@@ -1,3 +1,12 @@

+Sat Apr 28 19:51:22 CEST 2007 (tk)

+----------------------------------

+  * libclamav: new implementation of the Aho-Corasick pattern matcher:

+	       - remove static depth limitation

+	       - optimize memory usage

+	       - min/max depth can be set on per-tree basis

+	       - use higher max-depth by default (3)

+	       - much better detection of wildcarded sigs

+

 Tue Apr 24 13:48:04 BST 2007 (njh)

 ----------------------------------

   * libclamav/mbox.c:	Bug 366

@@ -381,13 +381,12 @@ int cli_addtypesigs(struct cl_engine *engine)

 	    return CL_EMEM;

 	}

-	root->ac_root =  (struct cli_ac_node *) cli_calloc(1, sizeof(struct cli_ac_node));

-	if(!root->ac_root) {

-	    cli_errmsg("cli_addtypesigs: Can't initialise AC pattern matcher\n");

+	if((ret = cli_ac_init(root, AC_DEFAULT_MIN_DEPTH, AC_DEFAULT_MAX_DEPTH))) {

 	    /* No need to free previously allocated memory here - all engine

 	     * elements will be properly freed by cl_free()

 	     */

-	    return CL_EMEM;

+	    cli_errmsg("cli_addtypesigs: Can't initialise AC pattern matcher\n");

+	    return ret;

 	}

     } else {

 	root = engine->root[0];

@@ -1,9 +1,4 @@

 /*

- *  C implementation of the Aho-Corasick pattern matching algorithm. It's based

- *  on the ScannerDaemon's version (coded in Java) by Kurt Huwig and

- *  http://www-sr.informatik.uni-tuebingen.de/~buehler/AC/AC.html

- *  Thanks to Kurt Huwig for pointing me to this page.

- *

  *  Copyright (C) 2002 - 2007 Tomasz Kojm <tkojm@clamav.net>

  *

  *  This program is free software; you can redistribute it and/or modify

@@ -38,89 +33,130 @@

 #include "matcher-ac.h"

 #include "filetypes.h"

 #include "cltypes.h"

+#include "str.h"

-struct nodelist {

-    struct cli_ac_node *node;

-    struct nodelist *next;

-};

-

-static uint8_t ac_depth = AC_DEFAULT_DEPTH;

 int cli_ac_addpatt(struct cli_matcher *root, struct cli_ac_patt *pattern)

 {

-	struct cli_ac_node *pos, *next;

+	struct cli_ac_node *pt, *next;

 	uint8_t i;

+	uint16_t len = MIN(root->ac_maxdepth, pattern->length);

-    if(pattern->length < ac_depth)

+

+    for(i = 0; i < len; i++) {

+	if(pattern->pattern[i] & CLI_MATCH_WILDCARD) {

+	    len = i;

+	    break;

+	}

+    }

+

+    if(len < root->ac_mindepth)

 	return CL_EPATSHORT;

-    pos = root->ac_root;

+    pt = root->ac_root;

+

+    for(i = 0; i < len; i++) {

+	if(!pt->trans) {

+	    pt->trans = (struct cli_ac_node **) cli_calloc(256, sizeof(struct cli_ac_node *));

+	    if(!pt->trans) {

+		cli_errmsg("cli_ac_addpatt: Can't allocate memory for pt->trans\n");

+		return CL_EMEM;

+	    }

+	}

-    for(i = 0; i < ac_depth; i++) {

-	next = pos->trans[(unsigned char) (pattern->pattern[i] & 0xff)]; 

+	next = pt->trans[(unsigned char) (pattern->pattern[i] & 0xff)]; 

 	if(!next) {

 	    next = (struct cli_ac_node *) cli_calloc(1, sizeof(struct cli_ac_node));

 	    if(!next) {

-		cli_errmsg("cli_ac_addpatt(): Unable to allocate AC node (%u bytes)\n", sizeof(struct cli_ac_node));

+		cli_errmsg("cli_ac_addpatt: Can't allocate memory for AC node\n");

 		return CL_EMEM;

 	    }

+	    if(i != len - 1) {

+		next->trans = (struct cli_ac_node **) cli_calloc(256, sizeof(struct cli_ac_node *));

+		if(!next->trans) {

+		    cli_errmsg("cli_ac_addpatt: Can't allocate memory for next->trans\n");

+		    free(next);

+		    return CL_EMEM;

+		}

+	    } else {

+		next->leaf = 1;

+	    }

+

 	    root->ac_nodes++;

