@@ -1,3 +1,8 @@

+Mon Apr  6 21:58:45 CEST 2009 (tk)

+----------------------------------

+ * libclamav: fix handling of signature offsets in cli_scanbuff() (bb#1546)

+	      Reported by Christoph

+

 Mon Apr  6 12:32:44 EEST 2009 (edwin)

 -------------------------------------

  * docs/man/clamd.conf.5.in, etc/clamd.conf, shared/optparser.c: fix

@@ -590,7 +590,7 @@ fileblobAddData(fileblob *fb, const unsigned char *data, size_t len)

 					*ctx->scanned += (unsigned long)len / CL_COUNT_PRECISION;

 				fb->bytes_scanned += (unsigned long)len;

-				if((len > 5) && cli_updatelimits(ctx, len)==CL_CLEAN && (cli_scanbuff(data, (unsigned int)len, ctx->virname, ctx->engine, CL_TYPE_BINARY_DATA, NULL) == CL_VIRUS)) {

+				if((len > 5) && cli_updatelimits(ctx, len)==CL_CLEAN && (cli_scanbuff(data, (unsigned int)len, 0, ctx->virname, ctx->engine, CL_TYPE_BINARY_DATA, NULL) == CL_VIRUS)) {

 					cli_dbgmsg("fileblobAddData: found %s\n", *ctx->virname);

 					fb->isInfected = 1;

 				}

@@ -46,7 +46,7 @@

 #include "default.h"

-int cli_scanbuff(const unsigned char *buffer, uint32_t length, cli_ctx *ctx, cli_file_t ftype, struct cli_ac_data **acdata)

+int cli_scanbuff(const unsigned char *buffer, uint32_t length, uint32_t offset, cli_ctx *ctx, cli_file_t ftype, struct cli_ac_data **acdata)

 {

 	int ret = CL_CLEAN;

 	unsigned int i;

@@ -76,8 +76,8 @@ int cli_scanbuff(const unsigned char *buffer, uint32_t length, cli_ctx *ctx, cli

 	if(!acdata && (ret = cli_ac_initdata(&mdata, troot->ac_partsigs, troot->ac_lsigs, CLI_DEFAULT_AC_TRACKLEN)))

 	    return ret;

-	if(troot->ac_only || (ret = cli_bm_scanbuff(buffer, length, virname, troot, 0, ftype, -1)) != CL_VIRUS)

-	    ret = cli_ac_scanbuff(buffer, length, virname, NULL, NULL, troot, acdata ? (acdata[0]) : (&mdata), 0, ftype, -1, NULL, AC_SCAN_VIR, NULL);

+	if(troot->ac_only || (ret = cli_bm_scanbuff(buffer, length, virname, troot, offset, ftype, -1)) != CL_VIRUS)

+	    ret = cli_ac_scanbuff(buffer, length, virname, NULL, NULL, troot, acdata ? (acdata[0]) : (&mdata), offset, ftype, -1, NULL, AC_SCAN_VIR, NULL);

 	if(!acdata)

 	    cli_ac_freedata(&mdata);

@@ -89,8 +89,8 @@ int cli_scanbuff(const unsigned char *buffer, uint32_t length, cli_ctx *ctx, cli

     if(!acdata && (ret = cli_ac_initdata(&mdata, groot->ac_partsigs, groot->ac_lsigs, CLI_DEFAULT_AC_TRACKLEN)))

 	return ret;

-    if(groot->ac_only || (ret = cli_bm_scanbuff(buffer, length, virname, groot, 0, ftype, -1)) != CL_VIRUS)

-	ret = cli_ac_scanbuff(buffer, length, virname, NULL, NULL, groot, acdata ? (acdata[1]) : (&mdata), 0, ftype, -1, NULL, AC_SCAN_VIR, NULL);

+    if(groot->ac_only || (ret = cli_bm_scanbuff(buffer, length, virname, groot, offset, ftype, -1)) != CL_VIRUS)

+	ret = cli_ac_scanbuff(buffer, length, virname, NULL, NULL, groot, acdata ? (acdata[1]) : (&mdata), offset, ftype, -1, NULL, AC_SCAN_VIR, NULL);

     if(!acdata)

 	cli_ac_freedata(&mdata);

@@ -108,6 +108,17 @@ off_t cli_caloff(const char *offstr, struct cli_target_info *info, int fd, cli_f

     *ret = 0;

+    if((pt = strchr(offstr, ',')))

+	*maxshift = atoi(++pt);

+

+    if(isdigit(offstr[0]))

+	return atoi(offstr);

+

+    if(fd == -1) {

+	*ret = -1;

+	return 0;

+    }

+

     if(!strncmp(offstr, "EP", 2) || offstr[0] == 'S') {

 	if(info->status == -1) {

@@ -140,13 +151,7 @@ off_t cli_caloff(const char *offstr, struct cli_target_info *info, int fd, cli_f

 	}

     }

-    if((pt = strchr(offstr, ',')))

-	*maxshift = atoi(++pt);

-

-    if(isdigit(offstr[0])) {

-	return atoi(offstr);

-

-    } else if(info->status == 1 && (!strncmp(offstr, "EP+", 3) || !strncmp(offstr, "EP-", 3))) {

