@@ -1,3 +1,16 @@

+Wed Feb 13 11:21:04 CET 2008 (tk)

+---------------------------------

+  * Merge security fixes:

+  * libclamav/mew.c: fix possible heap corruption (bb#806)

+    Found by Elliot, broken module disabled via daily.cvd published on Feb 2

+  * libclamav/pe.c: fix possible integer overflow (CVE-2008-0318)

+    Found by Silvio Cesare working with the VeriSign iDefense VCP;

+    broken module disabled via daily.cvd published on Jan 11, 2008

+  * libclamav/vba_extract.c: fix extraction of embedded files (bb#760)

+  * libclamav/cab.c: improve handling of stored files (bb#771)

+  * libclamav/scanners.c: respect recursion limits in cli_scanembpe() (bb#771)

+  * libclamav/unarj.c: improve bounds checking (bb#811)

+

 Wed Feb 13 12:11:08 EET 2008 (edwin)

 ------------------------------------

   * libclamav/htmlnorm.c: SVN r3619 broke phishing detection, fixed it

@@ -233,8 +233,10 @@ int cab_open(int fd, off_t offset, struct cab_archive *cab)

     cab->length = EC32(hdr.cbCabinet);

     cli_dbgmsg("CAB: Cabinet length: %u\n", cab->length);

-    if((off_t) cab->length > rsize)

+    if((off_t) cab->length > rsize) {

+	cab->length = (uint32_t) rsize;

 	bscore++;

+    }

     cab->nfolders = EC16(hdr.cFolders);

     if(!cab->nfolders) {

@@ -690,6 +692,10 @@ int cab_extract(struct cab_file *file, const char *name)

 	case 0x0000: /* STORE */

 	    cli_dbgmsg("CAB: Compression method: STORED\n");

 	    CAB_CHGFOLDER;

+	    if(file->length > file->cab->length) {

+		cli_dbgmsg("cab_extract: Stored file larger than archive itself, trimming down\n");

+		file->length = file->cab->length;

+	    }

 	    ret = cab_unstore(file, file->length);

 	    break;

@@ -784,13 +784,15 @@ int unmew11(char *src, int off, int ssize, int dsize, uint32_t base, uint32_t va

 	entry_point  = cli_readint32(source + 4);

 	newedi = cli_readint32(source + 8);

 	ledi = src + (newedi - vma);

+	loc_ds = size_sum - (newedi - vma);

 	i = 0;

-	ssize -= 12;

+	loc_ss -= 12;

+	loc_ss -= off;

 	while (1)

 	{

   		cli_dbgmsg("MEW unpacking section %d (%p->%p)\n", i, lesi, ledi);

-		if (!CLI_ISCONTAINED(src, size_sum, lesi, 4) || !CLI_ISCONTAINED(src, size_sum, ledi, 4))

+		if (!CLI_ISCONTAINED(src, size_sum, lesi, loc_ss) || !CLI_ISCONTAINED(src, size_sum, ledi, loc_ds))

 		{

 			cli_dbgmsg("Possibly programmer error or hand-crafted PE file, report to clamav team\n");

 			return -1;

@@ -810,10 +812,11 @@ int unmew11(char *src, int off, int ssize, int dsize, uint32_t base, uint32_t va

 		/* XXX */

 		loc_ss -= (f1+4-lesi);

-		loc_ds -= (f2-ledi);

-		ledi = src + (cli_readint32(f1) - vma);

 		lesi = f1+4;

+		ledi = src + (cli_readint32(f1) - vma);

+		loc_ds = size_sum - (cli_readint32(f1) - vma);

+

 		if (!uselzma)

 		{

 			uint32_t val = PESALIGN(f2 - src, 0x1000);

@@ -811,6 +811,18 @@ int cli_scanpe(int desc, cli_ctx *ctx)

 	    }

 	}

+	if (exe_sections[i].urva>>31 || exe_sections[i].uvsz>>31 || (exe_sections[i].rsz && exe_sections[i].uraw>>31) || exe_sections[i].ursz>>31) {

+	    cli_dbgmsg("Found PE values with sign bit set\n");

+	    free(section_hdr);

+	    free(exe_sections);

+	    if(DETECT_BROKEN) {

+	        if(ctx->virname)

+		    *ctx->virname = "Broken.Executable";

+		return CL_VIRUS;

+	    }

+	    return CL_CLEAN;

+	}

+

 	if(!i) {

 	    if (DETECT_BROKEN && exe_sections[i].urva!=hdr_size) { /* Bad first section RVA */

 	        cli_dbgmsg("First section is in the wrong place\n");