-	    root->ac_nodetable = (struct cli_ac_node **) cli_realloc(root->ac_nodetable, (root->ac_nodes) * sizeof(struct cli_ac_node *));

-	    if(root->ac_nodetable == NULL) {

-		cli_errmsg("cli_ac_addpatt(): Unable to realloc nodetable (%u bytes)\n", (root->ac_nodes) * sizeof(struct cli_matcher *));

+	    root->ac_nodetable = (struct cli_ac_node **) cli_realloc(root->ac_nodetable, root->ac_nodes * sizeof(struct cli_ac_node *));

+	    if(!root->ac_nodetable) {

+		cli_errmsg("cli_ac_addpatt: Can't realloc ac_nodetable\n");

+		if(next->trans)

+		    free(next->trans);

+		free(next);

 		return CL_EMEM;

 	    }

 	    root->ac_nodetable[root->ac_nodes - 1] = next;

-	    pos->trans[((unsigned char) pattern->pattern[i]) & 0xff] = next;

+	    pt->trans[(unsigned char) (pattern->pattern[i] & 0xff)] = next;

+	    pt->leaf = 0;

 	}

-	pos = next;

+	pt = next;

     }

-    pos->islast = 1;

+    root->ac_patterns++;

+    root->ac_pattable = (struct cli_ac_patt **) cli_realloc(root->ac_pattable, root->ac_patterns * sizeof(struct cli_ac_patt *));

+    if(!root->ac_pattable) {

+	cli_errmsg("cli_ac_addpatt: Can't realloc ac_pattable\n");

+	return CL_EMEM;

+    }

+    root->ac_pattable[root->ac_patterns - 1] = pattern;

-    pattern->next = pos->list;

-    pos->list = pattern;

+    pt->final = 1;

+    pattern->depth = i;

+    pattern->next = pt->list;

+    pt->list = pattern;

     return CL_SUCCESS;

 }

-static int cli_enqueue(struct nodelist **bfs, struct cli_ac_node *n)

+struct bfs_list {

+    struct cli_ac_node *node;

+    struct bfs_list *next;

+};

+

+static int bfs_enqueue(struct bfs_list **bfs, struct cli_ac_node *n)

 {

-	struct nodelist *new;

+	struct bfs_list *new;

+

-    new = (struct nodelist *) cli_calloc(1, sizeof(struct nodelist));

-    if (new == NULL) {

-	cli_errmsg("cli_enqueue(): Unable to allocate node list (%u bytes)\n", sizeof(struct nodelist));

+    new = (struct bfs_list *) cli_malloc(sizeof(struct bfs_list));

+    if(!new) {

+	cli_errmsg("bfs_enqueue: Can't allocate memory for bfs_list\n");

 	return CL_EMEM;

     }

-

     new->next = *bfs;

     new->node = n;

     *bfs = new;

+

     return CL_SUCCESS;

 }

-static struct cli_ac_node *cli_dequeue(struct nodelist **bfs)

+static struct cli_ac_node *bfs_dequeue(struct bfs_list **bfs)

 {

-	struct nodelist *handler, *prev = NULL;

+	struct bfs_list *lpt, *prev = NULL;

 	struct cli_ac_node *pt;

-    handler = *bfs;

-    while(handler && handler->next) {

-	prev = handler;

-	handler = handler->next;

+    lpt = *bfs;

+    while(lpt && lpt->next) {

+	prev = lpt;

+	lpt = lpt->next;

     }

-    if(!handler) {

+    if(!lpt) {

 	return NULL;

     } else {

-	pt = handler->node;

-	free(handler);

+	pt = lpt->node;

+	free(lpt);

 	if(prev)

 	    prev->next = NULL;

 	else

@@ -130,183 +166,192 @@ static struct cli_ac_node *cli_dequeue(struct nodelist **bfs)

     }

 }

-static int cli_maketrans(struct cli_matcher *root)

+static int ac_maketrans(struct cli_matcher *root)

 {

-	struct nodelist *bfs = NULL;

-	struct cli_ac_node *ac_root = root->ac_root, *child, *node;

+	struct bfs_list *bfs = NULL;

+	struct cli_ac_node *ac_root = root->ac_root, *child, *node, *fail;

+	struct cli_ac_patt *patt;

 	int i, ret;

-    ac_root->fail = NULL;

-    if((ret = cli_enqueue(&bfs, ac_root)) != 0) {

-	return ret;

+    for(i = 0; i < 256; i++) {

+	node = ac_root->trans[i];

+	if(!node) {

+	    ac_root->trans[i] = ac_root;

