2011-03-28 20:25:40 +02:00
|
|
|
/*
|
2020-01-03 15:44:07 -05:00
|
|
|
* Copyright (C) 2013-2020 Cisco Systems, Inc. and/or its affiliates. All rights reserved.
|
2013-01-15 15:42:31 -05:00
|
|
|
* Copyright (C) 2011-2013 Sourcefire, Inc.
|
2011-03-28 20:25:40 +02:00
|
|
|
*
|
|
|
|
|
* The code is based on Flasm, command line assembler & disassembler of Flash
|
|
|
|
|
* ActionScript bytecode Copyright (c) 2001 Opaque Industries, (c) 2002-2007
|
|
|
|
|
* Igor Kogan, (c) 2005 Wang Zhen. All rights reserved.
|
|
|
|
|
*
|
|
|
|
|
* Redistribution and use in source and binary forms, with or without modification,
|
|
|
|
|
* are permitted provided that the following conditions are met:
|
|
|
|
|
*
|
|
|
|
|
* - Redistributions of source code must retain the above copyright notice, this list
|
|
|
|
|
* of conditions and the following disclaimer.
|
|
|
|
|
* - Redistributions in binary form must reproduce the above copyright notice, this
|
|
|
|
|
* list of conditions and the following disclaimer in the documentation and/or other
|
|
|
|
|
* materials provided with the distribution.
|
|
|
|
|
* - Neither the name of the Opaque Industries nor the names of its contributors may
|
|
|
|
|
* be used to endorse or promote products derived from this software without specific
|
|
|
|
|
* prior written permission.
|
|
|
|
|
*
|
2019-05-04 15:54:54 -04:00
|
|
|
* THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND ANY
|
|
|
|
|
* EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
|
|
|
|
|
* OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT
|
|
|
|
|
* SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT,
|
|
|
|
|
* INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED
|
|
|
|
|
* TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR
|
|
|
|
|
* BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
|
|
|
|
|
* CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY
|
2011-03-28 20:25:40 +02:00
|
|
|
* WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
|
|
|
|
|
*/
|
|
|
|
|
|
|
|
|
|
#if HAVE_CONFIG_H
|
|
|
|
|
#include "clamav-config.h"
|
|
|
|
|
#endif
|
|
|
|
|
|
|
|
|
|
#include <stdio.h>
|
|
|
|
|
#include <string.h>
|
|
|
|
|
#include <sys/types.h>
|
|
|
|
|
#include <sys/stat.h>
|
|
|
|
|
#include <fcntl.h>
|
|
|
|
|
#include <sys/stat.h>
|
2018-12-03 12:40:13 -05:00
|
|
|
#ifdef HAVE_UNISTD_H
|
2011-03-28 20:25:40 +02:00
|
|
|
#include <unistd.h>
|
|
|
|
|
#endif
|
|
|
|
|
#include <time.h>
|
|
|
|
|
#include <zlib.h>
|
|
|
|
|
|
|
|
|
|
#include "swf.h"
|
|
|
|
|
#include "clamav.h"
|
2011-04-06 15:53:28 +02:00
|
|
|
#include "scanners.h"
|
2015-04-28 17:28:23 -04:00
|
|
|
#include "lzma_iface.h"
|
2011-03-28 20:25:40 +02:00
|
|
|
|
2018-12-03 12:40:13 -05:00
|
|
|
#define EC16(v) le16_to_host(v)
|
|
|
|
|
#define EC32(v) le32_to_host(v)
|
|
|
|
|
|
|
|
|
|
#define INITBITS \
|
|
|
|
|
{ \
|
|
|
|
|
if (fmap_readn(map, &get_c, offset, sizeof(get_c)) == sizeof(get_c)) { \
|
|
|
|
|
bitpos = 8; \
|
|
|
|
|
bitbuf = (unsigned int)get_c; \
|
|
|
|
|
offset += sizeof(get_c); \
|
