@@ -215,7 +215,6 @@ static int cli_bytecode_context_reset(struct cli_bc_ctx *ctx)

 int cli_bytecode_context_clear(struct cli_bc_ctx *ctx)

 {

-    cli_ctx *cctx = (cli_ctx*)ctx->ctx;

     cli_bytecode_context_reset(ctx);

     memset(ctx, 0, sizeof(*ctx));

     return CL_SUCCESS;

@@ -1736,7 +1735,7 @@ static int calc_gepz(struct cli_bc *bc, struct cli_bc_func *func, uint16_t tid,

 static int cli_bytecode_prepare_interpreter(struct cli_bc *bc)

 {

-    unsigned i, j, k, rc;

+    unsigned i, j, k;

     uint64_t *gmap;

     unsigned bcglobalid = cli_apicall_maxglobal - _FIRST_GLOBAL+2;

     bc->numGlobalBytes = 0;

@@ -2249,7 +2248,7 @@ static int run_builtin_or_loaded(struct cli_all_bc *bcs, uint8_t kind, const cha

 int cli_bytecode_prepare(struct cl_engine *engine, struct cli_all_bc *bcs, unsigned dconfmask)

 {

     unsigned i, interp = 0, jitok = 0, jitcount=0;

-    int rc1, rc2, rc;

+    int rc;

     struct cli_bc_ctx *ctx;

     cli_detect_environment(&bcs->env);

@@ -82,6 +82,7 @@ struct cli_all_bc {

 struct cli_pe_hook_data;

 struct cli_exe_section;

+struct pdf_obj;

 struct cli_bc_ctx *cli_bytecode_context_alloc(void);

 /* FIXME: we can't include others.h because others.h includes us...*/

 void cli_bytecode_context_setctx(struct cli_bc_ctx *ctx, void *cctx);

@@ -90,6 +91,7 @@ int cli_bytecode_context_setparam_int(struct cli_bc_ctx *ctx, unsigned i, uint64

 int cli_bytecode_context_setparam_ptr(struct cli_bc_ctx *ctx, unsigned i, void *data, unsigned datalen);

 int cli_bytecode_context_setfile(struct cli_bc_ctx *ctx, fmap_t *map);

 int cli_bytecode_context_setpe(struct cli_bc_ctx *ctx, const struct cli_pe_hook_data *data, const struct cli_exe_section *sections);

+int cli_bytecode_context_setpdf(struct cli_bc_ctx *ctx, unsigned phase, unsigned nobjs, struct pdf_obj *objs, uint32_t *pdf_flags, uint32_t pdfsize, uint32_t pdfstartoff);

 int cli_bytecode_context_clear(struct cli_bc_ctx *ctx);

 /* returns file descriptor, sets tempfile. Caller takes ownership, and is

  * responsible for freeing/unlinking */

@@ -42,6 +42,7 @@

 #include "bytecode_api_impl.h"

 #include "others.h"

 #include "pe.h"

+#include "pdf.h"

 #include "disasm.h"

 #include "scanners.h"

 #include "jsparse/js-norm.h"

@@ -989,7 +990,7 @@ int32_t cli_bcapi_memstr(struct cli_bc_ctx *ctx, const uint8_t* h, int32_t hs,

     const uint8_t *s;

     if (!h || !n || hs < 0 || ns < 0)

 	return -1;

-    s = cli_memstr(h, hs, n, ns);

+    s = (const uint8_t*) cli_memstr((const char*)h, hs, (const char*)n, ns);

     if (!s)

 	return -1;

     return s - h;

@@ -997,12 +998,12 @@ int32_t cli_bcapi_memstr(struct cli_bc_ctx *ctx, const uint8_t* h, int32_t hs,

 int32_t cli_bcapi_hex2ui(struct cli_bc_ctx *ctx, uint32_t ah, uint32_t bh)

 {

-    uint8_t result = 0;

+    char result = 0;

     unsigned char in[2];

     in[0] = ah;

     in[1] = bh;

-    if (cli_hex2str_to(in, &result, 2) == -1)

+    if (cli_hex2str_to((const char*)in, &result, 2) == -1)

 	return -1;

     return result;

 }

@@ -1262,7 +1263,6 @@ uint32_t cli_bcapi_disable_jit_if(struct cli_bc_ctx *ctx , const int8_t* reason,

 int32_t cli_bcapi_version_compare(struct cli_bc_ctx *ctx , const uint8_t* lhs, uint32_t lhs_len, 

 				  const uint8_t* rhs, uint32_t rhs_len)

 {

-    char *endl, *endr;

     unsigned i = 0, j = 0;

     unsigned long li=0, ri=0;

     do {

@@ -1322,3 +1322,121 @@ uint32_t cli_bcapi_check_platform(struct cli_bc_ctx *ctx , uint32_t a, uint32_t

     return ret;

 }

+int cli_bytecode_context_setpdf(struct cli_bc_ctx *ctx, unsigned phase,

+				unsigned nobjs,

+				struct pdf_obj *objs, uint32_t *pdf_flags,

+				uint32_t pdfsize, uint32_t pdfstartoff)

+{

+    ctx->pdf_nobjs = nobjs;

+    ctx->pdf_objs = objs;

+    ctx->pdf_flags = pdf_flags;

+    ctx->pdf_size = pdfsize;

+    ctx->pdf_startoff = pdfstartoff;

+    ctx->pdf_phase = phase;

+    return 0;

+}

+

+int32_t cli_bcapi_pdf_get_obj_num(struct cli_bc_ctx *ctx)

+{

+    if (!ctx->pdf_phase)

+	return -1;

+    return ctx->pdf_nobjs;