+	} else {

+	    node->fail = ac_root;

+	    if((ret = bfs_enqueue(&bfs, node)))

+		return ret;

+	}

     }

-    while((node = cli_dequeue(&bfs))) {

-	if(node->islast)

+    while((node = bfs_dequeue(&bfs))) {

+	if(node->leaf)

 	    continue;

 	for(i = 0; i < 256; i++) {

 	    child = node->trans[i];

-	    if(!child) {

-		if(node->fail)

-		    node->trans[i] = (node->fail)->trans[i];

-		else

-		    node->trans[i] = ac_root;

-	    } else {

-		if(node->fail)

-		    child->fail = (node->fail)->trans[i];

-		else

-		    child->fail = ac_root;

+	    if(child) {

+		fail = node->fail;

+		while(fail->leaf || !fail->trans[i])

+		    fail = fail->fail;

-		if((ret = cli_enqueue(&bfs, child)) != 0) {

-		    return ret;

+		child->fail = fail->trans[i];

+

+		if(child->list) {

+		    patt = child->list;

+		    while(patt->next)

+			patt = patt->next;

+

+		    patt->next = child->fail->list;

+		} else {

+		    child->list = child->fail->list;

 		}

+

+		if(child->list)

+		    child->final = 1;

+

+		if((ret = bfs_enqueue(&bfs, child)) != 0)

+		    return ret;

 	    }

 	}

     }

+

     return CL_SUCCESS;

 }

 int cli_ac_buildtrie(struct cli_matcher *root)

 {

-

     if(!root)

 	return CL_EMALFDB;

     if(!root->ac_root) {

-	cli_dbgmsg("cli_ac_buildtrie(): AC pattern matcher is not initialised\n");

+	cli_dbgmsg("cli_ac_buildtrie: AC pattern matcher is not initialised\n");

 	return CL_SUCCESS;

     }

-    return cli_maketrans(root);

+    return ac_maketrans(root);

 }

-static void cli_freepatt(struct cli_ac_patt *list)

+int cli_ac_init(struct cli_matcher *root, uint8_t mindepth, uint8_t maxdepth)

 {

-	struct cli_ac_patt *handler, *prev;

-	int i;

-

-    handler = list;

+    root->ac_root = (struct cli_ac_node *) cli_calloc(1, sizeof(struct cli_ac_node));

+    if(!root->ac_root) {

+	cli_errmsg("cli_ac_init: Can't allocate memory for ac_root\n");

+	return CL_EMEM;

+    }

-    while(handler) {

-	if(handler->prefix)

-	    free(handler->prefix);

-	else

-	    free(handler->pattern);

-	free(handler->virname);

-	if(handler->offset)

-	    free(handler->offset);

-	if(handler->alt) {

-	    free(handler->altn);

-	    for(i = 0; i < handler->alt; i++)

-		free(handler->altc[i]);

-	    free(handler->altc);

-	}

-	prev = handler;

-	handler = handler->next;

-	free(prev);

+    root->ac_root->trans = (struct cli_ac_node **) cli_calloc(256, sizeof(struct cli_ac_node *));

+    if(!root->ac_root->trans) {

+	cli_errmsg("cli_ac_init: Can't allocate memory for ac_root->trans\n");

+	free(root->ac_root);

+	return CL_EMEM;

     }

+

+    root->ac_mindepth = mindepth;

+    root->ac_maxdepth = maxdepth;

+

+    return CL_SUCCESS;

 }

 void cli_ac_free(struct cli_matcher *root)

 {

-	unsigned int i;

+	uint32_t i, j;

+	struct cli_ac_patt *patt;

+    for(i = 0; i < root->ac_patterns; i++) {

+	patt = root->ac_pattable[i];

+

+	if(patt->prefix)

+	    free(patt->prefix);

+	else

+	    free(patt->pattern);

+	free(patt->virname);

+	if(patt->offset)

+	    free(patt->offset);

+	if(patt->alt) {

+	    free(patt->altn);

+	    for(j = 0; j < patt->alt; j++)

+		free(patt->altc[j]);

+	    free(patt->altc);

+	}

+	free(patt);

+    }

+    if(root->ac_pattable)

+	free(root->ac_pattable);

+

     for(i = 0; i < root->ac_nodes; i++) {

-	cli_freepatt(root->ac_nodetable[i]->list);

+	if(!root->ac_nodetable[i]->leaf)

+	    free(root->ac_nodetable[i]->trans);

 	free(root->ac_nodetable[i]);

     }

     if(root->ac_nodetable)

 	free(root->ac_nodetable);