|
|
|
|
} else { \
|
|
|
|
|
cli_warnmsg("cli_scanswf: INITBITS: Can't read file or file truncated\n"); \
|
|
|
|
|
return CL_EFORMAT; \
|
|
|
|
|
} \
|
|
|
|
|
}
|
2011-03-28 20:25:40 +02:00
|
|
|
|
2018-12-03 12:40:13 -05:00
|
|
|
#define GETBITS(v, n) \
|
|
|
|
|
{ \
|
|
|
|
|
getbits_n = n; \
|
|
|
|
|
bits = 0; \
|
|
|
|
|
while (getbits_n > bitpos) { \
|
|
|
|
|
getbits_n -= bitpos; \
|
|
|
|
|
bits |= bitbuf << getbits_n; \
|
|
|
|
|
if (fmap_readn(map, &get_c, offset, sizeof(get_c)) == sizeof(get_c)) { \
|
|
|
|
|
bitbuf = (unsigned int)get_c; \
|
|
|
|
|
bitpos = 8; \
|
|
|
|
|
offset += sizeof(get_c); \
|
|
|
|
|
} else { \
|
|
|
|
|
cli_warnmsg("cli_scanswf: GETBITS: Can't read file or file truncated\n"); \
|
|
|
|
|
return CL_EFORMAT; \
|
|
|
|
|
} \
|
|
|
|
|
} \
|
|
|
|
|
bitpos -= getbits_n; \
|
|
|
|
|
bits |= bitbuf >> bitpos; \
|
|
|
|
|
bitbuf &= 0xff >> (8 - bitpos); \
|
|
|
|
|
v = bits & 0xffff; \
|
|
|
|
|
}
|
2011-03-28 20:25:40 +02:00
|
|
|
|
2018-12-03 12:40:13 -05:00
|
|
|
#define GETWORD(v) \
|
|
|
|
|
{ \
|
|
|
|
|
if (fmap_readn(map, &get_c, offset, sizeof(get_c)) == sizeof(get_c)) { \
|
|
|
|
|
getword_1 = (unsigned int)get_c; \
|
|
|
|
|
offset += sizeof(get_c); \
|
|
|
|
|
} else { \
|
|
|
|
|
cli_warnmsg("cli_scanswf: GETWORD: Can't read file or file truncated\n"); \
|
|
|
|
|
return CL_EFORMAT; \
|
|
|
|
|
} \
|
|
|
|
|
if (fmap_readn(map, &get_c, offset, sizeof(get_c)) == sizeof(get_c)) { \
|
|
|
|
|
getword_2 = (unsigned int)get_c; \
|
|
|
|
|
offset += sizeof(get_c); \
|
|
|
|
|
} else { \
|
|
|
|
|
cli_warnmsg("cli_scanswf: GETWORD: Can't read file or file truncated\n"); \
|
|
|
|
|
return CL_EFORMAT; \
|
|
|
|
|
} \
|
|
|
|
|
v = (uint16_t)(getword_1 & 0xff) | ((getword_2 & 0xff) << 8); \
|
|
|
|
|
}
|
2011-03-28 20:25:40 +02:00
|
|
|
|
2018-12-03 12:40:13 -05:00
|
|
|
#define GETDWORD(v) \
|
|
|
|
|
{ \
|
|
|
|
|
GETWORD(getdword_1); \
|
|
|
|
|
GETWORD(getdword_2); \
|
|
|
|
|
v = (uint32_t)(getdword_1 | (getdword_2 << 16)); \
|
|
|
|
|
}
|
2011-03-28 20:25:40 +02:00
|
|
|
|
|
|
|
|
struct swf_file_hdr {
|
|
|
|
|
char signature[3];
|
|
|
|
|
uint8_t version;
|
|
|
|
|
uint32_t filesize;
|
|
|
|
|
};
|
|
|
|
|
|
2015-04-28 17:28:23 -04:00
|
|
|
static int scanzws(cli_ctx *ctx, struct swf_file_hdr *hdr)
|
|
|
|
|
{
|
2018-12-03 12:40:13 -05:00
|
|
|
struct CLI_LZMA lz;
|
|
|
|
|
unsigned char inbuff[FILEBUFF], outbuff[FILEBUFF];
|
|
|
|
|
fmap_t *map = *ctx->fmap;
|
|
|
|
|
/* strip off header */
|
|
|
|
|
off_t offset = 8;
|
|
|
|
|
uint32_t d_insize;
|
|
|
|
|
size_t outsize = 8;
|
2019-05-04 15:54:54 -04:00
|
|
|
int ret, lret;
|
|
|
|
|
size_t count;
|
2018-12-03 12:40:13 -05:00
|
|
|
char *tmpname;
|
|
|
|
|
int fd;
|
|
|
|
|
|
2020-03-19 21:23:54 -04:00
|
|
|
if ((ret = cli_gentempfd(ctx->sub_tmpdir, &tmpname, &fd)) != CL_SUCCESS) {
|
2015-05-01 15:47:13 -04:00
|
|
|
cli_errmsg("scanzws: Can't generate temporary file\n");
|
|
|
|
|
return ret;
|
2015-04-28 17:28:23 -04:00
|
|
|
}
|
|
|
|
|
|
|
|
|
|
hdr->signature[0] = 'F';
|
2018-12-03 12:40:13 -05:00
|