+}

+

+int32_t cli_bcapi_pdf_get_flags(struct cli_bc_ctx *ctx)

+{

+    if (!ctx->pdf_phase)

+	return -1;

+    return *ctx->pdf_flags;

+}

+

+int32_t cli_bcapi_pdf_set_flags(struct cli_bc_ctx *ctx , int32_t flags)

+{

+    if (!ctx->pdf_phase)

+	return -1;

+    cli_dbgmsg("cli_pdf: bytecode set_flags %08x -> %08x\n",

+	       *ctx->pdf_flags,

+	       flags);

+    *ctx->pdf_flags = flags;

+    return 0;

+}

+

+int32_t cli_bcapi_pdf_lookupobj(struct cli_bc_ctx *ctx , uint32_t objid)

+{

+    unsigned i;

+    if (!ctx->pdf_phase)

+	return -1;

+    for (i=0;i<ctx->pdf_nobjs;i++) {

+	if (ctx->pdf_objs[i].id == objid)

+	    return i;

+    }

+    return -1;

+}

+

+uint32_t cli_bcapi_pdf_getobjsize(struct cli_bc_ctx *ctx , int32_t objidx)

+{

+    if (!ctx->pdf_phase ||

+	objidx >= ctx->pdf_nobjs ||

+	ctx->pdf_phase == PDF_PHASE_POSTDUMP /* map is obj itself, no access to pdf anymore */

+       )

+	return 0;

+    if (objidx + 1 == ctx->pdf_nobjs)

+	return ctx->pdf_size - ctx->pdf_objs[objidx].start;

+    return ctx->pdf_objs[objidx+1].start - ctx->pdf_objs[objidx].start - 4;

+}

+

+uint8_t* cli_bcapi_pdf_getobj(struct cli_bc_ctx *ctx , int32_t objidx, uint32_t amount)

+{

+    uint32_t size = cli_bcapi_pdf_getobjsize(ctx, objidx);

+    if (amount > size)

+	return NULL;

+    return fmap_need_off(ctx->fmap, ctx->pdf_objs[objidx].start, amount);

+}

+

+int32_t cli_bcapi_pdf_getobjid(struct cli_bc_ctx *ctx , int32_t objidx)

+{

+    if (!ctx->pdf_phase ||

+	objidx >= ctx->pdf_nobjs)

+	return -1;

+    return ctx->pdf_objs[objidx].id;

+}

+

+int32_t cli_bcapi_pdf_getobjflags(struct cli_bc_ctx *ctx , int32_t objidx)

+{

+    if (!ctx->pdf_phase ||

+	objidx >= ctx->pdf_nobjs)

+	return -1;

+    return ctx->pdf_objs[objidx].flags;

+}

+

+int32_t cli_bcapi_pdf_setobjflags(struct cli_bc_ctx *ctx , int32_t objidx, int32_t flags)

+{

+    if (!ctx->pdf_phase ||

+	objidx >= ctx->pdf_nobjs)

+	return -1;

+    cli_dbgmsg("cli_pdf: bytecode setobjflags %08x -> %08x\n",

+	       ctx->pdf_objs[objidx].flags,

+	       flags);

+    ctx->pdf_objs[objidx].flags = flags;

+    return 0;

+}

+

+int32_t cli_bcapi_pdf_get_offset(struct cli_bc_ctx *ctx , int32_t objidx)

+{

+    if (!ctx->pdf_phase ||

+	objidx >= ctx->pdf_nobjs)

+	return -1;

+    return ctx->pdf_startoff + ctx->pdf_objs[objidx].start;

+}

+

+int32_t cli_bcapi_pdf_get_phase(struct cli_bc_ctx *ctx)

+{

+    return ctx->pdf_phase;

+}

+

+int32_t cli_bcapi_pdf_get_dumpedobjid(struct cli_bc_ctx *ctx)

+{

+    if (ctx->pdf_phase != PDF_PHASE_POSTDUMP)

+	return -1;

+    return ctx->pdf_dumpedid;

+}

@@ -51,6 +51,8 @@ enum BytecodeKind {

     BC_LOGICAL=256,

     /** a PE unpacker */

     BC_PE_UNPACKER,

+    /* PDF hook */

+    BC_PDF,

     _BC_LAST_HOOK

 };

@@ -59,7 +61,63 @@ static const unsigned  PE_INVALID_RVA = 0xFFFFFFFF ;

 /** LibClamAV functionality level constants */

 enum FunctionalityLevels {

     FUNC_LEVEL_096 = 51,

-    FUNC_LEVEL_096_dev

+    FUNC_LEVEL_096_dev,

+    FUNC_LEVEL_096_1,

+    FUNC_LEVEL_096_1_dev,

+    FUNC_LEVEL_096_2

+};

+

+enum pdf_phase {

+    PDF_PHASE_NONE /* not a PDF */,

+    PDF_PHASE_PARSED, /* after parsing a PDF, object flags can be set etc. */

+    PDF_PHASE_POSTDUMP, /* after an obj was dumped and scanned */

+    PDF_PHASE_END /* after the pdf scan finished */

+};

+

+enum pdf_flag {

+    BAD_PDF_VERSION=0,

+    BAD_PDF_HEADERPOS,

+    BAD_PDF_TRAILER,

+    BAD_PDF_TOOMANYOBJS,

+    BAD_STREAM_FILTERS,

+    BAD_FLATE,

+    BAD_FLATESTART,

+    BAD_STREAMSTART,

+    BAD_ASCIIDECODE,

+    BAD_INDOBJ,

+    UNTERMINATED_OBJ_DICT,

+    ESCAPED_COMMON_PDFNAME,

+    HEX_JAVASCRIPT,

+    UNKNOWN_FILTER,

+    MANY_FILTERS,

+    HAS_OPENACTION,

+    BAD_STREAMLEN,

+    ENCRYPTED_PDF,

+    LINEARIZED_PDF /* not bad, just as flag */

+};

