Stowage/clamav
2
0
Fork 0
mirror of https://github.com/Cisco-Talos/clamav.git synced 2025-10-19 10:23:17 +00:00
Code Issues Projects Releases Packages Wiki Activity

Optimise UPX recognition. Respect archive limits.

Browse source 
git-svn: trunk@652
This commit is contained in:
Tomasz Kojm 2004-07-06 02:27:22 +00:00
parent a9082ea2fd
commit 03a2d04ae0
4 changed files with 37 additions and 26 deletions
Download patch file Download diff file Expand all files Collapse all files

4
clamav-devel/ChangeLog
View file

@ -1,3 +1,7 @@
Tue Jul 6 04:22:02 CEST 2004 (tk)
----------------------------------
* libclamav: pe: optimise UPX recognition. Respect archive limits.
Tue Jul 6 01:46:41 CEST 2004 (tk)
----------------------------------
* libclamav: pe, upx: add big-endian support

3
clamav-devel/libclamav/matcher.c
View file

@ -258,7 +258,8 @@ int cli_scanbuff(const char *buffer, unsigned int length, const char **virname,
if(pt->type) {
if(typerec) {
cli_dbgmsg("Matched signature for file type: %s\n", pt->virname);
type = pt->type;
if(pt->type > type)
type = pt->type;
}
} else {
if(virname)

52
clamav-devel/libclamav/pe.c
View file

@ -427,29 +427,6 @@ int cli_scanpe(int desc, const char **virname, long int *scanned, const struct c
/* UPX support */
/* try to detect UPX code */
if(lseek(desc, ep + 0x78, SEEK_SET) == -1) {
cli_dbgmsg("lseek() failed\n");
free(section_hdr);
return CL_EIO;
}
if(read(desc, buff, 13) != 13) {
cli_dbgmsg("UPX: Can't read 13 bytes at 0x%x (%d)\n", ep + 0x78, ep + 0x78);
} else {
if(cli_memstr(UPX_NRV2B, 24, buff, 13)) {
cli_dbgmsg("UPX: Looks like a NRV2B decompressor\n");
upxfn = upx_inflate2b;
} else if(cli_memstr(UPX_NRV2D, 24, buff, 13)) {
cli_dbgmsg("UPX: Looks like a NRV2D decompressor\n");
upxfn = upx_inflate2d;
} else if(cli_memstr(UPX_NRV2E, 24, buff, 13)) {
cli_dbgmsg("UPX: Looks like a NRV2E decompressor\n");
upxfn = upx_inflate2e;
}
}
/* try to find the first section with physical size == 0 */
found = 0;
for(i = 0; i < nsections - 1; i++) {
@ -478,6 +455,11 @@ int cli_scanpe(int desc, const char **virname, long int *scanned, const struct c
ssize = EC32(section_hdr[i + 1].SizeOfRawData);
dsize = EC32(section_hdr[i].VirtualSize) + EC32(section_hdr[i + 1].VirtualSize);
if(limits && limits->maxfilesize && (ssize > limits->maxfilesize || dsize > limits->maxfilesize)) {
cli_dbgmsg("UPX: Sizes exceeded (ssize: %d, dsize: %d, max: %lu)\n", ssize, dsize , limits->maxfilesize);
return CL_CLEAN;
}
/* FIXME: use file operations in case of big files */
if((src = (char *) cli_malloc(ssize)) == NULL) {
free(section_hdr);
@ -499,6 +481,30 @@ int cli_scanpe(int desc, const char **virname, long int *scanned, const struct c
return CL_EIO;
}
/* try to detect UPX code */
if(lseek(desc, ep + 0x78, SEEK_SET) == -1) {
cli_dbgmsg("lseek() failed\n");
free(section_hdr);
return CL_EIO;
}
if(read(desc, buff, 13) != 13) {
cli_dbgmsg("UPX: Can't read 13 bytes at 0x%x (%d)\n", ep + 0x78, ep + 0x78);
return CL_EIO;
} else {
if(cli_memstr(UPX_NRV2B, 24, buff, 13)) {
cli_dbgmsg("UPX: Looks like a NRV2B decompression routine\n");
upxfn = upx_inflate2b;
} else if(cli_memstr(UPX_NRV2D, 24, buff, 13)) {
cli_dbgmsg("UPX: Looks like a NRV2D decompression routine\n");
upxfn = upx_inflate2d;
} else if(cli_memstr(UPX_NRV2E, 24, buff, 13)) {
cli_dbgmsg("UPX: Looks like a NRV2E decompression routine\n");
upxfn = upx_inflate2e;
}
}
if(upxfn) {
if(upxfn(src, ssize, dest, dsize)) {
cli_dbgmsg("UPX: Prefered decompressor failed\n");

4
clamav-devel/libclamav/scanners.c
View file

@ -75,7 +75,7 @@ extern short cli_leavetemps_flag;
#define DISABLE_RAR (options & CL_DISABLERAR)
#define DETECT_ENCRYPTED (options & CL_ENCRYPTED)
#define MAX_MAIL_RECURSION 10
#define MAX_MAIL_RECURSION 15
static int cli_magic_scandesc(int desc, const char **virname, long int *scanned, const struct cl_node *root, const struct cl_limits *limits, int options, int *arec, int *mrec);
@ -967,7 +967,7 @@ static int cli_scanmail(int desc, const char **virname, long int *scanned, const
int ret;
cli_dbgmsg("Starting cli_scanmail(), mrec == %d, arec == %d\n", mrec, arec);
cli_dbgmsg("Starting cli_scanmail(), mrec == %d, arec == %d\n", *mrec, *arec);
if((tmpdir = getenv("TMPDIR")) == NULL)
#ifdef P_tmpdir