Browse code
Wed Jun 2 10:53:51 BST 2004 (trog) ----------------------------------- * libclamav/vba_extract.c: Fix bug parsing VBA Project file (thanks to Chris Masters for sample) * libclamav/ole2_extract.c: Check length of mmap area before using it.
git-svn-id: file:///var/lib/svn/clamav-devel/trunk/clamav-devel@589 77e5149b-7576-45b1-b177-96237e5ba77b
Trog authored on 2004/06/02 18:55:30Showing 3 changed files
| ... | ... |
@@ -1,3 +1,9 @@ |
| 1 |
+Wed Jun 2 10:53:51 BST 2004 (trog) |
|
| 2 |
+----------------------------------- |
|
| 3 |
+ * libclamav/vba_extract.c: Fix bug parsing VBA Project file |
|
| 4 |
+ (thanks to Chris Masters for sample) |
|
| 5 |
+ * libclamav/ole2_extract.c: Check length of mmap area before using it. |
|
| 6 |
+ |
|
| 1 | 7 |
Wed Jun 2 02:30:34 CEST 2004 (tk) |
| 2 | 8 |
---------------------------------- |
| 3 | 9 |
* libclamav: support MS cabinet files (test/test.cab). Based on libmspack. |
| ... | ... |
@@ -707,6 +707,9 @@ int cli_ole2_extract(int fd, const char *dirname) |
| 707 | 707 |
|
| 708 | 708 |
#ifdef HAVE_MMAP |
| 709 | 709 |
if (fstat(fd, &statbuf) == 0) {
|
| 710 |
+ if (statbuf.st_size < hdr_size) {
|
|
| 711 |
+ return 0; |
|
| 712 |
+ } |
|
| 710 | 713 |
hdr.m_length = statbuf.st_size; |
| 711 | 714 |
hdr.m_area = (unsigned char *) mmap(NULL, hdr.m_length, PROT_READ, MAP_PRIVATE, fd, 0); |
| 712 | 715 |
if (hdr.m_area == MAP_FAILED) {
|
| ... | ... |
@@ -245,7 +245,7 @@ static int vba_read_project_strings(int fd, int is_mac) |
| 245 | 245 |
} |
| 246 | 246 |
free(name); |
| 247 | 247 |
offset = lseek(fd, 0, SEEK_CUR); |
| 248 |
- cli_dbgmsg("offset: %d\n", offset);
|
|
| 248 |
+ cli_dbgmsg("offset: %u\n", offset);
|
|
| 249 | 249 |
vba56_test_middle(fd); |
| 250 | 250 |
} |
| 251 | 251 |
return TRUE; |
| ... | ... |
@@ -259,7 +259,7 @@ vba_project_t *vba56_dir_read(const char *dir) |
| 259 | 259 |
unsigned char vba56_signature[] = { 0xcc, 0x61 };
|
| 260 | 260 |
uint16_t record_count, length; |
| 261 | 261 |
uint16_t ooff; |
| 262 |
- uint8_t byte_count; |
|
| 262 |
+ uint16_t byte_count; |
|
| 263 | 263 |
uint32_t offset; |
| 264 | 264 |
uint32_t LidA; /* Language identifiers */ |
| 265 | 265 |
uint32_t LidB; |
| ... | ... |
@@ -433,6 +433,12 @@ vba_project_t *vba56_dir_read(const char *dir) |
| 433 | 433 |
} |
| 434 | 434 |
record_count = vba_endian_convert_16(record_count, is_mac); |
| 435 | 435 |
cli_dbgmsg("\nVBA Record count: %d\n", record_count);
|
| 436 |
+ if (record_count > 1000) {
|
|
| 437 |
+ /* Almost certainly an error */ |
|
| 438 |
+ cli_dbgmsg("\nVBA Record count too big");
|
|
| 439 |
+ close(fd); |
|
| 440 |
+ return NULL; |
|
| 441 |
+ } |
|
| 436 | 442 |
|
| 437 | 443 |
vba_project = (vba_project_t *) cli_malloc(sizeof(struct vba_project_tag)); |
| 438 | 444 |
if (!vba_project) {
|
| ... | ... |
@@ -502,21 +508,22 @@ vba_project_t *vba56_dir_read(const char *dir) |
| 502 | 502 |
} |
| 503 | 503 |
|
| 504 | 504 |
lseek(fd, 8, SEEK_CUR); |
| 505 |
- if (cli_readn(fd, &byte_count, 1) != 1) {
|
|
| 505 |
+ if (cli_readn(fd, &byte_count, 2) != 2) {
|
|
| 506 | 506 |
free(vba_project->name[i]); |
| 507 | 507 |
goto out_error; |
| 508 | 508 |
} |
| 509 |
+ byte_count = vba_endian_convert_16(byte_count, is_mac); |
|
| 509 | 510 |
for (j=0 ; j<byte_count; j++) {
|
| 510 | 511 |
lseek(fd, 8, SEEK_CUR); |
| 511 | 512 |
} |
| 512 |
- lseek(fd, 6, SEEK_CUR); |
|
| 513 |
+ lseek(fd, 5, SEEK_CUR); |
|
| 513 | 514 |
if (cli_readn(fd, &offset, 4) != 4) {
|
| 514 | 515 |
free(vba_project->name[i]); |
| 515 | 516 |
goto out_error; |
| 516 | 517 |
} |
| 517 | 518 |
offset = vba_endian_convert_32(offset, is_mac); |
| 518 | 519 |
vba_project->offset[i] = offset; |
| 519 |
- cli_dbgmsg("offset:%d\n", offset);
|
|
| 520 |
+ cli_dbgmsg("offset:%u\n", offset);
|
|
| 520 | 521 |
lseek(fd, 2, SEEK_CUR); |
| 521 | 522 |
} |
| 522 | 523 |
|