+

+enum pdf_objflags {

+    OBJ_STREAM=0,

+    OBJ_DICT,

+    OBJ_EMBEDDED_FILE,

+    OBJ_FILTER_AH,

+    OBJ_FILTER_A85,

+    OBJ_FILTER_FLATE,

+    OBJ_FILTER_LZW,

+    OBJ_FILTER_RL,

+    OBJ_FILTER_FAX,

+    OBJ_FILTER_JBIG2,

+    OBJ_FILTER_DCT,

+    OBJ_FILTER_JPX,

+    OBJ_FILTER_CRYPT,

+    OBJ_FILTER_UNKNOWN,

+    OBJ_JAVASCRIPT,

+    OBJ_OPENACTION,

+    OBJ_HASFILTERS,

+    OBJ_SIGNED,

+    OBJ_IMAGE,

+    OBJ_TRUNCATED,

+    OBJ_FORCEDUMP

 };

 #ifdef __CLAMBC__

@@ -697,7 +755,80 @@ int32_t version_compare(const uint8_t* lhs, uint32_t lhs_len,

             1 - match */

 uint32_t check_platform(uint32_t a, uint32_t b, uint32_t c);

+/** Return number of pdf objects 

+ * @return -1 - if not called from PDF hook

+          >=0 - number of PDF objects

+*/

+int32_t pdf_get_obj_num(void);

+

+/** Return the flags for the entire PDF (as set so far).

+  * @return -1 - if not called from PDF hook

+           >=0 - pdf flags */

+int32_t pdf_get_flags(void);

+

+/** Sets the flags for the entire PDF.

+  * It is recommended that you retrieve old flags, and just add new ones.

+  * @param flags - flags to set */

+int32_t pdf_set_flags(int32_t flags);

+

+/** Lookup pdf object with specified id.

+  * @param id - pdf id (objnumber << 8 | generationid)

+    @return -1 - if object id doesn't exist

+           >=0 - object index

+  */

+int32_t pdf_lookupobj(uint32_t id);

+

+/** Return the size of the specified PDF obj.

+  * @param objnum - object index (from 0), not object id!

+  * @return 0 - if not called from PDF hook, or invalid objnum

+          >=0 - size of object */

+uint32_t pdf_getobjsize(int32_t objidx);

+

+/** Return the undecoded object.

+  Meant only for reading, write modifies the fmap buffer, so avoid!

+  @param objidx - object index (from 0), not object id!

+  @param amount - size returned by pdf_getobjsize (or smaller)

+  @return NULL - invalid objidx/amount

+          pointer - pointer to original object */

+uint8_t *pdf_getobj(int32_t objidx, uint32_t amount);

+

+/* Return the object id for the specified object index.

+   @param objidx - object index (from 0)

+   @return -1 - object index invalid

+          >=0 - object id (obj id << 8 | generation id)

+*/

+int32_t pdf_getobjid(int32_t objidx);

+

+/* Return the object flags for the specified object index.

+   @param objidx - object index (from 0)

+   @return -1 - object index invalid

+          >=0 - object flags

+*/

+int32_t pdf_getobjflags(int32_t objidx);

+

+/* Sets the object flags for the specified object index.

+   This can be used to force dumping of a certain obj, by setting the

+   OBJ_FORCEDUMP flag for example.

+   @param objidx - object index (from 0)

+   @return -1 - object index invalid

+          >=0 - flags set

+*/

+int32_t pdf_setobjflags(int32_t objidx, int32_t flags);

+

+/* Return the object's offset in the PDF.

+   @param objidx - object index (from 0)

+   @return -1 - object index invalid

+          >=0 - offset

+*/

+int32_t pdf_get_offset(int32_t objidx);

+

+/** Return an 'enum pdf_phase'.

+  * Identifies at which phase this bytecode was called */

+int32_t pdf_get_phase(void);

+/** Return the currently dumped obj id.

+  Valid only in PDF_PHASE_POSTDUMP */

+int32_t pdf_get_dumpedobjid(void);

 /* ---------------- END 0.96.2 APIs   ----------------------------------- */

 #endif

 #endif

@@ -109,6 +109,18 @@ uint32_t cli_bcapi_disable_bytecode_if(struct cli_bc_ctx *ctx , const int8_t*, u

 uint32_t cli_bcapi_disable_jit_if(struct cli_bc_ctx *ctx , const int8_t*, uint32_t, uint32_t);

 int32_t cli_bcapi_version_compare(struct cli_bc_ctx *ctx , const uint8_t*, uint32_t, const uint8_t*, uint32_t);

 uint32_t cli_bcapi_check_platform(struct cli_bc_ctx *ctx , uint32_t, uint32_t, uint32_t);

+int32_t cli_bcapi_pdf_get_obj_num(struct cli_bc_ctx *ctx );

+int32_t cli_bcapi_pdf_get_flags(struct cli_bc_ctx *ctx );

+int32_t cli_bcapi_pdf_set_flags(struct cli_bc_ctx *ctx , int32_t);

+int32_t cli_bcapi_pdf_lookupobj(struct cli_bc_ctx *ctx , uint32_t);

+uint32_t cli_bcapi_pdf_getobjsize(struct cli_bc_ctx *ctx , int32_t);

+uint8_t* cli_bcapi_pdf_getobj(struct cli_bc_ctx *ctx , int32_t, uint32_t);

+int32_t cli_bcapi_pdf_getobjid(struct cli_bc_ctx *ctx , int32_t);