-    if(root->ac_root)

+    if(root->ac_root) {

+	free(root->ac_root->trans);

 	free(root->ac_root);

+    }

 }

-inline static int cli_findpos(const unsigned char *buffer, unsigned int depth, unsigned int offset, unsigned int length, const struct cli_ac_patt *pattern)

+#define AC_MATCH_CHAR(p,b)						\

+    switch(wc = p & CLI_MATCH_WILDCARD) {				\

+	case CLI_MATCH_ALTERNATIVE:					\

+	    found = 0;							\

+	    for(j = 0; j < pattern->altn[alt]; j++) {			\

+		if(pattern->altc[alt][j] == b) {			\

+		    found = 1;						\

+		    break;						\

+		}							\

+	    }								\

+	    if(!found)							\

+		return 0;						\

+	    alt++;							\

+	    break;							\

+									\

+	case CLI_MATCH_NIBBLE_HIGH:					\

+	    if((unsigned char) (p & 0x00f0) != (b & 0xf0))		\

+		return 0;						\

+	    break;							\

+									\

+	case CLI_MATCH_NIBBLE_LOW:					\

+	    if((unsigned char) (p & 0x000f) != (b & 0x0f))		\

+		return 0;						\

+	    break;							\

+									\

+	default:							\

+	    if(wc != CLI_MATCH_IGNORE && (unsigned char) p != b)	\

+		return 0;						\

+    }

+

+inline static int ac_findmatch(const unsigned char *buffer, uint32_t offset, uint32_t length, const struct cli_ac_patt *pattern)

 {

-	unsigned int bufferpos = offset + depth;

-	unsigned int postfixend = offset + length;

-	unsigned int i, j, alt = pattern->alt_pattern, found;

+	uint32_t bp;

+	uint16_t wc, i, j, alt = pattern->alt_pattern;

+	uint8_t found;

     if(pattern->prefix)

 	if(pattern->prefix_length > offset)

 	    return 0;

-    if(bufferpos >= length)

-	bufferpos %= length;

-

-    for(i = depth; i < pattern->length; i++) {

-

-	if(bufferpos == postfixend)

-	    return 0;

-

-	if((pattern->pattern[i] & CLI_MATCH_WILDCARD) == CLI_MATCH_ALTERNATIVE) {

-	    found = 0;

-	    for(j = 0; j < pattern->altn[alt]; j++) {

-		if(pattern->altc[alt][j] == buffer[bufferpos]) {

-		    found = 1;

-		    break;

-		}

-	    }

-

-	    if(!found)

-		return 0;

-	    alt++;

-

-	} else if((pattern->pattern[i] & CLI_MATCH_WILDCARD) == CLI_MATCH_NIBBLE_HIGH) {

-	    if((unsigned char) (pattern->pattern[i] & 0x00f0) != (buffer[bufferpos] & 0xf0))

-		return 0;

-

-	} else if((pattern->pattern[i] & CLI_MATCH_WILDCARD) == CLI_MATCH_NIBBLE_LOW) {

-	    if((unsigned char) (pattern->pattern[i] & 0x000f) != (buffer[bufferpos] & 0x0f))

-		return 0;

-

-	} else if((pattern->pattern[i] & CLI_MATCH_WILDCARD) != CLI_MATCH_IGNORE && (unsigned char) pattern->pattern[i] != buffer[bufferpos])

-	    return 0;

-

-	bufferpos++;

+    bp = offset + pattern->depth;

-	if(bufferpos == length)

-	    bufferpos = 0;

+    for(i = pattern->depth; i < pattern->length; i++) {

+	AC_MATCH_CHAR(pattern->pattern[i],buffer[bp]);

+	bp++;

     }

     if(pattern->prefix) {

 	alt = 0;

-	bufferpos = offset - pattern->prefix_length;

+	bp = offset - pattern->prefix_length;

 	for(i = 0; i < pattern->prefix_length; i++) {

-

-	    if((pattern->prefix[i] & CLI_MATCH_WILDCARD) == CLI_MATCH_ALTERNATIVE) {

-		found = 0;

-		for(j = 0; j < pattern->altn[alt]; j++) {

-		    if(pattern->altc[alt][j] == buffer[bufferpos]) {

-			found = 1;

-			break;

-		    }

-		}

-

-		if(!found)

-		    return 0;

-		alt++;

-

-	    } else if((pattern->prefix[i] & CLI_MATCH_WILDCARD) == CLI_MATCH_NIBBLE_HIGH) {