|
|
if (cli_writen(fd, hdr, sizeof(struct swf_file_hdr)) != sizeof(struct swf_file_hdr)) {
|
2015-05-01 15:47:13 -04:00
|
|
|
cli_errmsg("scanzws: Can't write to file %s\n", tmpname);
|
2015-04-28 17:28:23 -04:00
|
|
|
close(fd);
|
2018-12-03 12:40:13 -05:00
|
|
|
if (cli_unlink(tmpname)) {
|
2015-05-01 15:47:13 -04:00
|
|
|
free(tmpname);
|
|
|
|
|
return CL_EUNLINK;
|
|
|
|
|
}
|
|
|
|
|
free(tmpname);
|
|
|
|
|
return CL_EWRITE;
|
2015-04-28 17:28:23 -04:00
|
|
|
}
|
|
|
|
|
|
2015-05-01 15:23:07 -04:00
|
|
|
/* read 4 bytes (for compressed 32-bit filesize) [not used for LZMA] */
|
|
|
|
|
if (fmap_readn(map, &d_insize, offset, sizeof(d_insize)) != sizeof(d_insize)) {
|
2015-05-01 15:47:13 -04:00
|
|
|
cli_errmsg("scanzws: Error reading SWF file\n");
|
2015-05-01 15:23:07 -04:00
|
|
|
close(fd);
|
|
|
|
|
if (cli_unlink(tmpname)) {
|
|
|
|
|
free(tmpname);
|
|
|
|
|
return CL_EUNLINK;
|
|
|
|
|
}
|
|
|
|
|
free(tmpname);
|
|
|
|
|
return CL_EREAD;
|
|
|
|
|
}
|
|
|
|
|
offset += sizeof(d_insize);
|
|
|
|
|
|
|
|
|
|
/* check if declared input size matches actual output size */
|
|
|
|
|
/* map->len = header (8 bytes) + d_insize (4 bytes) + flags (5 bytes) + compressed stream */
|
|
|
|
|
if (d_insize != (map->len - 17)) {
|
|
|
|
|
cli_warnmsg("SWF: declared input length != compressed stream size, %u != %llu\n",
|
|
|
|
|
d_insize, (long long unsigned)(map->len - 17));
|
|
|
|
|
} else {
|
|
|
|
|
cli_dbgmsg("SWF: declared input length == compressed stream size, %u == %llu\n",
|
2018-12-03 12:40:13 -05:00
|
|
|
d_insize, (long long unsigned)(map->len - 17));
|
2015-05-01 15:23:07 -04:00
|
|
|
}
|
|
|
|
|
|
|
|
|
|
/* first buffer required for initializing LZMA */
|
|
|
|
|
ret = fmap_readn(map, inbuff, offset, FILEBUFF);
|
|
|
|
|
if (ret < 0) {
|
2015-05-01 15:47:13 -04:00
|
|
|
cli_errmsg("scanzws: Error reading SWF file\n");
|
|
|
|
|
close(fd);
|
|
|
|
|
if (cli_unlink(tmpname)) {
|
|
|
|
|
free(tmpname);
|
|
|
|
|
return CL_EUNLINK;
|
|
|
|
|
}
|
|
|
|
|
free(tmpname);
|
|
|
|
|
return CL_EUNPACK;
|
2015-05-01 15:23:07 -04:00
|
|
|
}
|
2015-08-17 18:04:39 -04:00
|
|
|
/* nothing written, likely truncated */
|
|
|
|
|
if (!ret) {
|
|
|
|
|
cli_errmsg("scanzws: possibly truncated file\n");
|
|
|
|
|
close(fd);
|
|
|
|
|
if (cli_unlink(tmpname)) {
|
|
|
|
|
free(tmpname);
|
|
|
|
|
return CL_EUNLINK;
|
|
|
|
|
}
|
|
|
|
|
free(tmpname);
|
|
|
|
|
return CL_EFORMAT;
|
|
|
|
|
}
|
2015-05-01 15:23:07 -04:00
|
|
|
offset += ret;
|
|
|
|
|
|
|
|
|
|
memset(&lz, 0, sizeof(lz));
|
2018-12-03 12:40:13 -05:00
|
|
|
lz.next_in = inbuff;
|
|
|
|
|
lz.next_out = outbuff;
|
|
|
|
|
lz.avail_in = ret;
|
2015-05-01 15:23:07 -04:00
|
|
|
lz.avail_out = FILEBUFF;
|
2015-04-28 17:28:23 -04:00
|
|
|
|
2015-05-01 15:23:07 -04:00
|
|
|
lret = cli_LzmaInit(&lz, hdr->filesize);
|
2015-04-28 17:28:23 -04:00
|
|
|
if (lret != LZMA_RESULT_OK) {
|
2015-05-01 15:47:13 -04:00
|
|
|
cli_errmsg("scanzws: LzmaInit() failed\n");
|
|
|
|
|
close(fd);
|
|
|
|
|
if (cli_unlink(tmpname)) {
|
|
|
|
|
free(tmpname);
|
|
|
|
|