+int32_t cli_bcapi_pdf_getobjflags(struct cli_bc_ctx *ctx , int32_t);

+int32_t cli_bcapi_pdf_setobjflags(struct cli_bc_ctx *ctx , int32_t, int32_t);

+int32_t cli_bcapi_pdf_get_offset(struct cli_bc_ctx *ctx , int32_t);

+int32_t cli_bcapi_pdf_get_phase(struct cli_bc_ctx *ctx );

+int32_t cli_bcapi_pdf_get_dumpedobjid(struct cli_bc_ctx *ctx );

 const struct cli_apiglobal cli_globals[] = {

 /* Bytecode globals BEGIN */

@@ -133,17 +145,17 @@ static uint16_t cli_tmp4[]={16, 8, 8, 32, 32, 32, 32, 32, 32, 32, 32, 32, 16, 16

 static uint16_t cli_tmp5[]={32, 16, 16, 32, 32, 32, 16, 16};

 static uint16_t cli_tmp6[]={32};

 static uint16_t cli_tmp7[]={32};

-static uint16_t cli_tmp8[]={32, 32, 32, 32};

-static uint16_t cli_tmp9[]={32, 65, 32, 65, 32};

-static uint16_t cli_tmp10[]={32, 65, 32, 32};

-static uint16_t cli_tmp11[]={32, 81, 32};

-static uint16_t cli_tmp12[]={82};

-static uint16_t cli_tmp13[]={32, 32, 32, 32, 32, 32, 32, 83, 83, 83, 83, 83, 83, 83, 8, 8, 8, 8, 8, 8, 8, 8, 8};

-static uint16_t cli_tmp14[]={8};

-static uint16_t cli_tmp15[]={32, 32};

-static uint16_t cli_tmp16[]={32};

-static uint16_t cli_tmp17[]={65, 32, 32};

-static uint16_t cli_tmp18[]={32, 32, 32};

+static uint16_t cli_tmp8[]={32};

+static uint16_t cli_tmp9[]={32, 32};

+static uint16_t cli_tmp10[]={32, 32, 32};

+static uint16_t cli_tmp11[]={65, 32, 32};

+static uint16_t cli_tmp12[]={32, 32, 32, 32};

+static uint16_t cli_tmp13[]={32, 65, 32, 65, 32};

+static uint16_t cli_tmp14[]={32, 65, 32, 32};

+static uint16_t cli_tmp15[]={32, 85, 32};

+static uint16_t cli_tmp16[]={86};

+static uint16_t cli_tmp17[]={32, 32, 32, 32, 32, 32, 32, 87, 87, 87, 87, 87, 87, 87, 8, 8, 8, 8, 8, 8, 8, 8, 8};

+static uint16_t cli_tmp18[]={8};

 static uint16_t cli_tmp19[]={32, 65, 32};

 static uint16_t cli_tmp20[]={32, 65, 32, 32, 32, 32};

 static uint16_t cli_tmp21[]={32, 91, 32};

@@ -166,17 +178,17 @@ const struct cli_bc_type cli_apicall_types[]={

 	{DStructType, cli_tmp5, 8, 0, 0},

 	{DArrayType, cli_tmp6, 1, 0, 0},

 	{DArrayType, cli_tmp7, 64, 0, 0},

-	{DFunctionType, cli_tmp8, 4, 0, 0},

-	{DFunctionType, cli_tmp9, 5, 0, 0},

-	{DFunctionType, cli_tmp10, 4, 0, 0},

+	{DFunctionType, cli_tmp8, 1, 0, 0},

+	{DFunctionType, cli_tmp9, 2, 0, 0},

+	{DFunctionType, cli_tmp10, 3, 0, 0},

 	{DFunctionType, cli_tmp11, 3, 0, 0},

-	{DPointerType, cli_tmp12, 1, 0, 0},

-	{DStructType, cli_tmp13, 23, 0, 0},

-	{DArrayType, cli_tmp14, 65, 0, 0},

-	{DFunctionType, cli_tmp15, 2, 0, 0},

-	{DFunctionType, cli_tmp16, 1, 0, 0},

-	{DFunctionType, cli_tmp17, 3, 0, 0},

-	{DFunctionType, cli_tmp18, 3, 0, 0},

+	{DFunctionType, cli_tmp12, 4, 0, 0},

+	{DFunctionType, cli_tmp13, 5, 0, 0},

+	{DFunctionType, cli_tmp14, 4, 0, 0},

+	{DFunctionType, cli_tmp15, 3, 0, 0},

+	{DPointerType, cli_tmp16, 1, 0, 0},

+	{DStructType, cli_tmp17, 23, 0, 0},

+	{DArrayType, cli_tmp18, 65, 0, 0},

 	{DFunctionType, cli_tmp19, 3, 0, 0},

 	{DFunctionType, cli_tmp20, 6, 0, 0},

 	{DFunctionType, cli_tmp21, 3, 0, 0},

@@ -194,13 +206,13 @@ const struct cli_bc_type cli_apicall_types[]={

 const unsigned cli_apicall_maxtypes=sizeof(cli_apicall_types)/sizeof(cli_apicall_types[0]);

