@@ -267,7 +267,8 @@ cli_file_t cli_filetype2(fmap_t *map, const struct cl_engine *engine, cli_file_t

             const unsigned char * znamep = buff;

             int32_t zlen = bread;

             int lhc = 0;

-            int zi;

+            int zi, likely_ooxml = 0;

+            cli_file_t ret2;

             for (zi=0; zi<32; zi++) {

                 znamep = (const unsigned char *)cli_memstr((const char *)znamep, zlen, lhdr_magic, 4);

@@ -284,9 +285,34 @@ cli_file_t cli_filetype2(fmap_t *map, const struct cl_engine *engine, cli_file_t

                         } else if (0 == memcmp(znamep, "word/", 5)) {

                             cli_dbgmsg("Recognized OOXML Word file\n");

                             return CL_TYPE_OOXML_WORD;

+                        } else if (0 == memcmp(znamep, "docProps/", 5)) {

+                            likely_ooxml = 1;

+                        }

+

+                        if (++lhc > 2) {

+                            /* only check first three zip headers unless likely ooxml */

+                            if (likely_ooxml) {

+                                cli_dbgmsg("Likely OOXML, checking additional zip headers\n");

+                                if ((ret2 = cli_ooxml_filetype(NULL, map)) != CL_SUCCESS) {

+                                    /* either an error or retyping has occurred, return error or just CL_TYPE_ZIP? */

+                                    switch (ret2) {

+                                    case CL_TYPE_OOXML_XL:

+                                        cli_dbgmsg("Recognized OOXML XL file\n");

+                                        break;

+                                    case CL_TYPE_OOXML_PPT:

+                                        cli_dbgmsg("Recognized OOXML PPT file\n");

+                                        break;

+                                    case CL_TYPE_OOXML_WORD:

+                                        cli_dbgmsg("Recognized OOXML WORD file\n");

+                                        break;

+                                    default:

+                                        cli_dbgmsg("unexpected ooxml_filetype return: %i\n", ret2);

+                                    }

+                                    return ret2;

+                                }

+                            }

+                            break;

                         }

-                        if (++lhc > 2)

-                            break; /* only check first three zip headers */

                     }

                     else {

                         znamep = NULL; /* force to map more */

@@ -482,7 +482,7 @@ static int ooxml_content_cb(int fd, cli_ctx *ctx)

         if (!xmlStrcmp(CT, (const xmlChar *)"application/vnd.openxmlformats-package.core-properties+xml")) {

             if (!core) {

                 /* default: /docProps/core.xml*/

-                tmp = unzip_search(ctx, (const char *)(PN+1), xmlStrlen(PN)-1, &loff);

+                tmp = unzip_search_single(ctx, (const char *)(PN+1), xmlStrlen(PN)-1, &loff);

                 if (tmp == CL_ETIMEOUT) {

                     ret = tmp;

                 }

@@ -500,7 +500,7 @@ static int ooxml_content_cb(int fd, cli_ctx *ctx)

         else if (!xmlStrcmp(CT, (const xmlChar *)"application/vnd.openxmlformats-officedocument.extended-properties+xml")) {

             if (!extn) {

                 /* default: /docProps/app.xml */

-                tmp = unzip_search(ctx, (const char *)(PN+1), xmlStrlen(PN)-1, &loff);

+                tmp = unzip_search_single(ctx, (const char *)(PN+1), xmlStrlen(PN)-1, &loff);

                 if (tmp == CL_ETIMEOUT) {

                     ret = tmp;

                 }

@@ -518,7 +518,7 @@ static int ooxml_content_cb(int fd, cli_ctx *ctx)

         else if (!xmlStrcmp(CT, (const xmlChar *)"application/vnd.openxmlformats-officedocument.custom-properties+xml")) {

             if (!cust) {

                 /* default: /docProps/custom.xml */

-                tmp = unzip_search(ctx, (const char *)(PN+1), xmlStrlen(PN)-1, &loff);

+                tmp = unzip_search_single(ctx, (const char *)(PN+1), xmlStrlen(PN)-1, &loff);

                 if (tmp == CL_ETIMEOUT) {

                     ret = tmp;

                 }

@@ -573,6 +573,39 @@ static int ooxml_content_cb(int fd, cli_ctx *ctx)

 }

 #endif /* HAVE_LIBXML2 && HAVE_JSON */

+int cli_ooxml_filetype(cli_ctx *ctx, fmap_t *map)

+{

+    struct zip_requests requests;

+    int ret;

+

+    memset(&requests, 0, sizeof(struct zip_requests));

+

+    if ((ret = unzip_search_add(&requests, "xl/", 3)) != CL_SUCCESS) {

+        return CL_SUCCESS;

+    }

+    if ((ret = unzip_search_add(&requests, "ppt/", 4)) != CL_SUCCESS) {

+        return CL_SUCCESS;

+    }

+    if ((ret = unzip_search_add(&requests, "word/", 5)) != CL_SUCCESS) {

+        return CL_SUCCESS;

+    }

+

+    if ((ret = unzip_search(ctx, map, &requests)) == CL_VIRUS) {

+        switch (requests.found) {

+        case 0:

+            return CL_TYPE_OOXML_XL;

+        case 1:

+            return CL_TYPE_OOXML_PPT;

+        case 2:

+            return CL_TYPE_OOXML_WORD;

+        default:

+            return CL_SUCCESS;

+        }

+    }

+

+    return CL_SUCCESS;

+}

+

 int cli_process_ooxml(cli_ctx *ctx)

 {

 #if HAVE_LIBXML2 && HAVE_JSON

@@ -585,7 +618,7 @@ int cli_process_ooxml(cli_ctx *ctx)

     }

     /* find "[Content Types].xml" */

-    tmp = unzip_search(ctx, "[Content_Types].xml", 18, &loff);

+    tmp = unzip_search_single(ctx, "[Content_Types].xml", 18, &loff);

     if (tmp == CL_ETIMEOUT) {

         return CL_ETIMEOUT;

     }

@@ -26,6 +26,7 @@

 #endif

 #include "others.h"

+int cli_ooxml_filetype(cli_ctx *, fmap_t *);

 int cli_process_ooxml(cli_ctx *);

 #endif

@@ -53,14 +53,6 @@

 #define UNZIP_PRIVATE

 #include "unzip.h"

-typedef struct zip_request {

-    const char *name;

-    size_t namelen;

-    uint32_t loff;

-

-    int found;

-} zip_request_t;

-

 static int wrap_inflateinit2(void *a, int b) {

   return inflateInit2(a, b);

 }

@@ -427,7 +419,7 @@ static unsigned int lhdr(fmap_t *map, uint32_t loff,uint32_t zsize, unsigned int

   return zip-lh;

 }

-static unsigned int chdr(fmap_t *map, uint32_t coff, uint32_t zsize, unsigned int *fu, unsigned int fc, int *ret, cli_ctx *ctx, char *tmpd, zip_request_t *request) {

+static unsigned int chdr(fmap_t *map, uint32_t coff, uint32_t zsize, unsigned int *fu, unsigned int fc, int *ret, cli_ctx *ctx, char *tmpd, struct zip_requests *requests) {

   char name[256];

   int last = 0;

   const uint8_t *ch;

@@ -447,7 +439,7 @@ static unsigned int chdr(fmap_t *map, uint32_t coff, uint32_t zsize, unsigned in

   }

   name[0]='\0';

-  if((cli_debug_flag && !last) || request) {

+  if((cli_debug_flag && !last) || requests) {

       unsigned int size = (CH_flen>=sizeof(name))?sizeof(name)-1:CH_flen;

       const char *src = fmap_need_off_once(map, coff, size);

       if(src) {

@@ -470,16 +462,26 @@ static unsigned int chdr(fmap_t *map, uint32_t coff, uint32_t zsize, unsigned in

   }

   coff+=CH_clen;

-  if (!request) {

+  if (!requests) {

       if(CH_off<zsize-SIZEOF_LH) {

           lhdr(map, CH_off, zsize-CH_off, fu, fc, ch, ret, ctx, tmpd, 1, zip_scan_cb);

       } else cli_dbgmsg("cli_unzip: ch - local hdr out of file\n");

   }

   else {

-      size_t len = MIN(sizeof(name)-1, request->namelen);

-      if (!last && !strncmp(request->name, name, len)) {

-          request->found = 1;

-          request->loff = CH_off;

+      int i;

+      size_t len;

+

+      if (!last) {

+          for (i = 0; i < requests->namecnt; ++i) {

+              cli_dbgmsg("checking for %i: %s\n", i, requests->names[i]);

+

+              len = MIN(sizeof(name)-1, requests->namelens[i]);      

+              if (!strncmp(requests->names[i], name, len)) {

+                  requests->match = 1;

+                  requests->found = i;

+                  requests->loff = CH_off;

+              }

+          }

       }

   }

@@ -603,27 +605,46 @@ int cli_unzip_single(cli_ctx *ctx, off_t lhoffl) {

     return unzip_single_internal(ctx, lhoffl, zip_scan_cb);

 }

-int unzip_search(cli_ctx *ctx, const char *name, size_t nlen, uint32_t *loff)

+int unzip_search_add(struct zip_requests *requests, const char *name, size_t nlen)

+{

+    cli_dbgmsg("in unzip_search_add\n");

+

+    if (requests->namecnt >= MAX_ZIP_REQUESTS) {

+        cli_dbgmsg("DEBUGGING MESSAGE GOES HERE!\n");

+        return CL_BREAK;

+    }

+

+    cli_dbgmsg("unzip_search_add: adding %s (len %llu)\n", name, (long long unsigned)nlen);

+

+    requests->names[requests->namecnt] = name;

+    requests->namelens[requests->namecnt] = nlen;

+    requests->namecnt++;

+

+    return CL_SUCCESS;

+}

+

+int unzip_search(cli_ctx *ctx, fmap_t *map, struct zip_requests *requests)

 {

     unsigned int fc = 0;

-    fmap_t *map;

+    fmap_t *zmap = map;

     size_t fsize;

     uint32_t coff = 0;

     const char *ptr;