-		if((unsigned char) (pattern->prefix[i] & 0x00f0) != (buffer[bufferpos] & 0xf0))

-		    return 0;

-

-	    } else if((pattern->prefix[i] & CLI_MATCH_WILDCARD) == CLI_MATCH_NIBBLE_LOW) {

-		if((unsigned char) (pattern->prefix[i] & 0x000f) != (buffer[bufferpos] & 0x0f))

-		    return 0;

-

-	    } else if(!(pattern->prefix[i] & CLI_MATCH_IGNORE) && (unsigned char) pattern->prefix[i] != buffer[bufferpos])

-		return 0;

-

-	    bufferpos++;

+	    AC_MATCH_CHAR(pattern->prefix[i],buffer[bp]);

+	    bp++;

 	}

     }

@@ -315,11 +360,9 @@ inline static int cli_findpos(const unsigned char *buffer, unsigned int depth, u

 int cli_ac_initdata(struct cli_ac_data *data, uint32_t partsigs, uint8_t tracklen)

 {

-	unsigned int i, j;

-

     if(!data) {

-	cli_errmsg("cli_ac_init(): data == NULL\n");

+	cli_errmsg("cli_ac_init: data == NULL\n");

 	return CL_ENULLARG;

     }

@@ -328,126 +371,77 @@ int cli_ac_initdata(struct cli_ac_data *data, uint32_t partsigs, uint8_t trackle

     if(!partsigs)

 	return CL_SUCCESS;

-    data->inioff = (off_t *) cli_malloc(partsigs * sizeof(off_t));

-    if(!data->inioff) {

-	cli_errmsg("cli_ac_init(): unable to cli_malloc(%u)\n", partsigs * sizeof(off_t));

-	return CL_EMEM;

-    }

-    memset(data->inioff, -1, partsigs * sizeof(off_t));

-

-    data->partcnt = (uint16_t *) cli_calloc(partsigs, sizeof(uint16_t));

-

-    if(!data->partcnt) {

-	cli_errmsg("cli_ac_init(): unable to cli_calloc(%u, %u)\n", partsigs, sizeof(unsigned int));

-	free(data->inioff);

+    data->offmatrix = (int32_t ***) cli_calloc(partsigs, sizeof(int32_t **));

+    if(!data->offmatrix) {

+	cli_errmsg("cli_ac_init: Can't allocate memory for data->offmatrix\n");

 	return CL_EMEM;

     }

-    data->offcnt = (uint8_t *) cli_calloc(partsigs, sizeof(uint8_t));

+    return CL_SUCCESS;

+}

-    if(!data->offcnt) {

-	cli_errmsg("cli_ac_init(): unable to cli_calloc(%u, %u)\n", partsigs, sizeof(uint8_t));

-	free(data->inioff);

-	free(data->partcnt);

-	return CL_EMEM;

-    }

+void cli_ac_freedata(struct cli_ac_data *data)

+{

+	uint32_t i;

-    data->offidx = (uint8_t *) cli_calloc(partsigs, sizeof(uint8_t));

-    if(!data->offidx) {

-	cli_errmsg("cli_ac_init(): unable to cli_calloc(%u, %u)\n", partsigs, sizeof(uint8_t));

-	free(data->inioff);

-	free(data->partcnt);

-	free(data->offcnt);

-	return CL_EMEM;

+    if(data && data->partsigs) {

+	for(i = 0; i < data->partsigs; i++) {

+	    if(data->offmatrix[i]) {

+		free(data->offmatrix[i][0]);

+		free(data->offmatrix[i]);

+	    }

+	}

+	free(data->offmatrix);

     }

+}

-    data->maxshift = (int32_t *) cli_malloc(partsigs * sizeof(int32_t));

-

-    if(!data->maxshift) {

-	cli_errmsg("cli_ac_init(): unable to cli_malloc(%u)\n", partsigs * sizeof(int));

-	free(data->inioff);

-	free(data->partcnt);

-	free(data->offcnt);

-	free(data->offidx);

-	return CL_EMEM;

-    }

+inline static int ac_addtype(struct cli_matched_type **list, cli_file_t type, off_t offset)

+{

+	struct cli_matched_type *tnode, *tnode_last;

-    memset(data->maxshift, -1, partsigs * sizeof(int32_t));

-    data->partoff = (uint32_t **) cli_calloc(partsigs, sizeof(uint32_t *));

+    if(*list && (*list)->cnt >= MAX_EMBEDDED_OBJ)

+	return CL_SUCCESS;

-    if(!data->partoff) {

-	cli_errmsg("cli_ac_init(): unable to cli_calloc(%u, %u)\n", partsigs, sizeof(unsigned int));

