@@ -1,3 +1,9 @@

+Wed Apr  5 00:52:12 CEST 2006 (tk)

+----------------------------------

+  * libclamav/pe.c: fix possible integer overflow reported by Damian Put

+		    Note: only exploitable if file size limit

+		    (ArchiveMaxFileSize) disabled

+

 Wed Apr  5 00:38:15 CEST 2006 (tk)

 ----------------------------------

   * libclamav/zziplib: fix possible crash on FreeBSD

@@ -319,16 +319,18 @@ int cli_scanpe(int desc, cli_ctx *ctx)

     }

     nsections = EC16(file_hdr.NumberOfSections);

-    if(nsections < 1) {

+    if(nsections < 1 || nsections > 99) {

 	if(DETECT_BROKEN) {

 	    if(ctx->virname)

 		*ctx->virname = "Broken.Executable";

 	    return CL_VIRUS;

 	}

-	cli_warnmsg("PE file contains no sections\n");

+	if(nsections)

+	    cli_warnmsg("PE file contains %d sections\n", nsections);

+	else

+	    cli_warnmsg("PE file contains no sections\n");

 	return CL_CLEAN;

     }

-

     cli_dbgmsg("NumberOfSections: %d\n", nsections);

     timestamp = (time_t) EC32(file_hdr.TimeDateStamp);

@@ -668,7 +670,7 @@ int cli_scanpe(int desc, cli_ctx *ctx)

 		    uint32_t newesi, newedi, newebx, newedx;

 		if(ctx->limits && ctx->limits->maxfilesize && (ssize > ctx->limits->maxfilesize || dsize > ctx->limits->maxfilesize)) {

-		    cli_dbgmsg("FSG: Sizes exceeded (ssize: %d, dsize: %d, max: %lu)\n", ssize, dsize , ctx->limits->maxfilesize);

+		    cli_dbgmsg("FSG: Sizes exceeded (ssize: %u, dsize: %u, max: %lu)\n", ssize, dsize , ctx->limits->maxfilesize);

 		    free(section_hdr);

 		    if(BLOCKMAX) {

 			*ctx->virname = "PE.FSG.ExceededFileSize";

@@ -827,7 +829,7 @@ int cli_scanpe(int desc, cli_ctx *ctx)

 		if(ctx->limits && ctx->limits->maxfilesize && (ssize > ctx->limits->maxfilesize || dsize > ctx->limits->maxfilesize)) {

-		    cli_dbgmsg("FSG: Sizes exceeded (ssize: %d, dsize: %d, max: %lu)\n", ssize, dsize, ctx->limits->maxfilesize);

+		    cli_dbgmsg("FSG: Sizes exceeded (ssize: %u, dsize: %u, max: %lu)\n", ssize, dsize, ctx->limits->maxfilesize);

 		    free(section_hdr);

 		    if(BLOCKMAX) {

 			*ctx->virname = "PE.FSG.ExceededFileSize";

@@ -1049,7 +1051,7 @@ int cli_scanpe(int desc, cli_ctx *ctx)

 		}

 		if(ctx->limits && ctx->limits->maxfilesize && (ssize > ctx->limits->maxfilesize || dsize > ctx->limits->maxfilesize)) {

-		    cli_dbgmsg("FSG: Sizes exceeded (ssize: %d, dsize: %d, max: %lu)\n", ssize, dsize, ctx->limits->maxfilesize);

+		    cli_dbgmsg("FSG: Sizes exceeded (ssize: %u, dsize: %u, max: %lu)\n", ssize, dsize, ctx->limits->maxfilesize);

 		    free(section_hdr);

 		    if(BLOCKMAX) {

 			*ctx->virname = "PE.FSG.ExceededFileSize";

@@ -1241,7 +1243,7 @@ int cli_scanpe(int desc, cli_ctx *ctx)

 	    dsize = EC32(section_hdr[i].VirtualSize) + EC32(section_hdr[i + 1].VirtualSize);

 	    if(ctx->limits && ctx->limits->maxfilesize && (ssize > ctx->limits->maxfilesize || dsize > ctx->limits->maxfilesize)) {

-		cli_dbgmsg("UPX: Sizes exceeded (ssize: %d, dsize: %d, max: %lu)\n", ssize, dsize , ctx->limits->maxfilesize);

+		cli_dbgmsg("UPX: Sizes exceeded (ssize: %u, dsize: %u, max: %lu)\n", ssize, dsize , ctx->limits->maxfilesize);

 		free(section_hdr);

 		if(BLOCKMAX) {

 		    *ctx->virname = "PE.UPX.ExceededFileSize";

@@ -1263,6 +1265,13 @@ int cli_scanpe(int desc, cli_ctx *ctx)

 		return CL_EMEM;

 	    }

+	    if(dsize > CLI_MAX_ALLOCATION) {

+		cli_errmsg("UPX: Too big value of dsize\n");

+		free(section_hdr);

+		free(src);

+		return CL_EMEM;

+	    }

+

 	    if((dest = (char *) cli_calloc(dsize + 1024 + nsections * 40, sizeof(char))) == NULL) {

 		free(section_hdr);

 		free(src);

@@ -1437,7 +1446,7 @@ int cli_scanpe(int desc, cli_ctx *ctx)

 	    dsize = max - min;

 	    if(ctx->limits && ctx->limits->maxfilesize && dsize > ctx->limits->maxfilesize) {

-		cli_dbgmsg("Petite: Size exceeded (dsize: %d, max: %lu)\n", dsize, ctx->limits->maxfilesize);

+		cli_dbgmsg("Petite: Size exceeded (dsize: %u, max: %lu)\n", dsize, ctx->limits->maxfilesize);

 		free(section_hdr);

 		if(BLOCKMAX) {

 		    *ctx->virname = "PE.Petite.ExceededFileSize";