return CL_EUNLINK;
|
|
|
|
|
}
|
|
|
|
|
free(tmpname);
|
|
|
|
|
return CL_EUNPACK;
|
2015-04-28 17:28:23 -04:00
|
|
|
}
|
|
|
|
|
|
2015-05-01 15:23:07 -04:00
|
|
|
while (lret == LZMA_RESULT_OK) {
|
2015-05-01 15:47:13 -04:00
|
|
|
if (lz.avail_in == 0) {
|
|
|
|
|
lz.next_in = inbuff;
|
|
|
|
|
|
|
|
|
|
ret = fmap_readn(map, inbuff, offset, FILEBUFF);
|
|
|
|
|
if (ret < 0) {
|
|
|
|
|
cli_errmsg("scanzws: Error reading SWF file\n");
|
|
|
|
|
cli_LzmaShutdown(&lz);
|
|
|
|
|
close(fd);
|
|
|
|
|
if (cli_unlink(tmpname)) {
|
|
|
|
|
free(tmpname);
|
|
|
|
|
return CL_EUNLINK;
|
|
|
|
|
}
|
|
|
|
|
free(tmpname);
|
|
|
|
|
return CL_EUNPACK;
|
|
|
|
|
}
|
|
|
|
|
if (!ret)
|
|
|
|
|
break;
|
|
|
|
|
lz.avail_in = ret;
|
|
|
|
|
offset += ret;
|
|
|
|
|
}
|
2018-12-03 12:40:13 -05:00
|
|
|
lret = cli_LzmaDecode(&lz);
|
2015-05-01 15:47:13 -04:00
|
|
|
count = FILEBUFF - lz.avail_out;
|
|
|
|
|
if (count) {
|
|
|
|
|
if (cli_checklimits("SWF", ctx, outsize + count, 0, 0) != CL_SUCCESS)
|
|
|
|
|
break;
|
|
|
|
|
if (cli_writen(fd, outbuff, count) != count) {
|
|
|
|
|
cli_errmsg("scanzws: Can't write to file %s\n", tmpname);
|
|
|
|
|
cli_LzmaShutdown(&lz);
|
|
|
|
|
close(fd);
|
|
|
|
|
if (cli_unlink(tmpname)) {
|
|
|
|
|
free(tmpname);
|
|
|
|
|
return CL_EUNLINK;
|
|
|
|
|
}
|
|
|
|
|
free(tmpname);
|
|
|
|
|
return CL_EWRITE;
|
|
|
|
|
}
|
|
|
|
|
outsize += count;
|
|
|
|
|
}
|
2018-12-03 12:40:13 -05:00
|
|
|
lz.next_out = outbuff;
|
2015-05-01 15:47:13 -04:00
|
|
|
lz.avail_out = FILEBUFF;
|
2015-05-01 15:23:07 -04:00
|
|
|
}
|
2015-04-28 17:28:23 -04:00
|
|
|
|
|
|
|
|
cli_LzmaShutdown(&lz);
|
|
|
|
|
|
2015-05-01 15:23:07 -04:00
|
|
|
if (lret != LZMA_STREAM_END && lret != LZMA_RESULT_OK) {
|
2015-05-01 15:47:13 -04:00
|
|
|
/* outsize starts at 8, therefore, if its still 8, nothing was decompressed */
|
|
|
|
|
if (outsize == 8) {
|
|
|
|
|
cli_infomsg(ctx, "scanzws: Error decompressing SWF file. No data decompressed.\n");
|
|
|
|
|
close(fd);
|
|
|
|
|
if (cli_unlink(tmpname)) {
|
|
|
|
|
free(tmpname);
|
|
|
|
|
return CL_EUNLINK;
|
|
|
|
|
}
|
|
|
|
|
free(tmpname);
|
|
|
|
|
return CL_EUNPACK;
|
|
|
|
|
}
|
|
|
|
|
cli_infomsg(ctx, "scanzws: Error decompressing SWF file. Scanning what was decompressed.\n");
|
2015-04-28 17:28:23 -04:00
|
|
|
}
|
2015-08-18 12:10:19 -04:00
|
|
|
cli_dbgmsg("SWF: Decompressed[LZMA] to %s, size %llu\n", tmpname, (long long unsigned)outsize);
|
2015-04-28 17:28:23 -04:00
|
|
|
|
2015-05-01 15:23:07 -04:00
|
|
|
/* check if declared output size matches actual output size */
|
|
|
|
|
if (hdr->filesize != outsize) {
|
|
|
|
|
cli_warnmsg("SWF: declared output length != inflated stream size, %u != %llu\n",
|
|
|
|
|
hdr->filesize, (long long unsigned)outsize);
|
|
|
|
|
} else {
|
|
|
|
|
cli_dbgmsg("SWF: declared output length == inflated stream size, %u == %llu\n",
|
|
|
|
|
hdr->filesize, (long long unsigned)outsize);
|
|
|
|
|
}
|
|
|
|
|
|
2020-03-21 14:15:28 -04:00
|
|
|
ret = cli_magic_scan_desc(fd, tmpname, ctx, NULL);
|
2015-04-28 17:28:23 -04:00
|
|
|
|
