@@ -171,6 +171,7 @@ int cli_scanpe(int desc, const char **virname, long int *scanned, const struct c

 	int (*upxfn)(char *, uint32_t, char *, uint32_t *, uint32_t, uint32_t, uint32_t) = NULL;

 	char *src = NULL, *dest = NULL;

 	int ndesc, ret;

+	size_t fsize;

     if(read(desc, &e_magic, sizeof(e_magic)) != sizeof(e_magic)) {

@@ -473,6 +474,8 @@ int cli_scanpe(int desc, const char **virname, long int *scanned, const struct c

 	return CL_EIO;

     }

+    fsize = sb.st_size;

+

     section_hdr = (struct pe_image_section_hdr *) cli_calloc(nsections, sizeof(struct pe_image_section_hdr));

     if(!section_hdr) {

@@ -524,8 +527,8 @@ int cli_scanpe(int desc, const char **virname, long int *scanned, const struct c

 	cli_dbgmsg("------------------------------------\n");

-	if(EC32(section_hdr[i].PointerToRawData) + EC32(section_hdr[i].SizeOfRawData) > (unsigned long int) sb.st_size) {

-	    cli_dbgmsg("Possibly broken PE file - Section %d out of file (Offset@ %d, Rsize %d, Total filesize %d)\n", i, EC32(section_hdr[i].PointerToRawData), EC32(section_hdr[i].SizeOfRawData), sb.st_size);

+	if(!CLI_ISCONTAINED(0, (uint32_t) fsize, EC32(section_hdr[i].PointerToRawData), EC32(section_hdr[i].SizeOfRawData)) || EC32(section_hdr[i].PointerToRawData) >= fsize) {

+	    cli_dbgmsg("Possibly broken PE file - Section %d out of file (Offset@ %d, Rsize %d, Total filesize %d)\n", i, EC32(section_hdr[i].PointerToRawData), EC32(section_hdr[i].SizeOfRawData), fsize);

 	    if(DETECT_BROKEN) {

 		if(virname)

 		    *virname = "Broken.Executable";

@@ -753,7 +756,9 @@ int cli_scanpe(int desc, const char **virname, long int *scanned, const struct c

 		    return CL_EMEM;

 		}

-		tempfile = cli_gentemp(NULL);

+		if(!(tempfile = cli_gentemp(NULL)))

+		    return CL_EMEM;

+

 		if((ndesc = open(tempfile, O_RDWR|O_CREAT|O_TRUNC, S_IRWXU)) < 0) {

 		    cli_dbgmsg("FSG: Can't create file %s\n", tempfile);

 		    free(tempfile);

@@ -951,7 +956,9 @@ int cli_scanpe(int desc, const char **virname, long int *scanned, const struct c

 		oldep = EC32(optional_hdr32.AddressOfEntryPoint) + 161 + 6 + cli_readint32(buff+163);

 		cli_dbgmsg("FSG: found old EP @%x\n", oldep);

-		tempfile = cli_gentemp(NULL);

+		if(!(tempfile = cli_gentemp(NULL)))

+		    return CL_EMEM;

+

 		if((ndesc = open(tempfile, O_RDWR|O_CREAT|O_TRUNC, S_IRWXU)) < 0) {

 		    cli_dbgmsg("FSG: Can't create file %s\n", tempfile);

 		    free(tempfile);

@@ -1154,7 +1161,9 @@ int cli_scanpe(int desc, const char **virname, long int *scanned, const struct c

 		oldep = EC32(optional_hdr32.AddressOfEntryPoint) + gp + 6 + cli_readint32(src+gp+2+oldep);

 		cli_dbgmsg("FSG: found old EP @%x\n", oldep);

-		tempfile = cli_gentemp(NULL);

+		if(!(tempfile = cli_gentemp(NULL)))

+		    return CL_EMEM;

+

 		if((ndesc = open(tempfile, O_RDWR|O_CREAT|O_TRUNC, S_IRWXU)) < 0) {

 		    cli_dbgmsg("FSG: Can't create file %s\n", tempfile);

 		    free(tempfile);

@@ -1363,7 +1372,9 @@ int cli_scanpe(int desc, const char **virname, long int *scanned, const struct c

 	    free(src);

 	    free(section_hdr);

-	    tempfile = cli_gentemp(NULL);

+	    if(!(tempfile = cli_gentemp(NULL)))

+		return CL_EMEM;

+

 	    if((ndesc = open(tempfile, O_RDWR|O_CREAT|O_TRUNC, S_IRWXU)) < 0) {

 		cli_dbgmsg("UPX/FSG: Can't create file %s\n", tempfile);

 		free(tempfile);

