@@ -1,3 +1,8 @@

+Wed Apr  5 00:38:15 CEST 2006 (tk)

+----------------------------------

+  * libclamav/zziplib: fix possible crash on FreeBSD

+		       Reported by Robert Rebbun <robert*desertsurf.com>

+

 Wed Mar 29 15:45:03 CEST 2006 (tk)

 ----------------------------------

   * libclamav/scanners.c: properly report archive unpacking errors

@@ -208,7 +208,7 @@ zzip_file_open(ZZIP_DIR * dir, zzip_char_t* name, int o_mode, int d_off)

                 /* memset(zfp, 0, sizeof *fp); cleared in zzip_file_close() */

             }else

             {

-                if (! (fp = (ZZIP_FILE *)calloc(1, sizeof(*fp))))

+                if (! (fp = (ZZIP_FILE *)cli_calloc(1, sizeof(*fp))))

                     { err =  ZZIP_OUTOFMEM; goto error; }

             }

@@ -220,7 +220,7 @@ zzip_file_open(ZZIP_DIR * dir, zzip_char_t* name, int o_mode, int d_off)

               { fp->buf32k = dir->cache.buf32k; dir->cache.buf32k = NULL; }

             else

             {

-                if (! (fp->buf32k = (char *)malloc(ZZIP_32K)))

+                if (! (fp->buf32k = (char *)cli_malloc(ZZIP_32K)))

                     { err = ZZIP_OUTOFMEM; goto error; }

             }

@@ -710,7 +710,7 @@ zzip_open_shared_io (ZZIP_FILE* stream,

 	int fd = os->open(filename, o_flags); /* io->open */

         if (fd != -1)

         {

-            ZZIP_FILE* fp = calloc (1, sizeof(ZZIP_FILE));

+            ZZIP_FILE* fp = cli_calloc (1, sizeof(ZZIP_FILE));

             if (!fp) { os->close(fd); return 0; } /* io->close */

             fp->fd = fd; 

@@ -973,7 +973,7 @@ zzip_seek(ZZIP_FILE * fp, zzip_off_t offset, int whence)

     { /* method == 8, inflate */

         char *buf;

         /*FIXME: use a static buffer! */

-        buf = (char *)malloc(ZZIP_32K);

+        buf = (char *)cli_malloc(ZZIP_32K);

         if (! buf) return -1;

         while (read_size > 0)  

@@ -26,9 +26,9 @@

 #include <stdlib.h>

 #include <string.h>

 #include <fcntl.h>

-#ifdef ZZIP_HAVE_SYS_STAT_H

+#include <sys/types.h>

 #include <sys/stat.h>

-#endif

+#include <unistd.h>

 /*

 #include "__mmap.h"

@@ -185,7 +185,7 @@ __zzip_find_disk_trailer(int fd, zzip_off_t filesize,

     auto char buffer[2*ZZIP_BUFSIZ];

     char* buf = buffer;

 #else

-    char* buf = malloc(2*ZZIP_BUFSIZ);

+    char* buf = cli_malloc(2*ZZIP_BUFSIZ);

 #endif

     zzip_off_t offset = 0;

     zzip_off_t maplen = 0; /* mmap(),read(),getpagesize() use size_t !! */

@@ -349,12 +349,24 @@ __zzip_parse_root_directory(int fd,

     long offset;          /* offset from start of root directory */

     char* fd_map = 0; 

     int32_t  fd_gap = 0;

+    struct stat sb;

     uint16_t u_entries  = ZZIP_GET16(trailer->z_entries);   

     uint32_t u_rootsize = ZZIP_GET32(trailer->z_rootsize);  

     uint32_t u_rootseek = ZZIP_GET32(trailer->z_rootseek);

     __correct_rootseek (u_rootseek, u_rootsize, trailer);

-    hdr0 = (struct zzip_dir_hdr*) malloc(u_rootsize);

+

+    if(fstat(fd, &sb) == -1) {

+	cli_errmsg("zziplib: Can't fstat file descriptor %d\n", fd);

+	return ZZIP_DIR_STAT;

+    }

+

+    if(u_rootsize > sb.st_size) {

+	cli_errmsg("zziplib: Incorrect root size\n");

+	return ZZIP_CORRUPTED;

+    }

+

+    hdr0 = (struct zzip_dir_hdr*) cli_malloc(u_rootsize);

     if (!hdr0) 

         return ZZIP_DIRSIZE;

     hdr = hdr0;                  __debug_dir_hdr (hdr);

@@ -533,7 +545,7 @@ ZZIP_DIR*

 zzip_dir_alloc_ext_io (zzip_strings_t* ext, const zzip_plugin_io_t io)

 {

     ZZIP_DIR* dir;

-    if ((dir = (ZZIP_DIR *)calloc(1, sizeof(*dir))) == NULL)

+    if ((dir = (ZZIP_DIR *)cli_calloc(1, sizeof(*dir))) == NULL)

         return 0; 

     /* dir->fileext is currently unused - so what, still initialize it */