|
|
|
|
close(fd);
|
|
|
|
|
if (!(ctx->engine->keeptmp)) {
|
2015-05-01 15:47:13 -04:00
|
|
|
if (cli_unlink(tmpname)) {
|
|
|
|
|
free(tmpname);
|
|
|
|
|
return CL_EUNLINK;
|
|
|
|
|
}
|
2015-04-28 17:28:23 -04:00
|
|
|
}
|
|
|
|
|
free(tmpname);
|
|
|
|
|
return ret;
|
|
|
|
|
}
|
|
|
|
|
|
2011-03-28 20:25:40 +02:00
|
|
|
static int scancws(cli_ctx *ctx, struct swf_file_hdr *hdr)
|
|
|
|
|
{
|
2018-12-03 12:40:13 -05:00
|
|
|
z_stream stream;
|
|
|
|
|
char inbuff[FILEBUFF], outbuff[FILEBUFF];
|
2019-05-04 15:54:54 -04:00
|
|
|
fmap_t *map = *ctx->fmap;
|
|
|
|
|
int offset = 8, ret, zret, zend;
|
|
|
|
|
size_t outsize = 8;
|
|
|
|
|
size_t count;
|
2018-12-03 12:40:13 -05:00
|
|
|
char *tmpname;
|
|
|
|
|
int fd;
|
|
|
|
|
|
2020-03-19 21:23:54 -04:00
|
|
|
if ((ret = cli_gentempfd(ctx->sub_tmpdir, &tmpname, &fd)) != CL_SUCCESS) {
|
2015-05-01 15:47:13 -04:00
|
|
|
cli_errmsg("scancws: Can't generate temporary file\n");
|
|
|
|
|
return ret;
|
2011-03-28 20:25:40 +02:00
|
|
|
}
|
|
|
|
|
|
|
|
|
|
hdr->signature[0] = 'F';
|
2018-12-03 12:40:13 -05:00
|
|
|
if (cli_writen(fd, hdr, sizeof(struct swf_file_hdr)) != sizeof(struct swf_file_hdr)) {
|
2015-05-01 15:47:13 -04:00
|
|
|
cli_errmsg("scancws: Can't write to file %s\n", tmpname);
|
2011-04-15 12:39:45 +02:00
|
|
|
close(fd);
|
2018-12-03 12:40:13 -05:00
|
|
|
if (cli_unlink(tmpname)) {
|
2015-05-01 15:47:13 -04:00
|
|
|
free(tmpname);
|
|
|
|
|
return CL_EUNLINK;
|
|
|
|
|
}
|
|
|
|
|
free(tmpname);
|
|
|
|
|
return CL_EWRITE;
|
2011-03-28 20:25:40 +02:00
|
|
|
}
|
|
|
|
|
|
2018-12-03 12:40:13 -05:00
|
|
|
stream.avail_in = 0;
|
|
|
|
|
stream.next_in = (Bytef *)inbuff;
|
|
|
|
|
stream.next_out = (Bytef *)outbuff;
|
|
|
|
|
stream.zalloc = (alloc_func)NULL;
|
|
|
|
|
stream.zfree = (free_func)NULL;
|
|
|
|
|
stream.opaque = (voidpf)0;
|
2011-03-28 20:25:40 +02:00
|
|
|
stream.avail_out = FILEBUFF;
|
|
|
|
|
|
|
|
|
|
zret = inflateInit(&stream);
|
2018-12-03 12:40:13 -05:00
|
|
|
if (zret != Z_OK) {
|
2015-05-01 15:47:13 -04:00
|
|
|
cli_errmsg("scancws: inflateInit() failed\n");
|
2011-03-28 20:25:40 +02:00
|
|
|
close(fd);
|
2018-12-03 12:40:13 -05:00
|
|
|
if (cli_unlink(tmpname)) {
|
2015-05-01 15:47:13 -04:00
|
|
|
free(tmpname);
|
|
|
|
|
return CL_EUNLINK;
|
|
|
|
|
}
|
|
|
|
|
free(tmpname);
|
|
|
|
|
return CL_EUNPACK;
|
2011-03-28 20:25:40 +02:00
|
|
|
}
|
|
|
|
|
|
|
|
|
|
do {
|
2018-12-03 12:40:13 -05:00
|
|
|
if (stream.avail_in == 0) {
|
2015-05-01 15:47:13 -04:00
|
|
|
stream.next_in = (Bytef *)inbuff;
|
2018-12-03 12:40:13 -05:00
|
|
|
ret = fmap_readn(map, inbuff, offset, FILEBUFF);
|
|
|
|
|
if (ret < 0) {
|
2015-05-01 15:47:13 -04:00
|
|
|
cli_errmsg("scancws: Error reading SWF file\n");
|
|
|
|
|
close(fd);
|
|
|
|
|
inflateEnd(&stream);
|
2018-12-03 12:40:13 -05:00
|
|
|
if (cli_unlink(tmpname)) {
|
2015-05-01 15:47:13 -04:00
|
|
|
free(tmpname);
|
|
|
|
|
return CL_EUNLINK;
|
|
|
|
|
}
|
|
|
|
|
free(tmpname);
|
|
|
|
|
return CL_EUNPACK;
|
|
|
|
|
}
|
2018-12-03 12:40:13 -05:00
|
|
|
if (!ret)
|
2015-05-01 15:47:13 -04:00