 const struct cli_apicall cli_apicalls[]={

 /* Bytecode APIcalls BEGIN */

-	{"test1", 18, 0, 0},

+	{"test1", 10, 0, 0},

 	{"read", 19, 0, 1},

 	{"write", 19, 1, 1},

-	{"seek", 18, 1, 0},

+	{"seek", 10, 1, 0},

 	{"setvirusname", 19, 2, 1},

 	{"debug_print_str", 19, 3, 1},

-	{"debug_print_uint", 15, 0, 2},

+	{"debug_print_uint", 9, 0, 2},

 	{"disasm_x86", 25, 4, 1},

 	{"trace_directory", 19, 5, 1},

 	{"trace_scope", 19, 6, 1},

@@ -208,68 +220,80 @@ const struct cli_apicall cli_apicalls[]={

 	{"trace_op", 19, 8, 1},

 	{"trace_value", 19, 9, 1},

 	{"trace_ptr", 19, 10, 1},

-	{"pe_rawaddr", 15, 1, 2},

+	{"pe_rawaddr", 9, 1, 2},

 	{"file_find", 19, 11, 1},

-	{"file_byteat", 15, 2, 2},

+	{"file_byteat", 9, 2, 2},

 	{"malloc", 24, 0, 3},

-	{"test2", 15, 3, 2},

+	{"test2", 9, 3, 2},

 	{"get_pe_section", 21, 12, 1},

 	{"fill_buffer", 20, 0, 4},

-	{"extract_new", 15, 4, 2},

-	{"read_number", 15, 5, 2},

-	{"hashset_new", 16, 0, 5},

-	{"hashset_add", 18, 2, 0},

-	{"hashset_remove", 18, 3, 0},

-	{"hashset_contains", 18, 4, 0},

-	{"hashset_done", 15, 6, 2},

-	{"hashset_empty", 15, 7, 2},

-	{"buffer_pipe_new", 15, 8, 2},

-	{"buffer_pipe_new_fromfile", 15, 9, 2},

-	{"buffer_pipe_read_avail", 15, 10, 2},

-	{"buffer_pipe_read_get", 17, 0, 6},

-	{"buffer_pipe_read_stopped", 18, 5, 0},

-	{"buffer_pipe_write_avail", 15, 11, 2},

-	{"buffer_pipe_write_get", 17, 1, 6},

-	{"buffer_pipe_write_stopped", 18, 6, 0},

-	{"buffer_pipe_done", 15, 12, 2},

-	{"inflate_init", 8, 0, 7},

-	{"inflate_process", 15, 13, 2},

-	{"inflate_done", 15, 14, 2},

-	{"bytecode_rt_error", 15, 15, 2},

-	{"jsnorm_init", 15, 16, 2},

-	{"jsnorm_process", 15, 17, 2},

-	{"jsnorm_done", 15, 18, 2},

-	{"ilog2", 18, 7, 0},

-	{"ipow", 8, 1, 7},

-	{"iexp", 8, 2, 7},

-	{"isin", 8, 3, 7},

-	{"icos", 8, 4, 7},

-	{"memstr", 9, 0, 8},

-	{"hex2ui", 18, 8, 0},

+	{"extract_new", 9, 4, 2},

+	{"read_number", 9, 5, 2},

+	{"hashset_new", 8, 0, 5},

+	{"hashset_add", 10, 2, 0},

+	{"hashset_remove", 10, 3, 0},

+	{"hashset_contains", 10, 4, 0},

+	{"hashset_done", 9, 6, 2},

+	{"hashset_empty", 9, 7, 2},

+	{"buffer_pipe_new", 9, 8, 2},

+	{"buffer_pipe_new_fromfile", 9, 9, 2},

+	{"buffer_pipe_read_avail", 9, 10, 2},

+	{"buffer_pipe_read_get", 11, 0, 6},

+	{"buffer_pipe_read_stopped", 10, 5, 0},

+	{"buffer_pipe_write_avail", 9, 11, 2},

+	{"buffer_pipe_write_get", 11, 1, 6},

+	{"buffer_pipe_write_stopped", 10, 6, 0},

+	{"buffer_pipe_done", 9, 12, 2},

+	{"inflate_init", 12, 0, 7},

+	{"inflate_process", 9, 13, 2},

+	{"inflate_done", 9, 14, 2},

+	{"bytecode_rt_error", 9, 15, 2},

+	{"jsnorm_init", 9, 16, 2},

+	{"jsnorm_process", 9, 17, 2},

+	{"jsnorm_done", 9, 18, 2},

+	{"ilog2", 10, 7, 0},

+	{"ipow", 12, 1, 7},

+	{"iexp", 12, 2, 7},

+	{"isin", 12, 3, 7},

+	{"icos", 12, 4, 7},

+	{"memstr", 13, 0, 8},

+	{"hex2ui", 10, 8, 0},

 	{"atoi", 19, 13, 1},

 	{"debug_print_str_start", 19, 14, 1},

 	{"debug_print_str_nonl", 19, 15, 1},

 	{"entropy_buffer", 19, 16, 1},

-	{"map_new", 18, 9, 0},

-	{"map_addkey", 10, 0, 9},

-	{"map_setvalue", 10, 1, 9},

-	{"map_remove", 10, 2, 9},

-	{"map_find", 10, 3, 9},

-	{"map_getvaluesize", 15, 19, 2},

-	{"map_getvalue", 17, 2, 6},

-	{"map_done", 15, 20, 2},

-	{"file_find_limit", 10, 4, 9},

-	{"engine_functionality_level", 16, 1, 5},

-	{"engine_dconf_level", 16, 2, 5},

-	{"engine_scan_options", 16, 3, 5},

-	{"engine_db_options", 16, 4, 5},

-	{"extract_set_container", 15, 21, 2},

-	{"input_switch", 15, 22, 2},

-	{"get_environment", 11, 17, 1},

-	{"disable_bytecode_if", 10, 5, 9},

-	{"disable_jit_if", 10, 6, 9},

-	{"version_compare", 9, 1, 8},