-    zip_request_t request; 

     int ret = CL_CLEAN;

 #if HAVE_JSON

     uint32_t toval = 0;

 #endif

-

     cli_dbgmsg("in unzip_search\n");

-    if (!ctx) {

+

+    if ((!ctx && !map) || !requests) {

         return CL_ENULLARG;

     }

-    map = *ctx->fmap;

-    fsize = map->len;

-    if(sizeof(off_t)!=sizeof(uint32_t) && fsize!=map->len) {

+    /* get priority to given map over *ctx->fmap */

+    if (ctx && !map)

+        zmap = *ctx->fmap;

+    fsize = zmap->len;

+    if(sizeof(off_t)!=sizeof(uint32_t) && fsize!=zmap->len) {

         cli_dbgmsg("unzip_search: file too big\n");

         return CL_CLEAN;

     }

@@ -633,7 +654,7 @@ int unzip_search(cli_ctx *ctx, const char *name, size_t nlen, uint32_t *loff)

     }

     for(coff=fsize-22 ; coff>0 ; coff--) { /* sizeof(EOC)==22 */

-        if(!(ptr = fmap_need_off_once(map, coff, 20)))

+        if(!(ptr = fmap_need_off_once(zmap, coff, 20)))

             continue;

         if(cli_readint32(ptr)==0x06054b50) {

             uint32_t chptr = cli_readint32(&ptr[16]);

@@ -643,25 +664,20 @@ int unzip_search(cli_ctx *ctx, const char *name, size_t nlen, uint32_t *loff)

         }

     }

-    request.name = name;

-    request.namelen = nlen;

-    request.found = 0;

-

     if(coff) {

         cli_dbgmsg("unzip_search: central @%x\n", coff);

-        while(ret==CL_CLEAN && (coff=chdr(map, coff, fsize, NULL, fc+1, &ret, ctx, NULL, &request))) {

-            if (request.found) {

-                *loff = request.loff;

+        while(ret==CL_CLEAN && (coff=chdr(zmap, coff, fsize, NULL, fc+1, &ret, ctx, NULL, requests))) {

+            if (requests->match) {

                 return CL_VIRUS;

             }

             fc++;

-            if (ctx->engine->maxfiles && fc >= ctx->engine->maxfiles) {

+            if (ctx && ctx->engine->maxfiles && fc >= ctx->engine->maxfiles) {

                 cli_dbgmsg("cli_unzip: Files limit reached (max: %u)\n", ctx->engine->maxfiles);

                 ret=CL_EMAXFILES;

             }

 #if HAVE_JSON

-            if (cli_json_timeout_cycle_check(ctx, (int *)(&toval)) != CL_SUCCESS) {

+            if (ctx && cli_json_timeout_cycle_check(ctx, (int *)(&toval)) != CL_SUCCESS) {

                 return CL_ETIMEOUT;

             }

 #endif

@@ -673,3 +689,26 @@ int unzip_search(cli_ctx *ctx, const char *name, size_t nlen, uint32_t *loff)

     return ret;

 }

+int unzip_search_single(cli_ctx *ctx, const char *name, size_t nlen, uint32_t *loff)

+{

+    struct zip_requests requests;

+    int ret;

+

+    cli_dbgmsg("in unzip_search_single\n");

+    if (!ctx) {

+        return CL_ENULLARG;

+    }

+

+    memset(&requests, 0, sizeof(struct zip_requests));

+

+    if ((ret = unzip_search_add(&requests, name, nlen)) != CL_SUCCESS) {

+        return ret;

+    }

+

+    if ((ret = unzip_search(ctx, NULL, &requests)) == CL_VIRUS) {

+        *loff = requests.loff;

+    }

+

+    return ret;

+}

+

@@ -25,15 +25,30 @@

 #include "clamav-config.h"

 #endif

+#include "others.h"

+

 typedef int (*zip_cb)(int fd, cli_ctx *ctx);

 #define zip_scan_cb cli_magic_scandesc

-#include "others.h"

+#define MAX_ZIP_REQUESTS 10

+struct zip_requests {

+    const char *names[MAX_ZIP_REQUESTS];

+    size_t namelens[MAX_ZIP_REQUESTS];

+    int namecnt;

+

+    uint32_t loff;

+    int found, match;

+};

+

 int cli_unzip(cli_ctx *);

 int cli_unzip_single_internal(cli_ctx *, off_t, zip_cb);

-int unzip_single_internal(cli_ctx *ctx, off_t lhoffl, zip_cb zcb);

+int unzip_single_internal(cli_ctx *, off_t, zip_cb);

 int cli_unzip_single(cli_ctx *, off_t);

-int unzip_search(cli_ctx *, const char *, size_t, uint32_t *);

+

+int unzip_search_add(struct zip_requests *, const char *, size_t);

+int unzip_search(cli_ctx *, fmap_t *, struct zip_requests *);

+int unzip_search_single(cli_ctx *, const char *, size_t, uint32_t *);

+

 #ifdef UNZIP_PRIVATE

 #define F_ENCR  (1<<0)