@@ -1458,7 +1469,9 @@ int cli_scanpe(int desc, const char **virname, long int *scanned, const struct c

 		}

 	    }

-	    tempfile = cli_gentemp(NULL);

+	    if(!(tempfile = cli_gentemp(NULL)))

+		return CL_EMEM;

+

 	    if((ndesc = open(tempfile, O_RDWR|O_CREAT|O_TRUNC, S_IRWXU)) < 0) {

 		cli_dbgmsg("Petite: Can't create file %s\n", tempfile);

 		free(tempfile);

@@ -1520,28 +1533,24 @@ int cli_scanpe(int desc, const char **virname, long int *scanned, const struct c

        EC32(optional_hdr32.AddressOfEntryPoint) < EC32(section_hdr[nsections - 1].VirtualAddress) + EC32(section_hdr[nsections - 1].SizeOfRawData) - 0x3217 - 4 &&

        memcmp(buff+4, "\xe8\x00\x00\x00\x00\x8b\x1c\x24\x83\xc3", 10) == 0)  {

-	    struct stat fstats;

 	    char *spinned;

-	if(fstat(desc, &fstats) == -1) {

-	    free(section_hdr);

-	    return CL_EIO;

-	}

-

-	if((spinned = (char *) cli_malloc(fstats.st_size)) == NULL) {

+	if((spinned = (char *) cli_malloc(fsize)) == NULL) {

 	    free(section_hdr);

 	    return CL_EMEM;

 	}

 	lseek(desc, 0, SEEK_SET);

-	if(read(desc, spinned, fstats.st_size) != fstats.st_size) {

-	    cli_dbgmsg("PESpin: Can't read %d bytes\n", fstats.st_size);

+	if(read(desc, spinned, fsize) != fsize) {

+	    cli_dbgmsg("PESpin: Can't read %d bytes\n", fsize);

 	    free(spinned);

 	    free(section_hdr);

 	    return CL_EIO;

 	}

-	tempfile = cli_gentemp(NULL);

+	if(!(tempfile = cli_gentemp(NULL)))

+	    return CL_EMEM;

+

 	if((ndesc = open(tempfile, O_RDWR|O_CREAT|O_TRUNC, S_IRWXU)) < 0) {

 	    cli_dbgmsg("PESpin: Can't create file %s\n", tempfile);

 	    free(tempfile);

@@ -1550,7 +1559,7 @@ int cli_scanpe(int desc, const char **virname, long int *scanned, const struct c

 	    return CL_EIO;

 	}

-	if(!unspin(spinned, fstats.st_size, section_hdr, nsections - 1, EC32(optional_hdr32.AddressOfEntryPoint), ndesc)) {

+	if(!unspin(spinned, fsize, section_hdr, nsections - 1, EC32(optional_hdr32.AddressOfEntryPoint), ndesc)) {

 	    free(spinned);

 	    cli_dbgmsg("PESpin: Unpacked and rebuilt executable saved in %s\n", tempfile);

 	    fsync(ndesc);

@@ -1589,29 +1598,25 @@ int cli_scanpe(int desc, const char **virname, long int *scanned, const struct c

        EC32(optional_hdr32.AddressOfEntryPoint) == EC32(section_hdr[nsections - 1].VirtualAddress) + 0x60 &&

        memcmp(buff, "\x55\x8B\xEC\x53\x56\x57\x60\xE8\x00\x00\x00\x00\x5D\x81\xED\x6C\x28\x40\x00\xB9\x5D\x34\x40\x00\x81\xE9\xC6\x28\x40\x00\x8B\xD5\x81\xC2\xC6\x28\x40\x00\x8D\x3A\x8B\xF7\x33\xC0\xEB\x04\x90\xEB\x01\xC2\xAC", 51) == 0)  {

-	    struct stat fstats;

 	    char *spinned;

-	if(fstat(desc, &fstats) == -1) {

-	    free(section_hdr);

-	    return CL_EIO;

-	}

-

-	if ( fstats.st_size >= EC32(section_hdr[nsections - 1].PointerToRawData) + 0xC6 + 0xb97 ) { /* size check on yC sect */

-	  if((spinned = (char *) cli_malloc(fstats.st_size)) == NULL) {

+	if ( fsize >= EC32(section_hdr[nsections - 1].PointerToRawData) + 0xC6 + 0xb97 ) { /* size check on yC sect */

+	  if((spinned = (char *) cli_malloc(fsize)) == NULL) {

 	    free(section_hdr);

 	    return CL_EMEM;

 	  }

 	  lseek(desc, 0, SEEK_SET);

-	  if(read(desc, spinned, fstats.st_size) != fstats.st_size) {

-	    cli_dbgmsg("yC: Can't read %d bytes\n", fstats.st_size);