-	{"check_platform", 8, 5, 7}

+	{"map_new", 10, 9, 0},

+	{"map_addkey", 14, 0, 9},

+	{"map_setvalue", 14, 1, 9},

+	{"map_remove", 14, 2, 9},

+	{"map_find", 14, 3, 9},

+	{"map_getvaluesize", 9, 19, 2},

+	{"map_getvalue", 11, 2, 6},

+	{"map_done", 9, 20, 2},

+	{"file_find_limit", 14, 4, 9},

+	{"engine_functionality_level", 8, 1, 5},

+	{"engine_dconf_level", 8, 2, 5},

+	{"engine_scan_options", 8, 3, 5},

+	{"engine_db_options", 8, 4, 5},

+	{"extract_set_container", 9, 21, 2},

+	{"input_switch", 9, 22, 2},

+	{"get_environment", 15, 17, 1},

+	{"disable_bytecode_if", 14, 5, 9},

+	{"disable_jit_if", 14, 6, 9},

+	{"version_compare", 13, 1, 8},

+	{"check_platform", 12, 5, 7},

+	{"pdf_get_obj_num", 8, 5, 5},

+	{"pdf_get_flags", 8, 6, 5},

+	{"pdf_set_flags", 9, 23, 2},

+	{"pdf_lookupobj", 9, 24, 2},

+	{"pdf_getobjsize", 9, 25, 2},

+	{"pdf_getobj", 11, 3, 6},

+	{"pdf_getobjid", 9, 26, 2},

+	{"pdf_getobjflags", 9, 27, 2},

+	{"pdf_setobjflags", 10, 10, 0},

+	{"pdf_get_offset", 9, 28, 2},

+	{"pdf_get_phase", 8, 7, 5},

+	{"pdf_get_dumpedobjid", 8, 8, 5}

 /* Bytecode APIcalls END */

 };

 const cli_apicall_int2 cli_apicalls0[] = {

@@ -282,7 +306,8 @@ const cli_apicall_int2 cli_apicalls0[] = {

 	(cli_apicall_int2)cli_bcapi_buffer_pipe_write_stopped,

 	(cli_apicall_int2)cli_bcapi_ilog2,

 	(cli_apicall_int2)cli_bcapi_hex2ui,

-	(cli_apicall_int2)cli_bcapi_map_new

+	(cli_apicall_int2)cli_bcapi_map_new,

+	(cli_apicall_int2)cli_bcapi_pdf_setobjflags

 };

 const cli_apicall_pointer cli_apicalls1[] = {

 	(cli_apicall_pointer)cli_bcapi_read,

@@ -327,7 +352,13 @@ const cli_apicall_int1 cli_apicalls2[] = {

 	(cli_apicall_int1)cli_bcapi_map_getvaluesize,

 	(cli_apicall_int1)cli_bcapi_map_done,

 	(cli_apicall_int1)cli_bcapi_extract_set_container,

-	(cli_apicall_int1)cli_bcapi_input_switch

+	(cli_apicall_int1)cli_bcapi_input_switch,

+	(cli_apicall_int1)cli_bcapi_pdf_set_flags,

+	(cli_apicall_int1)cli_bcapi_pdf_lookupobj,

+	(cli_apicall_int1)cli_bcapi_pdf_getobjsize,

+	(cli_apicall_int1)cli_bcapi_pdf_getobjid,

+	(cli_apicall_int1)cli_bcapi_pdf_getobjflags,

+	(cli_apicall_int1)cli_bcapi_pdf_get_offset

 };

 const cli_apicall_malloclike cli_apicalls3[] = {

 	(cli_apicall_malloclike)cli_bcapi_malloc

@@ -340,12 +371,17 @@ const cli_apicall_allocobj cli_apicalls5[] = {

 	(cli_apicall_allocobj)cli_bcapi_engine_functionality_level,

 	(cli_apicall_allocobj)cli_bcapi_engine_dconf_level,

 	(cli_apicall_allocobj)cli_bcapi_engine_scan_options,

-	(cli_apicall_allocobj)cli_bcapi_engine_db_options

+	(cli_apicall_allocobj)cli_bcapi_engine_db_options,

+	(cli_apicall_allocobj)cli_bcapi_pdf_get_obj_num,

+	(cli_apicall_allocobj)cli_bcapi_pdf_get_flags,

+	(cli_apicall_allocobj)cli_bcapi_pdf_get_phase,

+	(cli_apicall_allocobj)cli_bcapi_pdf_get_dumpedobjid

 };

 const cli_apicall_bufget cli_apicalls6[] = {

 	(cli_apicall_bufget)cli_bcapi_buffer_pipe_read_get,

 	(cli_apicall_bufget)cli_bcapi_buffer_pipe_write_get,

-	(cli_apicall_bufget)cli_bcapi_map_getvalue

+	(cli_apicall_bufget)cli_bcapi_map_getvalue,

+	(cli_apicall_bufget)cli_bcapi_pdf_getobj

 };

 const cli_apicall_int3 cli_apicalls7[] = {

 	(cli_apicall_int3)cli_bcapi_inflate_init,

@@ -107,5 +107,17 @@ uint32_t cli_bcapi_disable_bytecode_if(struct cli_bc_ctx *ctx , const int8_t*, u

 uint32_t cli_bcapi_disable_jit_if(struct cli_bc_ctx *ctx , const int8_t*, uint32_t, uint32_t);

 int32_t cli_bcapi_version_compare(struct cli_bc_ctx *ctx , const uint8_t*, uint32_t, const uint8_t*, uint32_t);

 uint32_t cli_bcapi_check_platform(struct cli_bc_ctx *ctx , uint32_t, uint32_t, uint32_t);

+int32_t cli_bcapi_pdf_get_obj_num(struct cli_bc_ctx *ctx );