|
|
|
break;
|
|
|
|
|
stream.avail_in = ret;
|
|
|
|
|
offset += ret;
|
|
|
|
|
}
|
2018-12-03 12:40:13 -05:00
|
|
|
zret = inflate(&stream, Z_SYNC_FLUSH);
|
2015-05-01 15:47:13 -04:00
|
|
|
count = FILEBUFF - stream.avail_out;
|
2018-12-03 12:40:13 -05:00
|
|
|
if (count) {
|
|
|
|
|
if (cli_checklimits("SWF", ctx, outsize + count, 0, 0) != CL_SUCCESS)
|
2015-05-01 15:47:13 -04:00
|
|
|
break;
|
2018-12-03 12:40:13 -05:00
|
|
|
if (cli_writen(fd, outbuff, count) != count) {
|
2015-05-01 15:47:13 -04:00
|
|
|
cli_errmsg("scancws: Can't write to file %s\n", tmpname);
|
|
|
|
|
inflateEnd(&stream);
|
|
|
|
|
close(fd);
|
2018-12-03 12:40:13 -05:00
|
|
|
if (cli_unlink(tmpname)) {
|
2015-05-01 15:47:13 -04:00
|
|
|
free(tmpname);
|
|
|
|
|
return CL_EUNLINK;
|
|
|
|
|
}
|
|
|
|
|
free(tmpname);
|
|
|
|
|
return CL_EWRITE;
|
|
|
|
|
}
|
|
|
|
|
outsize += count;
|
|
|
|
|
}
|
2018-12-03 12:40:13 -05:00
|
|
|
stream.next_out = (Bytef *)outbuff;
|
2015-05-01 15:47:13 -04:00
|
|
|
stream.avail_out = FILEBUFF;
|
2018-12-03 12:40:13 -05:00
|
|
|
} while (zret == Z_OK);
|
2011-03-28 20:25:40 +02:00
|
|
|
|
2014-11-04 18:38:34 -05:00
|
|
|
zend = inflateEnd(&stream);
|
|
|
|
|
|
2018-12-03 12:40:13 -05:00
|
|
|
if ((zret != Z_STREAM_END && zret != Z_OK) || zend != Z_OK) {
|
2014-08-19 13:16:42 -04:00
|
|
|
/*
|
|
|
|
|
* outsize is initialized to 8, it being 8 here means that we couldn't even read a single byte.
|
|
|
|
|
* If outsize > 8, then we have data. Let's scan what we have.
|
|
|
|
|
*/
|
|
|
|
|
if (outsize == 8) {
|
|
|
|
|
cli_infomsg(ctx, "scancws: Error decompressing SWF file. No data decompressed.\n");
|
|
|
|
|
close(fd);
|
2018-12-03 12:40:13 -05:00
|
|
|
if (cli_unlink(tmpname)) {
|
2014-08-19 13:16:42 -04:00
|
|
|
free(tmpname);
|
|
|
|
|
return CL_EUNLINK;
|
|
|
|
|
}
|
|
|
|
|
free(tmpname);
|
|
|
|
|
return CL_EUNPACK;
|
|
|
|
|
}
|
|
|
|
|
cli_infomsg(ctx, "scancws: Error decompressing SWF file. Scanning what was decompressed.\n");
|
2011-03-28 20:25:40 +02:00
|
|
|
}
|
2019-05-04 15:54:54 -04:00
|
|
|
cli_dbgmsg("SWF: Decompressed[zlib] to %s, size %zu\n", tmpname, outsize);
|
2011-03-28 20:25:40 +02:00
|
|
|
|
2015-05-01 15:23:07 -04:00
|
|
|
/* check if declared output size matches actual output size */
|
|
|
|
|
if (hdr->filesize != outsize) {
|
2019-05-04 15:54:54 -04:00
|
|
|
cli_warnmsg("SWF: declared output length != inflated stream size, %u != %zu\n",
|
|
|
|
|
hdr->filesize, outsize);
|
2015-05-01 15:23:07 -04:00
|
|
|
} else {
|
2019-05-04 15:54:54 -04:00
|
|
|
cli_dbgmsg("SWF: declared output length == inflated stream size, %u == %zu\n",
|
|
|
|
|
hdr->filesize, outsize);
|
2015-05-01 15:23:07 -04:00
|
|
|
}
|
|
|
|
|
|
2020-03-21 14:15:28 -04:00
|
|
|
ret = cli_magic_scan_desc(fd, tmpname, ctx, NULL);
|
2011-03-28 20:25:40 +02:00
|
|
|
|
|
|
|
|
close(fd);
|
2018-12-03 12:40:13 -05:00
|
|
|
if (!ctx->engine->keeptmp) {
|
|
|
|
|
if (cli_unlink(tmpname)) {
|
2015-05-01 15:47:13 -04:00
|
|
|
free(tmpname);
|
|
|
|
|
return CL_EUNLINK;
|
|
|
|
|
}
|
2011-03-28 20:25:40 +02:00
