@@ -1,3 +1,8 @@

+Thu Sep 14 09:12:03 BST 2006 (trog)

+-----------------------------------

+  * libclamav/unrar/unrar.c, unrar20.c, unrarppm.c: improve handling of

+		corrupted files.

+

 Thu Sep 14 00:35:56 CEST 2006 (acab)

 ------------------------------------

   * docs: Added preliminary documentation related to Edvin phishing module.

@@ -395,7 +395,10 @@ int unp_read_buf(int fd, unpack_data_t *unpack_data)

 unsigned int rar_get_char(int fd, unpack_data_t *unpack_data)

 {

 	if (unpack_data->in_addr > MAX_BUF_SIZE-30) {

-		unp_read_buf(fd, unpack_data);

+		if (!unp_read_buf(fd, unpack_data)) {

+			cli_errmsg("rar_get_char: unp_read_buf FAILED\n");

+			return -1;

+		}

 	}

 	rar_dbgmsg("rar_get_char = %u\n", unpack_data->in_buf[unpack_data->in_addr]);

 	return(unpack_data->in_buf[unpack_data->in_addr++]);

@@ -1100,7 +1103,7 @@ static int rar_unpack29(int fd, int solid, unpack_data_t *unpack_data)

 	unsigned char sddecode[]={0,4,8,16,32,64,128,192};

 	unsigned char sdbits[]=  {2,2,3, 4, 5, 6,  6,  6};

 	unsigned int bits, distance;

-	int i, number, length, dist_number, low_dist, ch, next_ch;

+	int retval=TRUE, i, number, length, dist_number, low_dist, ch, next_ch;

 	int length_number, failed;

 	cli_dbgmsg("Offset: %ld\n", lseek(fd, 0, SEEK_CUR));

@@ -1124,6 +1127,7 @@ static int rar_unpack29(int fd, int solid, unpack_data_t *unpack_data)

 		rar_dbgmsg("UnpPtr = %d\n", unpack_data->unp_ptr);

 		if (unpack_data->in_addr > unpack_data->read_border) {

 			if (!unp_read_buf(fd, unpack_data)) {

+				retval = FALSE;

 				break;

 			}

 		}

@@ -1135,6 +1139,7 @@ static int rar_unpack29(int fd, int solid, unpack_data_t *unpack_data)

 			ch = ppm_decode_char(&unpack_data->ppm_data, fd, unpack_data);

 			rar_dbgmsg("PPM char: %d\n", ch);

 			if (ch == -1) {

+				retval = FALSE;

 				unpack_data->ppm_error = TRUE;

 				break;

 			}

@@ -1142,8 +1147,14 @@ static int rar_unpack29(int fd, int solid, unpack_data_t *unpack_data)

 				next_ch = ppm_decode_char(&unpack_data->ppm_data,

 							fd, unpack_data);

 				rar_dbgmsg("PPM next char: %d\n", next_ch);

+				if (next_ch == -1) {

+					retval = FALSE;

+					unpack_data->ppm_error = TRUE;

+					break;

+				}

 				if (next_ch == 0) {

 					if (!read_tables(fd, unpack_data)) {

+						retval = FALSE;

 						break;

 					}

 					continue;

@@ -1153,6 +1164,7 @@ static int rar_unpack29(int fd, int solid, unpack_data_t *unpack_data)

 				}

 				if (next_ch == 3) {

 					if (!read_vm_code_PPM(unpack_data, fd)) {

+						retval = FALSE;

 						break;

 					}

 					continue;

@@ -1176,6 +1188,7 @@ static int rar_unpack29(int fd, int solid, unpack_data_t *unpack_data)

 						}

 					}

 					if (failed) {

+						retval = FALSE;

 						break;

 					}

 					copy_string(unpack_data, length+32, distance+2);

@@ -1186,6 +1199,7 @@ static int rar_unpack29(int fd, int solid, unpack_data_t *unpack_data)

 								fd, unpack_data);

 					rar_dbgmsg("PPM length: %d\n", length);

 					if (length == -1) {

+						retval = FALSE;

 						break;

 					}

 					copy_string(unpack_data, length+4, 1);

@@ -1252,12 +1266,14 @@ static int rar_unpack29(int fd, int solid, unpack_data_t *unpack_data)

 			}

 			if (number == 256) {

 				if (!read_end_of_block(fd, unpack_data)) {

+					retval = FALSE;

 					break;

 				}

 				continue;

 			}

 			if (number == 257) {

 				if (!read_vm_code(unpack_data, fd)) {

+					retval = FALSE;

 					break;

 				}

 				continue;

@@ -1302,10 +1318,11 @@ static int rar_unpack29(int fd, int solid, unpack_data_t *unpack_data)

 		}

 	}

-	unp_write_buf(unpack_data);

+	if (retval) {

+		unp_write_buf(unpack_data);

+	}

 	cli_dbgmsg("Finished length: %ld\n", unpack_data->written_size);