@@ -1533,6 +1533,7 @@ static int cli_scanembpe(int desc, cli_ctx *ctx)

 	return CL_EFSYNC;

     }

+    ctx->recursion++;

     lseek(fd, 0, SEEK_SET);

     if((ret = cli_magic_scandesc(fd, ctx)) == CL_VIRUS) {

 	cli_dbgmsg("cli_scanembpe: Infected with %s\n", *ctx->virname);

@@ -1542,6 +1543,7 @@ static int cli_scanembpe(int desc, cli_ctx *ctx)

 	free(tmpname);	

 	return CL_VIRUS;

     }

+    ctx->recursion--;

     close(fd);

     if(!cli_leavetemps_flag)

@@ -226,6 +226,10 @@ static int make_table(arj_decode_t *decode_data, int nchar, unsigned char *bitle

 		count[i] = 0;

 	}

 	for (i = 0; (int)i < nchar; i++) {

+		if (bitlen[i] >= 17) {

+			cli_dbgmsg("UNARJ: bounds exceeded\n");

+			return CL_EARJ;

+		}

 		count[bitlen[i]]++;

 	}

@@ -238,6 +242,10 @@ static int make_table(arj_decode_t *decode_data, int nchar, unsigned char *bitle

 	}

 	jutbits = 16 - tablebits;

+	if (tablebits >= 17) {

+		cli_dbgmsg("UNARJ: bounds exceeded\n");

+		return CL_EARJ;

+	}

 	for (i = 1; (int)i <= tablebits; i++) {

 		start[i] >>= jutbits;

 		weight[i] = 1 << (tablebits - i);

@@ -251,6 +259,10 @@ static int make_table(arj_decode_t *decode_data, int nchar, unsigned char *bitle

 	if (i != (unsigned short) (1 << 16)) {

 		k = 1 << tablebits;

 		while (i != k) {

+			if (i >= tablesize) {

+				cli_dbgmsg("UNARJ: bounds exceeded\n");

+				return CL_EARJ;

+			}

 			table[i++] = 0;

 		}

 	}

@@ -261,6 +273,10 @@ static int make_table(arj_decode_t *decode_data, int nchar, unsigned char *bitle

 		if ((len = bitlen[ch]) == 0) {

 			continue;

 		}

+		if (len >= 17) {

+			cli_dbgmsg("UNARJ: bounds exceeded\n");

+			return CL_EARJ;

+		}

 		k = start[len];

 		nextcode = k + weight[len];

 		if ((int)len <= tablebits) {

@@ -275,9 +291,17 @@ static int make_table(arj_decode_t *decode_data, int nchar, unsigned char *bitle

 			i = len - tablebits;

 			while (i != 0) {

 				if (*p == 0) {

+					if (avail >= (2 * NC - 1)) {

+						cli_dbgmsg("UNARJ: bounds exceeded\n");

+						return CL_EARJ;

+					}

 					decode_data->right[avail] = decode_data->left[avail] = 0;

 					*p = avail++;

 				}

+				if (*p >= (2 * NC - 1)) {

+					cli_dbgmsg("UNARJ: bounds exceeded\n");

+					return CL_EARJ;

+				}

 				if (k & mask) {

 					p = &decode_data->right[*p];

 				} else {

@@ -301,6 +325,10 @@ static void read_pt_len(arj_decode_t *decode_data, int nn, int nbit, int i_speci

 	n = arj_getbits(decode_data, nbit);

 	if (n == 0) {

+		if (nn > NPT) {

+			cli_dbgmsg("UNARJ: bounds exceeded\n");

+			return;

+		}

 		c = arj_getbits(decode_data, nbit);

 		for (i = 0; i < nn; i++) {

 			decode_data->pt_len[i] = 0;

@@ -368,6 +396,10 @@ static int read_c_len(arj_decode_t *decode_data)

 					mask >>= 1;

 				} while (c >= NT);

 			}

+			if (c >= 19) {

+				cli_dbgmsg("UNARJ: bounds exceeded\n");

+				return CL_EARJ;

+			}

 			fill_buf(decode_data, (int)(decode_data->pt_len[c]));

 			if (c <= 2) {

 				if (c == 0) {

@@ -752,7 +752,7 @@ ppt_unlzw(const char *dir, int fd, uint32_t length)

 		}

 	} while(inflate(&stream, Z_NO_FLUSH) == Z_OK);

-	if (cli_writen(ofd, outbuff, bufflen) != (int)bufflen) {

+	if (cli_writen(ofd, outbuff, PPT_LZW_BUFFSIZE-stream.avail_out) != (int)PPT_LZW_BUFFSIZE-stream.avail_out) {

 		close(ofd);

 		inflateEnd(&stream);

 		return FALSE;