+	  if(read(desc, spinned, fsize) != fsize) {

+	    cli_dbgmsg("yC: Can't read %d bytes\n", fsize);

 	    free(spinned);

 	    free(section_hdr);

 	    return CL_EIO;

 	  }

-	  

-	  tempfile = cli_gentemp(NULL);

+

+	  if(!(tempfile = cli_gentemp(NULL)))

+	      return CL_EMEM;

+

 	  if((ndesc = open(tempfile, O_RDWR|O_CREAT|O_TRUNC, S_IRWXU)) < 0) {

 	    cli_dbgmsg("yC: Can't create file %s\n", tempfile);

 	    free(tempfile);

@@ -1619,8 +1624,8 @@ int cli_scanpe(int desc, const char **virname, long int *scanned, const struct c

 	    free(section_hdr);

 	    return CL_EIO;

 	  }

-	  

-	  if(!yc_decrypt(spinned, fstats.st_size, section_hdr, nsections-1, e_lfanew, ndesc)) {

+

+	  if(!yc_decrypt(spinned, fsize, section_hdr, nsections-1, e_lfanew, ndesc)) {

 	    free(spinned);

 	    cli_dbgmsg("yC: Unpacked and rebuilt executable saved in %s\n", tempfile);

 	    fsync(ndesc);

@@ -1651,7 +1656,6 @@ int cli_scanpe(int desc, const char **virname, long int *scanned, const struct c

 	    free(tempfile);

 	  }

-

 	}

     }

@@ -35,7 +35,7 @@

 #include "others.h"

-// Macros were created by aCaB

+/* Macros were created by aCaB */

 #define ROL(a,b) a = ( a << (b % (sizeof(a)<<3) ))  |  (a >> (  (sizeof(a)<<3)  -  (b % (sizeof(a)<<3 )) ) )

 #define ROR(a,b) a = ( a >> (b % (sizeof(a)<<3) ))  |  (a << (  (sizeof(a)<<3)  -  (b % (sizeof(a)<<3 )) ) )

@@ -54,9 +54,9 @@ static inline uint32_t EC32(uint32_t v)

 }

 #endif

-//==================================================================================

-// "Emulates" the poly decryptors

-//

+/* ========================================================================== */

+/* "Emulates" the poly decryptors */

+

 static int yc_poly_emulator(char* decryptor_offset, char* code, unsigned int ecx)

 {

@@ -77,56 +77,55 @@ static int yc_poly_emulator(char* decryptor_offset, char* code, unsigned int ecx

      D2C0             ROL AL,CL

   */

-  //	unsigned int ecx = len2decrypt;

   unsigned char al;

   unsigned char cl = ecx & 0xff;

   unsigned int j=0,i=0;

-  for(i;i<ecx;i++) // Byte looper - Decrypts every byte and write it back

+  for(i;i<ecx;i++) /* Byte looper - Decrypts every byte and write it back */

     {

       al = code[i];

-      for(j=0;j<0x30;j++)   // Poly Decryptor "Emulator"

+      for(j=0;j<0x30;j++)   /* Poly Decryptor "Emulator" */

 	{

 	  switch(decryptor_offset[j])

 	    {

-	    case '\xEB':	// JMP short

+	    case '\xEB':	/* JMP short */

 	      j++;

 	      j = j + decryptor_offset[j];

 	      break;

-	    case '\xFE':	// DEC  AL

+	    case '\xFE':	/* DEC  AL */

 	      al--;

 	      j++;

 	      break;

-	    case '\x2A':	// SUB AL,CL

+	    case '\x2A':	/* SUB AL,CL */

 	      al = al - cl;

 	      j++;

 	      break;

-	    case '\x02':	// ADD AL,CL

+	    case '\x02':	/* ADD AL,CL */

 	      al = al + cl;

 	      j++;

 	      break

 		;

-	    case '\x32':	// XOR AL,CL

+	    case '\x32':	/* XOR AL,CL */

 	      al = al ^ cl;

 	      j++;

 	      break;

 	      ;

-	    case '\x04':	// ADD AL,num

+	    case '\x04':	/* ADD AL,num */

 	      j++;

 	      al = al + decryptor_offset[j];

 	      break;

 	      ;

-	    case '\x34':	// XOR AL,num

+	    case '\x34':	/* XOR AL,num */

 	      j++;

 	      al = al ^ decryptor_offset[j];

 	      break;

-	    case '\x2C':	// SUB AL,num

+	    case '\x2C':	/* SUB AL,num */

 	      j++;

 	      al = al - decryptor_offset[j];

 	      break;