+    if(info->status == 1 && (!strncmp(offstr, "EP+", 3) || !strncmp(offstr, "EP-", 3))) {

 	if(offstr[2] == '+')

 	    return info->exeinfo.ep + atoi(offstr + 3);

@@ -229,13 +234,11 @@ int cli_validatesig(cli_file_t ftype, const char *offstr, off_t fileoff, struct

 	unsigned int maxshift = 0;

-    if(offstr && desc != -1) {

+    if(offstr) {

 	offset = cli_caloff(offstr, info, desc, ftype, &ret, &maxshift);

-	if(ret == -1) {

-	    cli_dbgmsg("cli_validatesig: Can't calculate offset for signature %s\n", virname);

+	if(ret == -1)

 	    return 0;

-	}

 	if(maxshift) {

 	    if((fileoff < offset) || (fileoff > offset + (off_t) maxshift)) {

@@ -123,7 +123,7 @@ struct cli_target_info {

     int8_t status; /* 0 == not initialised, 1 == initialised OK, -1 == error */

 };

-int cli_scanbuff(const unsigned char *buffer, uint32_t length, cli_ctx *ctx, cli_file_t ftype, struct cli_ac_data **acdata);

+int cli_scanbuff(const unsigned char *buffer, uint32_t length, uint32_t offset, cli_ctx *ctx, cli_file_t ftype, struct cli_ac_data **acdata);

 int cli_scandesc(int desc, cli_ctx *ctx, cli_file_t ftype, uint8_t ftonly, struct cli_matched_type **ftoffset, unsigned int acmode);

@@ -1043,7 +1043,7 @@ save_text(cli_ctx *ctx, const char *dir, const char *start, size_t len)

 		 *	in this way. It gets the "filetype" wrong and then

 		 *	doesn't scan correctly

 		 */

-		if(cli_scanbuff((char *)p, len, ctx, CL_TYPE_BINARY_DATA, NULL) == CL_VIRUS) {

+		if(cli_scanbuff((char *)p, len, 0, ctx, CL_TYPE_BINARY_DATA, NULL) == CL_VIRUS) {

 			cli_dbgmsg("save_text: found %s\n", *ctx->virname);

 			return CL_VIRUS;

 		}

@@ -780,7 +780,7 @@ static int cli_vba_scandir(const char *dirname, cli_ctx *ctx, struct uniq *U)

 		    /* cli_dbgmsg("Project content:\n%s", data); */

 		    if(ctx->scanned)

 			*ctx->scanned += data_len / CL_COUNT_PRECISION;

-		    if(cli_scanbuff(data, data_len, ctx, CL_TYPE_MSOLE2, NULL) == CL_VIRUS) {

+		    if(cli_scanbuff(data, data_len, 0, ctx, CL_TYPE_MSOLE2, NULL) == CL_VIRUS) {

 			free(data);

 			ret = CL_VIRUS;

 			break;

@@ -838,7 +838,7 @@ static int cli_vba_scandir(const char *dirname, cli_ctx *ctx, struct uniq *U)

 			cli_dbgmsg("Project content:\n%s", data);

 			if(ctx->scanned)

 			    *ctx->scanned += vba_project->length[i] / CL_COUNT_PRECISION;

-			if(cli_scanbuff(data, vba_project->length[i], ctx, CL_TYPE_MSOLE2, NULL) == CL_VIRUS) {

+			if(cli_scanbuff(data, vba_project->length[i], 0, ctx, CL_TYPE_MSOLE2, NULL) == CL_VIRUS) {

 				free(data);

 				ret = CL_VIRUS;

 				break;

@@ -1012,7 +1012,7 @@ static int cli_scanscript(int desc, cli_ctx *ctx)

 	int ofd = -1, ret;

 	ssize_t nread;

 	const struct cli_matcher *troot = ctx->engine->root[7];

-	uint32_t maxpatlen = troot ? troot->maxpatlen : 0;

+	uint32_t maxpatlen = troot ? troot->maxpatlen : 0, offset = 0;

 	struct cli_matcher *groot = ctx->engine->root[0];

 	struct cli_ac_data gmdata, tmdata;

 	struct cli_ac_data *mdata[2];

@@ -1068,10 +1068,13 @@ static int cli_scanscript(int desc, cli_ctx *ctx)

 				/* we can continue to scan in memory */

 			}

 			/* when we flush the buffer also scan */

-			if(cli_scanbuff(state.out, state.out_pos, ctx, CL_TYPE_TEXT_ASCII, mdata) == CL_VIRUS) {

+			if(cli_scanbuff(state.out, state.out_pos, offset, ctx, CL_TYPE_TEXT_ASCII, mdata) == CL_VIRUS) {

 				ret = CL_VIRUS;

 				break;

 			}

+			if(ctx->scanned)

+			    *ctx->scanned += state.out_pos / CL_COUNT_PRECISION;

+			offset += state.out_pos;

 			/* carry over maxpatlen from previous buffer */

 			if (state.out_pos > maxpatlen)

 				memmove(state.out, state.out + state.out_pos - maxpatlen, maxpatlen);