+int32_t cli_bcapi_pdf_get_flags(struct cli_bc_ctx *ctx );

+int32_t cli_bcapi_pdf_set_flags(struct cli_bc_ctx *ctx , int32_t);

+int32_t cli_bcapi_pdf_lookupobj(struct cli_bc_ctx *ctx , uint32_t);

+uint32_t cli_bcapi_pdf_getobjsize(struct cli_bc_ctx *ctx , int32_t);

+uint8_t* cli_bcapi_pdf_getobj(struct cli_bc_ctx *ctx , int32_t, uint32_t);

+int32_t cli_bcapi_pdf_getobjid(struct cli_bc_ctx *ctx , int32_t);

+int32_t cli_bcapi_pdf_getobjflags(struct cli_bc_ctx *ctx , int32_t);

+int32_t cli_bcapi_pdf_setobjflags(struct cli_bc_ctx *ctx , int32_t, int32_t);

+int32_t cli_bcapi_pdf_get_offset(struct cli_bc_ctx *ctx , int32_t);

+int32_t cli_bcapi_pdf_get_phase(struct cli_bc_ctx *ctx );

+int32_t cli_bcapi_pdf_get_dumpedobjid(struct cli_bc_ctx *ctx );

 #endif

@@ -156,6 +156,13 @@ struct cli_bc_ctx {

     fmap_t *save_map;

     const char *virname;

     struct cli_bc_hooks hooks;

+    uint32_t pdf_nobjs;

+    struct pdf_obj *pdf_objs;

+    uint32_t* pdf_flags;

+    uint32_t pdf_size;

+    uint32_t pdf_startoff;

+    unsigned pdf_phase;

+    int32_t pdf_dumpedid;

     const struct cli_exe_section *sections;

     char *tempfile;

     void *ctx;

@@ -50,6 +50,8 @@ static	char	const	rcsid[] = "$Id: pdf.c,v 1.61 2007/02/12 20:46:09 njh Exp $";

 #include "scanners.h"

 #include "fmap.h"

 #include "str.h"

+#include "bytecode.h"

+#include "bytecode_api.h"

 #ifdef	CL_DEBUG

 /*#define	SAVE_TMP	

@@ -62,28 +64,6 @@ static	const	char	*pdf_nextlinestart(const char *ptr, size_t len);

 static	const	char	*pdf_nextobject(const char *ptr, size_t len);

 #if 1

-enum pdf_flag {

-    BAD_PDF_VERSION=0,

-    BAD_PDF_HEADERPOS,

-    BAD_PDF_TRAILER,

-    BAD_PDF_TOOMANYOBJS,

-    BAD_STREAM_FILTERS,

-    BAD_FLATE,

-    BAD_FLATESTART,

-    BAD_STREAMSTART,

-    BAD_ASCIIDECODE,

-    BAD_INDOBJ,

-    UNTERMINATED_OBJ_DICT,

-    ESCAPED_COMMON_PDFNAME,

-    HEX_JAVASCRIPT,

-    UNKNOWN_FILTER,

-    MANY_FILTERS,

-    HAS_OPENACTION,

-    BAD_STREAMLEN,

-    ENCRYPTED_PDF,

-    LINEARIZED_PDF /* not bad, just as flag */

-};

-

 static int xrefCheck(const char *xref, const char *eof)

 {

     const char *q;

@@ -105,34 +85,6 @@ static int xrefCheck(const char *xref, const char *eof)

     return -1;

 }

-enum objflags {

-    OBJ_STREAM=0,

-    OBJ_DICT,

-    OBJ_EMBEDDED_FILE,

-    OBJ_FILTER_AH,

-    OBJ_FILTER_A85,

-    OBJ_FILTER_FLATE,

-    OBJ_FILTER_LZW,

-    OBJ_FILTER_RL,

-    OBJ_FILTER_FAX,

-    OBJ_FILTER_JBIG2,

-    OBJ_FILTER_DCT,

-    OBJ_FILTER_JPX,

-    OBJ_FILTER_CRYPT,

-    OBJ_FILTER_UNKNOWN,

-    OBJ_JAVASCRIPT,

-    OBJ_OPENACTION,

-    OBJ_HASFILTERS,

-    OBJ_SIGNED,

-    OBJ_IMAGE,

-    OBJ_TRUNCATED

-};

-

-struct pdf_obj {

-    uint32_t start;

-    uint32_t id;

-    uint32_t flags;

-};

 struct pdf_struct {

     struct pdf_obj *objs;

     unsigned nobjs;

@@ -140,6 +92,7 @@ struct pdf_struct {

     const char *map;

     off_t size;

     off_t offset;

+    off_t startoff;

     cli_ctx *ctx;

     const char *dir;

     unsigned files;

@@ -502,6 +455,40 @@ static int obj_size(struct pdf_struct *pdf, struct pdf_obj *obj, int binary)

     return pdf->offset - obj->start - 6;

 }

+static int run_pdf_hooks(struct pdf_struct *pdf, enum pdf_phase phase, int fd,

+			 int dumpid)

+{

+    int ret;

+    struct cli_bc_ctx *bc_ctx;

+    cli_ctx *ctx = pdf->ctx;

+    fmap_t *map;

+

+    bc_ctx = cli_bytecode_context_alloc();

+    if (!bc_ctx) {

+	cli_errmsg("cli_pdf: can't allocate memory for bc_ctx");

+	return CL_EMEM;

+    }

+

+    map = *ctx->fmap;

+    if (fd != -1) {

+	map = fmap(fd, 0, 0);

+	if (!map) {

+	    cli_warnmsg("can't mmap pdf extracted obj\n");

+	    map = *ctx->fmap;

+	    fd = -1;