-	/*cli_writen(unpack_data->ofd, unpack_data->window, unpack_data->unp_ptr);*/

-	return TRUE;

+	return retval;

 }

 static int rar_unpack(int fd, int method, int solid, unpack_data_t *unpack_data)

@@ -1323,7 +1340,7 @@ static int rar_unpack(int fd, int method, int solid, unpack_data_t *unpack_data)

 		retval = rar_unpack29(fd, solid, unpack_data);

 		break;

 	default:

-		printf("ERROR: Unknown pack method: %d\n", method);

+		cli_errmsg("ERROR: Unknown RAR pack method: %d\n", method);

 		break;

 	}

 	return retval;

@@ -1332,7 +1349,7 @@ static int rar_unpack(int fd, int method, int solid, unpack_data_t *unpack_data)

 rar_metadata_t *cli_unrar(int fd, const char *dirname, const struct cl_limits *limits)

 {

 	main_header_t *main_hdr;

-	int ofd;

+	int ofd, retval;

 	unsigned long file_count=1;

 	file_header_t *file_header;

 	unsigned char filename[1024];

@@ -1450,18 +1467,19 @@ rar_metadata_t *cli_unrar(int fd, const char *dirname, const struct cl_limits *l

 			}

 			unpack_data->ofd = ofd;

 			if (file_header->method == 0x30) {

+				cli_dbgmsg("Copying stored file (not packed)\n");

 				copy_file_data(fd, ofd, file_header->pack_size);

 			} else {

 				unpack_data->dest_unp_size = file_header->unpack_size;

 				if (file_header->unpack_ver <= 15) {

-					rar_unpack(fd, 15, (file_count>1) &&

+					retval = rar_unpack(fd, 15, (file_count>1) &&

 						((main_hdr->flags&MHD_SOLID)!=0), unpack_data);

 				} else {

 					if ((file_count == 1) && (file_header->flags & LHD_SOLID)) {

 						cli_warnmsg("RAR: First file can't be SOLID.\n");

 						break;

 					} else {

-						rar_unpack(fd, file_header->unpack_ver,

+						retval = rar_unpack(fd, file_header->unpack_ver,

 							file_header->flags & LHD_SOLID,	unpack_data);

 					}

 				}

@@ -1472,6 +1490,13 @@ rar_metadata_t *cli_unrar(int fd, const char *dirname, const struct cl_limits *l

 						cli_warnmsg("RAR CRC error. Please report the bug at https://bugs.clamav.net/\n");

 					}

 				}

+				if (!retval) {

+					cli_dbgmsg("Corrupt file detected\n");

+					if (file_header->flags & LHD_SOLID) {

+						cli_dbgmsg("SOLID archive, can't continue\n");

+						break;

+					}

+				}

 			}

 			close(ofd);

@@ -285,7 +285,7 @@ int rar_unpack20(int fd, int solid, unpack_data_t *unpack_data)

 	unsigned char sddecode[]={0,4,8,16,32,64,128,192};

 	unsigned char sdbits[]={2,2,3,4,5,6,6,6};

 	unsigned int bits, distance;

-	int audio_number, number, length, dist_number, length_number;

+	int retval=TRUE, audio_number, number, length, dist_number, length_number;

 	rar_dbgmsg("in rar_unpack20\n");

@@ -321,6 +321,7 @@ int rar_unpack20(int fd, int solid, unpack_data_t *unpack_data)

 				(struct Decode *)&unpack_data->MD[unpack_data->unp_cur_channel]);

 			if (audio_number == 256) {

 				if (!read_tables20(fd, unpack_data)) {

+					retval = FALSE;

 					break;

 				}

 				continue;

@@ -366,6 +367,7 @@ int rar_unpack20(int fd, int solid, unpack_data_t *unpack_data)

 		}

 		if (number == 269) {

 			if (!read_tables20(fd, unpack_data)) {

+				retval = FALSE;

 				break;

 			}

 			continue;

@@ -404,7 +406,9 @@ int rar_unpack20(int fd, int solid, unpack_data_t *unpack_data)

 			continue;

 		}

 	}

-	read_last_tables(fd, unpack_data);

-	unp_write_buf_old(unpack_data);

-	return TRUE;

+	if (retval) {

+		read_last_tables(fd, unpack_data);

+		unp_write_buf_old(unpack_data);

+	}

+	return retval;

 }

@@ -162,7 +162,7 @@ static void rar_mem_blk_insertAt(rar_mem_blk_t *a, rar_mem_blk_t *p)

 	p->next = a->next->prev = a;

 }

-static void rar_mem_blk_remove(rar_mem_blk_t *a)

+static int rar_mem_blk_remove(rar_mem_blk_t *a)

 {

 	a->prev->next = a->next;

 	a->next->prev = a->prev;

@@ -390,7 +390,7 @@ static int restart_model_rare(ppm_data_t *ppm_data)