-	free(data->inioff);

-	free(data->partcnt);

-	free(data->offcnt);

-	free(data->offidx);

-	free(data->maxshift);

+    if(!(tnode = cli_calloc(1, sizeof(struct cli_matched_type)))) {

+	cli_errmsg("cli_ac_addtype: Can't allocate memory for new type node\n");

 	return CL_EMEM;

     }

-    /* The number of multipart signatures is rather small so we already

-     * allocate the memory for all parts here instead of using a runtime

-     * allocation in cli_ac_scanbuff()

-     */

+    tnode->type = type;

+    tnode->offset = offset;

-    for(i = 0; i < partsigs; i++) {

-	data->partoff[i] = (uint32_t *) cli_calloc(tracklen, sizeof(uint32_t));

+    tnode_last = *list;

+    while(tnode_last && tnode_last->next)

+	tnode_last = tnode_last->next;

-	if(!data->partoff[i]) {

-	    for(j = 0; j < i; j++)

-		free(data->partoff[j]);

-

-	    free(data->partoff);

-	    free(data->inioff);

-	    free(data->partcnt);

-	    free(data->offcnt);

-	    free(data->offidx);

-	    free(data->maxshift);

-	    cli_errmsg("cli_ac_init(): unable to cli_calloc(%u, %u)\n", tracklen, sizeof(unsigned int));

-	    return CL_EMEM;

-	}

-    }

+    if(tnode_last)

+	tnode_last->next = tnode;

+    else

+	*list = tnode;

+    (*list)->cnt++;

     return CL_SUCCESS;

 }

-void cli_ac_freedata(struct cli_ac_data *data)

-{

-	unsigned int i;

-

-

-    if(data && data->partsigs) {

-	free(data->inioff);

-	free(data->partcnt);

-	free(data->offcnt);

-	free(data->offidx);

-	free(data->maxshift);

-

-	for(i = 0; i < data->partsigs; i++)

-	    free(data->partoff[i]);

-

-	free(data->partoff);

-    }

-}

-

 int cli_ac_scanbuff(const unsigned char *buffer, uint32_t length, const char **virname, const struct cli_matcher *root, struct cli_ac_data *mdata, uint8_t otfrec, uint32_t offset, cli_file_t ftype, int fd, struct cli_matched_type **ftoffset)

 {

 	struct cli_ac_node *current;

 	struct cli_ac_patt *pt;

-	int type = CL_CLEAN, j;

-        uint32_t i, position, curroff;

-	uint8_t offnum, found;

-	struct cli_matched_type *tnode, *tnode_last = NULL;

+        uint32_t i, bp, realoff;

+	uint16_t j;

+	int32_t **offmatrix;

+	uint8_t found;

 	struct cli_target_info info;

+	int type = CL_CLEAN;

     if(!root->ac_root)

 	return CL_CLEAN;

     if(!mdata) {

-	cli_errmsg("cli_ac_scanbuff(): mdata == NULL\n");

+	cli_errmsg("cli_ac_scanbuff: mdata == NULL\n");

 	return CL_ENULLARG;

     }

@@ -455,18 +449,21 @@ int cli_ac_scanbuff(const unsigned char *buffer, uint32_t length, const char **v

     current = root->ac_root;

     for(i = 0; i < length; i++)  {

-	current = current->trans[buffer[i] & 0xff];

-	if(current->islast) {

-	    position = i - ac_depth + 1;

+	while(current->leaf || !current->trans[buffer[i]])

+	    current = current->fail;

+	current = current->trans[buffer[i]];

+

+	if(current->final) {

 	    pt = current->list;

 	    while(pt) {

-		if(cli_findpos(buffer, ac_depth, position, length, pt)) {

-		    curroff = offset + position - pt->prefix_length;

+		bp = i + 1 - pt->depth;

+		if(ac_findmatch(buffer, bp, length, pt)) {

+		    realoff = offset + bp - pt->prefix_length;

 		    if((pt->offset || pt->target) && (!pt->sigid || pt->partno == 1)) {

-			if((fd == -1 && !ftype) || !cli_validatesig(ftype, pt->offset, curroff, &info, fd, pt->virname)) {

+			if((fd == -1 && !ftype) || !cli_validatesig(ftype, pt->offset, realoff, &info, fd, pt->virname)) {

 			    pt = pt->next;

 			    continue;

 			}

@@ -474,100 +471,85 @@ int cli_ac_scanbuff(const unsigned char *buffer, uint32_t length, const char **v

 		    if(pt->sigid) { /* it's a partial signature */

-			if(pt->partno == 1)

