1. clamav-devel
  2. Commit f2fbfba7473e4dc693350b54d6299f5a68b8014e
Browse code

bb#3062

aCaB authored on 2011/11/04 08:55:54
Showing 2 changed files
ChangeLog
History View file @ f2fbfba
... ... 
@@ -1,3 +1,8 @@
1 
+Fri Nov  4 00:52:21 CET 2011 (acab)
2 
+-----------------------------------
3 
+ * libclamav/pe.c: parse vinfo where varfileinfo occours before stringfileinfo
4 
+		   (bb#3062)
5 
+
1 6 
 Fri Mar  2 19:48:36 CET 2012 (tk)
2 7 
 ---------------------------------
3 8 
  * clamd: add support for on-access scanning on OS X with ClamAuth (beta)
libclamav/pe.c
History View file @ f2fbfba
... ... 
@@ -2506,7 +2506,7 @@ int cli_peheader(fmap_t *map, struct cli_exe_info *peinfo)
2506 2506 
 		continue;
2507 2507
2508 2508 
 	    while(res_sz>4) { /* look for version_info - NOT RESUMABLE (expecting exactly one versioninfo) */
2509 
-		uint32_t vinfo_sz, vinfo_val_sz;
2509 
+		uint32_t vinfo_sz, vinfo_val_sz, got_varfileinfo = 0;
2510 2510
2511 2511 
 		vinfo_sz = vinfo_val_sz = cli_readint32(vptr);
2512 2512 
 		vinfo_sz &= 0xffff;
... ... 
@@ -2535,7 +2535,14 @@ int cli_peheader(fmap_t *map, struct cli_exe_info *peinfo)
2535 2535 
 		    if(sfi_sz > vinfo_sz)
2536 2536 
 			break; /* the content is larger than the container */
2537 2537
2538 
-		    /* expecting stringfileinfo to always precede varfileinfo */
2538 
+		    if(!got_varfileinfo && sfi_sz > 6 + 0x18 && !memcmp(vptr+6, "V\0a\0r\0F\0i\0l\0e\0I\0n\0f\0o\0\0\0", 0x18)) {
2539 
+			/* skip varfileinfo as it sometimes appear before stringtableinfo */
2540 
+			vptr += sfi_sz;
2541 
+			vinfo_sz -= sfi_sz;
2542 
+			got_varfileinfo = 1;
2543 
+			continue;
2544 
+		    }
2545 
+
2539 2546 
 		    if(sfi_sz <= 6 + 0x1e || memcmp(vptr+6, "S\0t\0r\0i\0n\0g\0F\0i\0l\0e\0I\0n\0f\0o\0\0\0", 0x1e)) {
2540 2547 
 			/* - there should be enough room for the header(6) and the key "StringFileInfo"(1e)
2541 2548 
 			 * - the key should match */