@@ -134,12 +133,12 @@ static int yc_poly_emulator(char* decryptor_offset, char* code, unsigned int ecx

 	    case '\xC0':

 	      j++;

-	      if(decryptor_offset[j]=='\xC0') // ROL AL,num

+	      if(decryptor_offset[j]=='\xC0') /* ROL AL,num */

 		{

 		  j++;

 		  al = ROL(al,decryptor_offset[j]);

 		}

-	      else			// ROR AL,num

+	      else			/* ROR AL,num */

 		{

 		  j++;

 		  ROR(al,decryptor_offset[j]);

@@ -148,12 +147,12 @@ static int yc_poly_emulator(char* decryptor_offset, char* code, unsigned int ecx

 	    case '\xD2':

 	      j++;

-	      if(decryptor_offset[j]=='\xC8') // ROR AL,CL

+	      if(decryptor_offset[j]=='\xC8') /* ROR AL,CL */

 		{

 		  j++;

 		  ROR(al,cl);

 		}

-	      else			// ROL AL,CL

+	      else			/* ROL AL,CL */

 		{

 		  j++;

 		  ROL(al,cl);

@@ -177,9 +176,9 @@ static int yc_poly_emulator(char* decryptor_offset, char* code, unsigned int ecx

 }

-//==================================================================================

-// Main routine which calls all others

-//

+/* ========================================================================== */

+/* Main routine which calls all others */

+

 int yc_decrypt(char *fbuf, unsigned int filesize, struct pe_image_section_hdr *sections, unsigned int sectcount, uint32_t peoffset, int desc)

 {

   uint32_t ycsect = EC32(sections[sectcount].PointerToRawData);

@@ -211,19 +210,19 @@ int yc_decrypt(char *fbuf, unsigned int filesize, struct pe_image_section_hdr *s

   */

-  // Loop through all sections and decrypt them...

+  /* Loop through all sections and decrypt them... */

   for(i;i<sectcount;i++)

     {

       uint32_t name = (uint32_t) cli_readint32((char *)sections[i].Name);

-      if ( name == 0x63727372 || // rsrc

-	   name == 0x7273722E || // .rsr

-	   name == 0x6F6C6572 || // relo

-	   name == 0x6C65722E || // .rel

-	   name == 0x6164652E || // .eda

-	   name == 0x6164722E || // .rda

-	   name == 0x6164692E || // .ida

-	   name == 0x736C742E || // .tls

-	   name&0xffff == 0x4379 || // yC

+      if ( name == 0x63727372 || /* rsrc */

+	   name == 0x7273722E || /* .rsr */

+	   name == 0x6F6C6572 || /* relo */

+	   name == 0x6C65722E || /* .rel */

+	   name == 0x6164652E || /* .eda */

+	   name == 0x6164722E || /* .rda */

+	   name == 0x6164692E || /* .ida */

+	   name == 0x736C742E || /* .tls */

+	   name&0xffff == 0x4379 || /* yC */

 	   EC32(sections[i].PointerToRawData) == 0 ||

 	   EC32(sections[i].SizeOfRawData) == 0 ) continue;

       cli_dbgmsg("yC: decrypting sect%d\n",i); 

@@ -231,23 +230,22 @@ int yc_decrypt(char *fbuf, unsigned int filesize, struct pe_image_section_hdr *s

 	return 1;

     }

-  // Remove yC section

-  pe->NumberOfSections=EC16(EC16(pe->NumberOfSections)-1);

+  /* Remove yC section */

+  pe->NumberOfSections=EC16(pe->NumberOfSections)-1;

-  // Remove IMPORT_DIRECTORY information

+  /* Remove IMPORT_DIRECTORY information */

   memset((char *)pe + sizeof(struct pe_image_file_hdr) + 0x68, 0, 8);

-  // OEP resolving

-  // OEP = DWORD PTR [ Start of yC section+ A0F]

+  /* OEP resolving */

+  /* OEP = DWORD PTR [ Start of yC section+ A0F] */

   cli_writeint32((char *)pe + sizeof(struct pe_image_file_hdr) + 16, cli_readint32(fbuf + ycsect + 0xa0f));

-  // Fix SizeOfImage

+  /* Fix SizeOfImage */

   cli_writeint32((char *)pe + sizeof(struct pe_image_file_hdr) + 0x38, cli_readint32((char *)pe + sizeof(struct pe_image_file_hdr) + 0x38) - EC32(sections[sectcount].VirtualSize));

   if (cli_writen(desc, fbuf, filesize)==-1) {

-    cli_dbgmsg("yc: Cannot write unpacked file\n");

+    cli_dbgmsg("yC: Cannot write unpacked file\n");

     return 1;

   }

   return 0;

 }

-