|
|
|
}
|
|
|
|
|
free(tmpname);
|
|
|
|
|
return ret;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
static const char *tagname(tag_id id)
|
|
|
|
|
{
|
2018-12-03 12:40:13 -05:00
|
|
|
unsigned int i;
|
2011-03-28 20:25:40 +02:00
|
|
|
|
2018-12-03 12:40:13 -05:00
|
|
|
for (i = 0; tag_names[i].name; i++)
|
|
|
|
|
if (tag_names[i].id == id)
|
2015-05-01 15:47:13 -04:00
|
|
|
return tag_names[i].name;
|
2011-03-28 20:25:40 +02:00
|
|
|
return NULL;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
int cli_scanswf(cli_ctx *ctx)
|
|
|
|
|
{
|
2013-01-15 15:42:31 -05:00
|
|
|
struct swf_file_hdr file_hdr;
|
|
|
|
|
fmap_t *map = *ctx->fmap;
|
|
|
|
|
unsigned int bitpos, bitbuf, getbits_n, nbits, getword_1, getword_2, getdword_1, getdword_2;
|
|
|
|
|
const char *pt;
|
2014-05-23 11:45:49 -04:00
|
|
|
unsigned char get_c;
|
2013-02-04 16:32:50 -05:00
|
|
|
size_t offset = 0;
|
|
|
|
|
unsigned int val, foo, tag_hdr, tag_type, tag_len;
|
2013-01-15 15:42:31 -05:00
|
|
|
unsigned long int bits;
|
2011-03-28 20:25:40 +02:00
|
|
|
|
|
|
|
|
cli_dbgmsg("in cli_scanswf()\n");
|
|
|
|
|
|
2018-12-03 12:40:13 -05:00
|
|
|
if (fmap_readn(map, &file_hdr, offset, sizeof(file_hdr)) != sizeof(file_hdr)) {
|
2015-05-01 15:47:13 -04:00
|
|
|
cli_dbgmsg("SWF: Can't read file header\n");
|
|
|
|
|
return CL_CLEAN;
|
2011-03-28 20:25:40 +02:00
|
|
|
}
|
|
|
|
|
offset += sizeof(file_hdr);
|
2015-12-11 17:41:38 -05:00
|
|
|
/*
|
|
|
|
|
** SWF stores the integer bytes with the least significate byte first
|
|
|
|
|
*/
|
2018-12-03 12:40:13 -05:00
|
|
|
|
|
|
|
|
file_hdr.filesize = le32_to_host(file_hdr.filesize);
|
2015-12-11 17:41:38 -05:00
|
|
|
|
|
|
|
|
cli_dbgmsg("SWF: Version: %u\n", file_hdr.version);
|
|
|
|
|
cli_dbgmsg("SWF: File size: %u\n", file_hdr.filesize);
|
2011-03-28 20:25:40 +02:00
|
|
|
|
2018-12-03 12:40:13 -05:00
|
|
|
if (!strncmp(file_hdr.signature, "CWS", 3)) {
|
2015-05-01 15:47:13 -04:00
|
|
|
cli_dbgmsg("SWF: zlib compressed file\n");
|
|
|
|
|
return scancws(ctx, &file_hdr);
|
2018-12-03 12:40:13 -05:00
|
|
|
} else if (!strncmp(file_hdr.signature, "ZWS", 3)) {
|
2015-05-01 15:47:13 -04:00
|
|
|
cli_dbgmsg("SWF: LZMA compressed file\n");
|
|
|
|
|
return scanzws(ctx, &file_hdr);
|
2018-12-03 12:40:13 -05:00
|
|
|
} else if (!strncmp(file_hdr.signature, "FWS", 3)) {
|
2015-05-01 15:47:13 -04:00
|
|
|
cli_dbgmsg("SWF: Uncompressed file\n");
|
2011-03-28 20:25:40 +02:00
|
|
|
} else {
|
2015-05-01 15:47:13 -04:00
|
|
|
cli_dbgmsg("SWF: Not a SWF file\n");
|
|
|
|
|
return CL_CLEAN;
|
2011-03-28 20:25:40 +02:00
|
|
|
}
|
|
|
|
|
|
|
|
|
|
INITBITS;
|
|
|
|
|
|
|
|
|
|
GETBITS(nbits, 5);
|
2014-05-23 11:45:49 -04:00
|
|
|
cli_dbgmsg("SWF: FrameSize RECT size bits: %u\n", nbits);
|
|
|
|
|
{
|
|
|
|
|
uint32_t xMin = 0, xMax = 0, yMin = 0, yMax = 0;
|
|
|
|
|
GETBITS(xMin, nbits); /* Should be zero */
|
|
|
|
|
GETBITS(xMax, nbits);
|
|
|
|
|
GETBITS(yMin, nbits); /* Should be zero */
|
|
|
|
|
GETBITS(yMax, nbits);
|
|
|
|
|
cli_dbgmsg("SWF: FrameSize xMin %u xMax %u yMin %u yMax %u\n", xMin, xMax, yMin, yMax);
