git-svn: trunk@1883
Tomasz Kojm authored on 2006/04/05 07:40:13... | ... |
@@ -1,3 +1,8 @@ |
1 |
+Wed Apr 5 00:38:15 CEST 2006 (tk) |
|
2 |
+---------------------------------- |
|
3 |
+ * libclamav/zziplib: fix possible crash on FreeBSD |
|
4 |
+ Reported by Robert Rebbun <robert*desertsurf.com> |
|
5 |
+ |
|
1 | 6 |
Wed Mar 29 15:45:03 CEST 2006 (tk) |
2 | 7 |
---------------------------------- |
3 | 8 |
* libclamav/scanners.c: properly report archive unpacking errors |
... | ... |
@@ -208,7 +208,7 @@ zzip_file_open(ZZIP_DIR * dir, zzip_char_t* name, int o_mode, int d_off) |
208 | 208 |
/* memset(zfp, 0, sizeof *fp); cleared in zzip_file_close() */ |
209 | 209 |
}else |
210 | 210 |
{ |
211 |
- if (! (fp = (ZZIP_FILE *)calloc(1, sizeof(*fp)))) |
|
211 |
+ if (! (fp = (ZZIP_FILE *)cli_calloc(1, sizeof(*fp)))) |
|
212 | 212 |
{ err = ZZIP_OUTOFMEM; goto error; } |
213 | 213 |
} |
214 | 214 |
|
... | ... |
@@ -220,7 +220,7 @@ zzip_file_open(ZZIP_DIR * dir, zzip_char_t* name, int o_mode, int d_off) |
220 | 220 |
{ fp->buf32k = dir->cache.buf32k; dir->cache.buf32k = NULL; } |
221 | 221 |
else |
222 | 222 |
{ |
223 |
- if (! (fp->buf32k = (char *)malloc(ZZIP_32K))) |
|
223 |
+ if (! (fp->buf32k = (char *)cli_malloc(ZZIP_32K))) |
|
224 | 224 |
{ err = ZZIP_OUTOFMEM; goto error; } |
225 | 225 |
} |
226 | 226 |
|
... | ... |
@@ -710,7 +710,7 @@ zzip_open_shared_io (ZZIP_FILE* stream, |
710 | 710 |
int fd = os->open(filename, o_flags); /* io->open */ |
711 | 711 |
if (fd != -1) |
712 | 712 |
{ |
713 |
- ZZIP_FILE* fp = calloc (1, sizeof(ZZIP_FILE)); |
|
713 |
+ ZZIP_FILE* fp = cli_calloc (1, sizeof(ZZIP_FILE)); |
|
714 | 714 |
if (!fp) { os->close(fd); return 0; } /* io->close */ |
715 | 715 |
|
716 | 716 |
fp->fd = fd; |
... | ... |
@@ -973,7 +973,7 @@ zzip_seek(ZZIP_FILE * fp, zzip_off_t offset, int whence) |
973 | 973 |
{ /* method == 8, inflate */ |
974 | 974 |
char *buf; |
975 | 975 |
/*FIXME: use a static buffer! */ |
976 |
- buf = (char *)malloc(ZZIP_32K); |
|
976 |
+ buf = (char *)cli_malloc(ZZIP_32K); |
|
977 | 977 |
if (! buf) return -1; |
978 | 978 |
|
979 | 979 |
while (read_size > 0) |
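Review bot: No hunk in this file adds an include for the header that declares cli_calloc and cli_malloc, so the four replaced call sites (lines 211, 223, 713 and 976) rely on a declaration that is not visible here. If that header is not already included, a C89 compiler treats both as implicitly declared functions returning int, which truncates the returned pointer on LP64 platforms. The `(ZZIP_FILE *)` and `(char *)` casts at 211, 223 and 976 would hide the resulting diagnostic. Confirm the include is present, then drop the casts so a missing prototype is reported, e.g. `if (! (fp = cli_calloc(1, sizeof(*fp))))`. zzip_file_open, zzip_open_shared_io and zzip_seek all extend beyond their hunks.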
... | ... |
@@ -26,9 +26,9 @@ |
26 | 26 |
#include <stdlib.h> |
27 | 27 |
#include <string.h> |
28 | 28 |
#include <fcntl.h> |
29 |
-#ifdef ZZIP_HAVE_SYS_STAT_H |
|
29 |
+#include <sys/types.h> |
|
30 | 30 |
#include <sys/stat.h> |
31 |
-#endif |
|
31 |
+#include <unistd.h> |
|
32 | 32 |
|
33 | 33 |
/* |
34 | 34 |
#include "__mmap.h" |
... | ... |
@@ -185,7 +185,7 @@ __zzip_find_disk_trailer(int fd, zzip_off_t filesize, |
185 | 185 |
auto char buffer[2*ZZIP_BUFSIZ]; |
186 | 186 |
char* buf = buffer; |
187 | 187 |
#else |
188 |
- char* buf = malloc(2*ZZIP_BUFSIZ); |
|
188 |
+ char* buf = cli_malloc(2*ZZIP_BUFSIZ); |
|
189 | 189 |
#endif |
190 | 190 |
zzip_off_t offset = 0; |
191 | 191 |
zzip_off_t maplen = 0; /* mmap(),read(),getpagesize() use size_t !! */ |
... | ... |
@@ -349,12 +349,24 @@ __zzip_parse_root_directory(int fd, |
349 | 349 |
long offset; /* offset from start of root directory */ |
350 | 350 |
char* fd_map = 0; |
351 | 351 |
int32_t fd_gap = 0; |
352 |
+ struct stat sb; |
|
352 | 353 |
uint16_t u_entries = ZZIP_GET16(trailer->z_entries); |
353 | 354 |
uint32_t u_rootsize = ZZIP_GET32(trailer->z_rootsize); |
354 | 355 |
uint32_t u_rootseek = ZZIP_GET32(trailer->z_rootseek); |
355 | 356 |
__correct_rootseek (u_rootseek, u_rootsize, trailer); |
356 | 357 |
|
357 |
- hdr0 = (struct zzip_dir_hdr*) malloc(u_rootsize); |
|
358 |
+ |
|
359 |
+ if(fstat(fd, &sb) == -1) { |
|
360 |
+ cli_errmsg("zziplib: Can't fstat file descriptor %d\n", fd); |
|
361 |
+ return ZZIP_DIR_STAT; |
|
362 |
+ } |
|
363 |
+ |
|
364 |
+ if(u_rootsize > sb.st_size) { |
|
365 |
+ cli_errmsg("zziplib: Incorrect root size\n"); |
|
366 |
+ return ZZIP_CORRUPTED; |
|
367 |
+ } |
|
368 |
+ |
|
369 |
+ hdr0 = (struct zzip_dir_hdr*) cli_malloc(u_rootsize); |
|
358 | 370 |
if (!hdr0) |
359 | 371 |
return ZZIP_DIRSIZE; |
360 | 372 |
hdr = hdr0; __debug_dir_hdr (hdr); |
... | ... |
@@ -533,7 +545,7 @@ ZZIP_DIR* |
533 | 533 |
zzip_dir_alloc_ext_io (zzip_strings_t* ext, const zzip_plugin_io_t io) |
534 | 534 |
{ |
535 | 535 |
ZZIP_DIR* dir; |
536 |
- if ((dir = (ZZIP_DIR *)calloc(1, sizeof(*dir))) == NULL) |
|
536 |
+ if ((dir = (ZZIP_DIR *)cli_calloc(1, sizeof(*dir))) == NULL) |
|
537 | 537 |
return 0; |
538 | 538 |
|
539 | 539 |
/* dir->fileext is currently unused - so what, still initialize it */ |
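Review bot: The new bound in __zzip_parse_root_directory (new lines 364-367) compares only u_rootsize with sb.st_size, so a trailer whose z_rootseek places the root directory partly or wholly past the end of the file still passes. Both values are read from the archive trailer, so the check should cover the whole range, `if (u_rootsize > sb.st_size || u_rootseek > sb.st_size - u_rootsize) {`, with a comment such as `/* z_rootsize and z_rootseek come from the archive; reject a directory that cannot fit in the file */`. A zero u_rootsize also reaches `cli_malloc(u_rootsize)`; whether that yields NULL and is reported as ZZIP_DIRSIZE depends on cli_malloc, which is not shown. The code that reads or maps the directory lies outside the hunk, so how it handles an out-of-range seek is not visible here.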