ctx *ctx, cli_file_t type)

 {

-	int ret = CL_CLEAN;

+	int ret = CL_CLEAN, res;

 	cli_file_t dettype = 0;

 	struct stat sb;

 	uint8_t typercg = 1;

@@ -2038,10 +2038,11 @@ static int magic_scandesc(int desc, cli_ctx *ctx, cli_file_t type)

 	}

     }

-    if(cache_check(hash, ctx) == CL_CLEAN) {

+    res = cache_check(hash, ctx);

+    if(res != CL_VIRUS) {

 	funmap(*ctx->fmap);

 	ctx->fmap--;

-	ret_from_magicscan(CL_CLEAN);

+	ret_from_magicscan(res);

     }

     hashed_size = (*ctx->fmap)->len;

     old_hook_lsig_matches = ctx->hook_lsig_matches;

@@ -2358,8 +2359,12 @@ static int magic_scandesc(int desc, cli_ctx *ctx, cli_file_t type)

     /* CL_TYPE_HTML: raw HTML files are not scanned, unless safety measure activated via DCONF */

     if(type != CL_TYPE_IGNORED && (type != CL_TYPE_HTML || !(DCONF_DOC & DOC_CONF_HTML_SKIPRAW)) && !ctx->engine->sdb) {

-	if(cli_scanraw(ctx, type, typercg, &dettype, hash) == CL_VIRUS) {

-	    ret =  cli_checkfp(hash, hashed_size, ctx);

+	res = cli_scanraw(ctx, type, typercg, &dettype, hash);

+	if(res != CL_CLEAN) {

+	    if(res == CL_VIRUS)

+		ret =  cli_checkfp(hash, hashed_size, ctx);

+	    else

+		ret = res;

 	    funmap(*ctx->fmap);

 	    ctx->fmap--;

 	    cli_bitset_free(ctx->hook_lsig_matches);