-			    mdata->inioff[pt->sigid - 1] = curroff;

-

-			if(mdata->partcnt[pt->sigid - 1] + 1 == pt->partno) {

-			    offnum = mdata->offcnt[pt->sigid - 1];

-			    if(offnum < AC_DEFAULT_TRACKLEN) {

-				mdata->partoff[pt->sigid - 1][offnum] = curroff + pt->length;

-

-				if(mdata->maxshift[pt->sigid - 1] == -1 || ((int) (mdata->partoff[pt->sigid - 1][offnum] - mdata->partoff[pt->sigid - 1][0]) <= mdata->maxshift[pt->sigid - 1]))

-				    mdata->offcnt[pt->sigid - 1]++;

-			    } else {

-				if(mdata->maxshift[pt->sigid - 1] == -1 || ((int) (curroff + pt->length - mdata->partoff[pt->sigid - 1][0]) <= mdata->maxshift[pt->sigid - 1])) {

-				    if(!(mdata->offidx[pt->sigid - 1] %= AC_DEFAULT_TRACKLEN))

-					mdata->offidx[pt->sigid - 1]++;

+			if(!mdata->offmatrix[pt->sigid - 1]) {

+			    mdata->offmatrix[pt->sigid - 1] = cli_malloc(pt->parts * sizeof(int32_t *));

+			    if(!mdata->offmatrix[pt->sigid - 1]) {

+				cli_errmsg("cli_ac_scanbuff: Can't allocate memory for mdata->offmatrix[%u]\n", pt->sigid - 1);

+				return CL_EMEM;

+			    }

-				    mdata->partoff[pt->sigid - 1][mdata->offidx[pt->sigid - 1]] = curroff + pt->length;

-				    mdata->offidx[pt->sigid - 1]++;

-				}

+			    mdata->offmatrix[pt->sigid - 1][0] = cli_malloc(pt->parts * (AC_DEFAULT_TRACKLEN + 1) * sizeof(int32_t));

+			    if(!mdata->offmatrix[pt->sigid - 1][0]) {

+				cli_errmsg("cli_ac_scanbuff: Can't allocate memory for mdata->offmatrix[%u][0]\n", pt->sigid - 1);

+				free(mdata->offmatrix[pt->sigid - 1]);

+				mdata->offmatrix[pt->sigid - 1] = NULL;

+				return CL_EMEM;

+			    }

+			    memset(mdata->offmatrix[pt->sigid - 1][0], -1, pt->parts * (AC_DEFAULT_TRACKLEN + 1) * sizeof(int32_t));

+			    mdata->offmatrix[pt->sigid - 1][0][0] = 0;

+			    for(j = 1; j < pt->parts; j++) {

+				mdata->offmatrix[pt->sigid - 1][j] = mdata->offmatrix[pt->sigid - 1][0] + j * (AC_DEFAULT_TRACKLEN + 1);

+				 mdata->offmatrix[pt->sigid - 1][j][0] = 0;

 			    }

+			}

+			offmatrix = mdata->offmatrix[pt->sigid - 1];

-			} else if(mdata->partcnt[pt->sigid - 1] + 2 == pt->partno) {

+			if(pt->partno != 1) {

 			    found = 0;

-			    for(j = mdata->offcnt[pt->sigid - 1] - 1; j >= 0; j--) {

+			    for(j = 1; j <= AC_DEFAULT_TRACKLEN && offmatrix[pt->partno - 2][j] != -1; j++) {

 				found = 1;

 				if(pt->maxdist)

-				    if(curroff - mdata->partoff[pt->sigid - 1][j] > pt->maxdist)

+				    if(realoff - offmatrix[pt->partno - 2][j] > pt->maxdist)

 					found = 0;

 				if(found && pt->mindist)

-				    if(curroff - mdata->partoff[pt->sigid - 1][j] < pt->mindist)

+				    if(realoff - offmatrix[pt->partno - 2][j] < pt->mindist)

 					found = 0;

 				if(found)

 				    break;

 			    }

+			}

-			    if(found) {

-				if(pt->maxdist)

-				    mdata->maxshift[pt->sigid - 1] = mdata->partoff[pt->sigid - 1][j] + pt->maxdist - curroff;

-				else

-				    mdata->maxshift[pt->sigid - 1] = -1;

-

-				mdata->partoff[pt->sigid - 1][0] = curroff + pt->length;

-				mdata->offcnt[pt->sigid - 1] = 1;