|
|
|
|
|
}
|
2011-03-28 20:25:40 +02:00
|
|
|
|
|
|
|
|
GETWORD(foo);
|
2011-03-30 16:02:41 +02:00
|
|
|
GETWORD(val);
|
|
|
|
|
cli_dbgmsg("SWF: Frames total: %d\n", val);
|
2011-03-28 20:25:40 +02:00
|
|
|
|
2014-05-23 11:54:02 -04:00
|
|
|
/* Skip Flash tag walk unless debug mode */
|
2018-12-03 12:40:13 -05:00
|
|
|
if (!cli_debug_flag) {
|
2014-05-23 11:54:02 -04:00
|
|
|
return CL_CLEAN;
|
|
|
|
|
}
|
|
|
|
|
|
2018-12-03 12:40:13 -05:00
|
|
|
while (offset < map->len) {
|
2015-05-01 15:47:13 -04:00
|
|
|
GETWORD(tag_hdr);
|
|
|
|
|
tag_type = tag_hdr >> 6;
|
2018-12-03 12:40:13 -05:00
|
|
|
if (tag_type == 0)
|
2015-05-01 15:47:13 -04:00
|
|
|
break;
|
|
|
|
|
tag_len = tag_hdr & 0x3f;
|
2018-12-03 12:40:13 -05:00
|
|
|
if (tag_len == 0x3f)
|
2015-05-01 15:47:13 -04:00
|
|
|
GETDWORD(tag_len);
|
|
|
|
|
|
|
|
|
|
pt = tagname(tag_type);
|
|
|
|
|
cli_dbgmsg("SWF: %s\n", pt ? pt : "UNKNOWN TAG");
|
|
|
|
|
cli_dbgmsg("SWF: Tag length: %u\n", tag_len);
|
|
|
|
|
if (tag_len > map->len) {
|
|
|
|
|
cli_dbgmsg("SWF: Invalid tag length.\n");
|
|
|
|
|
return CL_EFORMAT;
|
|
|
|
|
}
|
|
|
|
|
if ((offset + tag_len) < offset) {
|
|
|
|
|
cli_warnmsg("SWF: Tag length too large.\n");
|
|
|
|
|
break;
|
|
|
|
|
}
|
2018-12-03 12:40:13 -05:00
|
|
|
if (!pt) {
|
2015-05-01 15:47:13 -04:00
|
|
|
offset += tag_len;
|
|
|
|
|
continue;
|
|
|
|
|
}
|
|
|
|
|
|
2018-12-03 12:40:13 -05:00
|
|
|
switch (tag_type) {
|
2015-05-01 15:47:13 -04:00
|
|
|
case TAG_SCRIPTLIMITS: {
|
|
|
|
|
unsigned int recursion, timeout;
|
|
|
|
|
GETWORD(recursion);
|
|
|
|
|
GETWORD(timeout);
|
|
|
|
|
cli_dbgmsg("SWF: scriptLimits recursion %u timeout %u\n", recursion, timeout);
|
|
|
|
|
break;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
case TAG_FILEATTRIBUTES:
|
|
|
|
|
GETDWORD(val);
|
|
|
|
|
cli_dbgmsg("SWF: File attributes:\n");
|
2018-12-03 12:40:13 -05:00
|
|
|
if (val & SWF_ATTR_USENETWORK)
|
2015-05-01 15:47:13 -04:00
|
|
|
cli_dbgmsg(" * Use network\n");
|
2018-12-03 12:40:13 -05:00
|
|
|
if (val & SWF_ATTR_RELATIVEURLS)
|
2015-05-01 15:47:13 -04:00
|
|
|
cli_dbgmsg(" * Relative URLs\n");
|
2018-12-03 12:40:13 -05:00
|
|
|
if (val & SWF_ATTR_SUPPRESSCROSSDOMAINCACHE)
|
2015-05-01 15:47:13 -04:00
|
|
|
cli_dbgmsg(" * Suppress cross domain cache\n");
|
2018-12-03 12:40:13 -05:00
|
|
|
if (val & SWF_ATTR_ACTIONSCRIPT3)
|
2015-05-01 15:47:13 -04:00
|
|
|
cli_dbgmsg(" * ActionScript 3.0\n");
|
2018-12-03 12:40:13 -05:00
|
|
|
if (val & SWF_ATTR_HASMETADATA)
|
2015-05-01 15:47:13 -04:00
|
|
|
cli_dbgmsg(" * Has metadata\n");
|
2018-12-03 12:40:13 -05:00
|
|
|
if (val & SWF_ATTR_USEDIRECTBLIT)
|
2015-05-01 15:47:13 -04:00
|
|
|
cli_dbgmsg(" * Use hardware acceleration\n");
|
2018-12-03 12:40:13 -05:00
|
|
|
if (val & SWF_ATTR_USEGPU)
|
2015-05-01 15:47:13 -04:00
|
|
|
cli_dbgmsg(" * Use GPU\n");
|
|
|
|
|
break;
|
|
|
|
|
|
|
|
|
|
default:
|
|
|
|
|
offset += tag_len;
|
|
|
|
|
continue;
|
|
|
|
|
}
|
2011-03-28 20:25:40 +02:00
|
|
|
}
|
|
|
|
|
|
|
|
|
|
return CL_CLEAN;
|
|
|
|
|
}
|