 		(struct ppm_context *) sub_allocator_alloc_context(&ppm_data->sub_alloc);

 	if(!ppm_data->min_context) {

 	    cli_errmsg("unrar: restart_model_rare: sub_allocator_alloc_context failed\n");

-	    return -1;

+	    return FALSE;

 	}

 	ppm_data->min_context->suffix = NULL;

 	ppm_data->order_fall = ppm_data->max_order;

@@ -399,7 +399,7 @@ static int restart_model_rare(ppm_data_t *ppm_data)

 		(struct state_tag *)sub_allocator_alloc_units(&ppm_data->sub_alloc, 256/2);

 	if(!ppm_data->found_state) {

 	    cli_errmsg("unrar: restart_model_rare: sub_allocator_alloc_units failed\n");

-	    return -1;

+	    return FALSE;

 	}

 	for (ppm_data->run_length = ppm_data->init_rl, ppm_data->prev_success=i=0; i < 256 ; i++) {

 		ppm_data->min_context->con_ut.u.stats[i].symbol = i;

@@ -420,7 +420,7 @@ static int restart_model_rare(ppm_data_t *ppm_data)

 		}

 	}

-	return 0;

+	return TRUE;

 }

 static int start_model_rare(ppm_data_t *ppm_data, int max_order)

@@ -430,9 +430,9 @@ static int start_model_rare(ppm_data_t *ppm_data, int max_order)

 	ppm_data->esc_count = 1;

 	ppm_data->max_order = max_order;

-	if((ret = restart_model_rare(ppm_data))) {

+	if (!restart_model_rare(ppm_data)) {

 	    cli_dbgmsg("unrar: start_model_rare: restart_model_rare failed\n");

-	    return ret;

+	    return FALSE;

 	}

 	ppm_data->ns2bsindx[0] = 2*0;

@@ -454,7 +454,7 @@ static int start_model_rare(ppm_data_t *ppm_data, int max_order)

 	memset(ppm_data->hb2flag, 0, 0x40);

 	memset(ppm_data->hb2flag+0x40, 0x08, 0x100-0x40);

 	ppm_data->dummy_sse2cont.shift = PERIOD_BITS;

-	return 0;

+	return TRUE;

 }

@@ -650,7 +650,7 @@ static int update_model(ppm_data_t *ppm_data)

 		if (!ppm_data->min_context) {

 			goto RESTART_MODEL;

 		}

-		return 0;

+		return TRUE;

 	}

 	*ppm_data->sub_alloc.ptext++ = fs.symbol;

 	successor = (struct ppm_context *) ppm_data->sub_alloc.ptext;

@@ -712,15 +712,15 @@ static int update_model(ppm_data_t *ppm_data)

 		pc->num_stats = ++ns1;

 	}

 	ppm_data->max_context = ppm_data->min_context = fs.successor;

-	return 0;

+	return TRUE;

 RESTART_MODEL:

-	if((ret = restart_model_rare(ppm_data))) {

+	if (!restart_model_rare(ppm_data)) {

 	    cli_dbgmsg("unrar: update_model: restart_model_rare: failed\n");

-	    return ret;

+	    return FALSE;

 	}

 	ppm_data->esc_count = 0;

-	return 0;

+	return TRUE;

 }

 static void update1(ppm_data_t *ppm_data, struct state_tag *p, struct ppm_context *context)

@@ -951,7 +951,7 @@ int ppm_decode_init(ppm_data_t *ppm_data, int fd, unpack_data_t *unpack_data, in

 		    sub_allocator_stop_sub_allocator(&ppm_data->sub_alloc);

 		    return FALSE;

 		}

-		if(start_model_rare(ppm_data, max_order) < 0) {

+		if (!start_model_rare(ppm_data, max_order)) {

 		    sub_allocator_stop_sub_allocator(&ppm_data->sub_alloc);

 		    return FALSE;

 		}

@@ -963,7 +963,7 @@ int ppm_decode_init(ppm_data_t *ppm_data, int fd, unpack_data_t *unpack_data, in

 int ppm_decode_char(ppm_data_t *ppm_data, int fd, unpack_data_t *unpack_data)

 {

 	int symbol;

-	

+

 	if ((uint8_t *) ppm_data->min_context <= ppm_data->sub_alloc.ptext ||

 			(uint8_t *)ppm_data->min_context > ppm_data->sub_alloc.heap_end) {

 		return -1;

@@ -999,7 +999,7 @@ int ppm_decode_char(ppm_data_t *ppm_data, int fd, unpack_data_t *unpack_data)

 	if (!ppm_data->order_fall && (uint8_t *) ppm_data->found_state->successor > ppm_data->sub_alloc.ptext) {

 		ppm_data->min_context = ppm_data->max_context = ppm_data->found_state->successor;

 	} else {

-		if(update_model(ppm_data)) {

+		if(!update_model(ppm_data)) {

 		    cli_dbgmsg("unrar: ppm_decode_char: update_model failed\n");

 		    return -1;

 		}