-

-				if(++mdata->partcnt[pt->sigid - 1] + 1 == pt->parts) {

-				    if(pt->type) {

-					if(otfrec) {

-					    if(pt->type > type || pt->type >= CL_TYPE_SFX || pt->type == CL_TYPE_MSEXE) {

-						cli_dbgmsg("Matched signature for file type %s at %u\n", pt->virname, (unsigned int) mdata->inioff[pt->sigid - 1]);

-						mdata->offcnt[pt->sigid - 1] = 0;

-						mdata->offidx[pt->sigid - 1] = 0;

-						mdata->partcnt[pt->sigid - 1] = 0;

-						mdata->maxshift[pt->sigid - 1] = -1;

-

-						type = pt->type;

-						if(ftoffset && (!*ftoffset || (*ftoffset)->cnt < MAX_EMBEDDED_OBJ) && ((ftype == CL_TYPE_MSEXE && type >= CL_TYPE_SFX) || ((ftype == CL_TYPE_MSEXE || ftype == CL_TYPE_ZIP) && type == CL_TYPE_MSEXE)))  {

-						    if(!(tnode = cli_calloc(1, sizeof(struct cli_matched_type)))) {

-							cli_errmsg("cli_ac_scanbuff(): Can't allocate memory for new type node\n");

-							if(info.exeinfo.section)

-							    free(info.exeinfo.section);

-							return CL_EMEM;

-						    }

-

-						    tnode->type = type;

-						    tnode->offset = mdata->inioff[pt->sigid - 1];

-

-						    if(*ftoffset && !tnode_last) {

-							tnode_last = *ftoffset;

-							while(tnode_last->next)

-							    tnode_last = tnode_last->next;

-						    }

-

-						    if(tnode_last) {

-							tnode_last->next = tnode;

-							tnode_last = tnode;

-						    } else {

-							*ftoffset = tnode;

-							tnode_last = tnode;

-						    }

-

-						    (*ftoffset)->cnt++;

+			if(pt->partno == 1 || (found && (pt->partno != pt->parts))) {

+			    offmatrix[pt->partno - 1][0] %= (AC_DEFAULT_TRACKLEN + 1);

+			    if(!offmatrix[pt->partno - 1][0])

+				offmatrix[pt->partno - 1][0]++;

+

+			    offmatrix[pt->partno - 1][offmatrix[pt->partno - 1][0]] = realoff + pt->length;

+			    if(pt->partno) /* save realoff for the first part */

+				offmatrix[pt->parts - 1][offmatrix[pt->partno - 1][0]] = realoff;

+			} else if(found && pt->partno == pt->parts) {

+			    if(pt->type) {

+				if(otfrec) {

+				    if(pt->type > type || pt->type >= CL_TYPE_SFX || pt->type == CL_TYPE_MSEXE) {

+					cli_dbgmsg("Matched signature for file type %s\n", pt->virname);

+					type = pt->type;

+					if(ftoffset && (!*ftoffset || (*ftoffset)->cnt < MAX_EMBEDDED_OBJ) && ((ftype == CL_TYPE_MSEXE && type >= CL_TYPE_SFX) || ((ftype == CL_TYPE_MSEXE || ftype == CL_TYPE_ZIP) && type == CL_TYPE_MSEXE)))  {

+					    /* FIXME: we don't know which offset of the first part is the correct one */

+					    for(j = 1; j <= AC_DEFAULT_TRACKLEN && offmatrix[0][j] != -1; j++) {

+						if(ac_addtype(ftoffset, type, offmatrix[pt->parts - 1][j])) {

+						    if(info.exeinfo.section)

+							free(info.exeinfo.section);

+						    return CL_EMEM;

 						}

 					    }

 					}

-				    } else {

-					if(virname)

-					    *virname = pt->virname;

-					if(info.exeinfo.section)

-					    free(info.exeinfo.section);

-					return CL_VIRUS;

+					memset(offmatrix[0], -1, pt->parts * (AC_DEFAULT_TRACKLEN + 1) * sizeof(int32_t));

+					for(j = 0; j < pt->parts; j++)

+					    offmatrix[j][0] = 0;

 				    }

 				}

+

+			    } else { /* !pt->type */

+				if(virname)

+				    *virname = pt->virname;

+

+				if(info.exeinfo.section)

+				    free(info.exeinfo.section);

+

+				return CL_VIRUS;

 			    }

 			}

@@ -575,33 +557,15 @@ int cli_ac_scanbuff(const unsigned char *buffer, uint32_t length, const char **v

 			if(pt->type) {