+	}

+    }

+    cli_bytecode_context_setpdf(bc_ctx, phase, pdf->nobjs, pdf->objs,

+				&pdf->flags, pdf->size, pdf->startoff);

+    cli_bytecode_context_setctx(bc_ctx, ctx);

+    ret = cli_bytecode_runhook(ctx, ctx->engine, bc_ctx, BC_PDF, map, ctx->virname);

+    cli_bytecode_context_destroy(bc_ctx);

+    if (fd != -1) {

+	funmap(map);

+    }

+    return ret;

+}

+

 static int pdf_extract_obj(struct pdf_struct *pdf, struct pdf_obj *obj)

 {

     char fullname[NAME_MAX + 1];

@@ -509,20 +496,28 @@ static int pdf_extract_obj(struct pdf_struct *pdf, struct pdf_obj *obj)

     off_t sum = 0;

     int rc = CL_SUCCESS;

     char *ascii_decoded = NULL;

+    int dump = 1;

     /* TODO: call bytecode hook here, allow override dumpability */

     if ((!(obj->flags & (1 << OBJ_STREAM)) ||

 	(obj->flags & (1 << OBJ_HASFILTERS)))

 	&& !(obj->flags & DUMP_MASK)) {

 	/* don't dump all streams */

-	return CL_CLEAN;

+	dump = 0;

     }

 #if 1

     if (obj->flags & (1 << OBJ_IMAGE)) {

 	/* don't dump / scan images */

-	return CL_CLEAN;

+	dump = 0;

     }

 #endif

+    if (obj->flags & (1 << OBJ_FORCEDUMP)) {

+	/* bytecode can force dump by setting this flag */

+	dump = 1;

+    }

+    if (!dump)

+	return CL_CLEAN;

+    cli_dbgmsg("cli_pdf: dumping obj %u %u\n", obj->id>>8, obj->id);

     snprintf(fullname, sizeof(fullname), "%s"PATHSEP"pdf%02u", pdf->dir, pdf->files++);

     fout = open(fullname,O_RDWR|O_CREAT|O_EXCL|O_TRUNC|O_BINARY, 0600);

     if (fout < 0) {

@@ -541,7 +536,6 @@ static int pdf_extract_obj(struct pdf_struct *pdf, struct pdf_obj *obj)

 			   pdf->size - obj->start,

 			   &p_stream, &p_endstream);

 	if (p_stream && p_endstream) {

-	    int rc2;

 	    const char *flate_in;

 	    long ascii_decoded_size = 0;

 	    size_t size = p_endstream - p_stream;

@@ -629,13 +623,6 @@ static int pdf_extract_obj(struct pdf_struct *pdf, struct pdf_obj *obj)

 		if (filter_writen(pdf, obj, fout, flate_in, ascii_decoded_size, &sum) != ascii_decoded_size)

 		    rc = CL_EWRITE;

 	    }

-	    cli_updatelimits(pdf->ctx, sum);

-	    /* TODO: invoke bytecode on this pdf obj with metainformation associated

-	     * */

-	    lseek(fout, 0, SEEK_SET);

-	    rc2 = cli_magic_scandesc(fout, pdf->ctx);

-	    if (rc2 == CL_VIRUS || rc == CL_SUCCESS)

-		rc = rc2;

 	}

     } else if (obj->flags & (1 << OBJ_JAVASCRIPT)) {

 	const char *q2;

@@ -689,6 +676,21 @@ static int pdf_extract_obj(struct pdf_struct *pdf, struct pdf_obj *obj)

     }

     } while (0);

     cli_dbgmsg("cli_pdf: extracted %ld bytes %u %u obj to %s\n", sum, obj->id>>8, obj->id&0xff, fullname);

+    if (sum) {

+	int rc2;

+	cli_updatelimits(pdf->ctx, sum);

+	/* TODO: invoke bytecode on this pdf obj with metainformation associated

+	 * */

+	lseek(fout, 0, SEEK_SET);

+	rc2 = cli_magic_scandesc(fout, pdf->ctx);

+	if (rc2 == CL_VIRUS || rc == CL_SUCCESS)

+	    rc = rc2;

+	if (rc == CL_CLEAN) {

+	    rc2 = run_pdf_hooks(pdf, PDF_PHASE_POSTDUMP, fout, obj - pdf->objs);

+	    if (rc2 == CL_VIRUS)

+		rc = rc2;

+	}

+    }

     close(fout);

     free(ascii_decoded);

     if (!pdf->ctx->engine->keeptmp)

@@ -709,7 +711,7 @@ enum objstate {

 struct pdfname_action {

     const char *pdfname;

-    enum objflags set_objflag;/* OBJ_DICT is noop */

+    enum pdf_objflags set_objflag;/* OBJ_DICT is noop */

     enum objstate from_state;/* STATE_NONE is noop */

     enum objstate to_state;

 };

@@ -896,7 +898,7 @@ static void pdf_parseobj(struct pdf_struct *pdf, struct pdf_obj *obj)

 				   objid >> 8, objid&0xff);

 			obj2 = find_obj(pdf, obj, objid);

 			if (obj2) {

-			    enum objflags flag = objstate == STATE_JAVASCRIPT ?

+			    enum pdf_objflags flag = objstate == STATE_JAVASCRIPT ?

 				OBJ_JAVASCRIPT : OBJ_OPENACTION;

 			    obj2->flags |= 1 << flag;

 			    obj->flags &= ~(1 << flag);

@@ -1026,7 +1028,8 @@ int cli_pdf(const char *dir, cli_ctx *ctx, off_t offset)

     size -= offset;

     pdf.size = size;

-    pdf.map = fmap_need_off_once(map, offset, size);