diff --git a/clamav-devel/ChangeLog b/clamav-devel/ChangeLog
index b1ec04b0d..686aabf80 100644
--- a/clamav-devel/ChangeLog
+++ b/clamav-devel/ChangeLog
@@ -1,3 +1,7 @@
+Tue Jul 6 04:22:02 CEST 2004 (tk)
+----------------------------------
+ * libclamav: pe: optimise UPX recognition. Respect archive limits.
+
 Tue Jul 6 01:46:41 CEST 2004 (tk)
 ----------------------------------
 * libclamav: pe, upx: add big-endian support
diff --git a/clamav-devel/libclamav/matcher.c b/clamav-devel/libclamav/matcher.c
index 19e259598..1653f6e6d 100644
--- a/clamav-devel/libclamav/matcher.c
+++ b/clamav-devel/libclamav/matcher.c
@@ -258,7 +258,8 @@ int cli_scanbuff(const char *buffer, unsigned int length, const char **virname,
 if(pt->type) {
 if(typerec) {
 cli_dbgmsg("Matched signature for file type: %s\n", pt->virname);
- type = pt->type;
+ if(pt->type > type)
+ type = pt->type;
 }
 } else {
 if(virname)
diff --git a/clamav-devel/libclamav/pe.c b/clamav-devel/libclamav/pe.c
index ba01d8d47..a47199b32 100644
--- a/clamav-devel/libclamav/pe.c
+++ b/clamav-devel/libclamav/pe.c
@@ -427,29 +427,6 @@ int cli_scanpe(int desc, const char **virname, long int *scanned, const struct c
 /* UPX support */
- /* try to detect UPX code */
-
- if(lseek(desc, ep + 0x78, SEEK_SET) == -1) {
- cli_dbgmsg("lseek() failed\n");
- free(section_hdr);
- return CL_EIO;
- }
-
- if(read(desc, buff, 13) != 13) {
- cli_dbgmsg("UPX: Can't read 13 bytes at 0x%x (%d)\n", ep + 0x78, ep + 0x78);
- } else {
- if(cli_memstr(UPX_NRV2B, 24, buff, 13)) {
- cli_dbgmsg("UPX: Looks like a NRV2B decompressor\n");
- upxfn = upx_inflate2b;
- } else if(cli_memstr(UPX_NRV2D, 24, buff, 13)) {
- cli_dbgmsg("UPX: Looks like a NRV2D decompressor\n");
- upxfn = upx_inflate2d;
- } else if(cli_memstr(UPX_NRV2E, 24, buff, 13)) {
- cli_dbgmsg("UPX: Looks like a NRV2E decompressor\n");
- upxfn = upx_inflate2e;
- }
- }
-
 /* try to find the first section with physical size == 0 */
 found = 0;
 for(i = 0; i < nsections - 1; i++) {
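Review bot: In matcher.c the new `if(pt->type > type)` guard makes the reported file type depend on the numeric order of the type constants, and nothing at this site documents that. The constants are defined outside this diff, so whether a larger value really means a more specific type cannot be confirmed from here; since the recognised type presumably decides which unpacker or parser later runs on untrusted input, the ordering is worth pinning down. I would add a comment above the guard, e.g. `/* several type signatures may match; keep the highest-valued one (relies on the ordering of the type constants) */`. cli_scanbuff starts and ends outside the hunk, including the initial value of `type`.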
@@ -478,6 +455,11 @@ int cli_scanpe(int desc, const char **virname, long int *scanned, const struct c
 ssize = EC32(section_hdr[i + 1].SizeOfRawData);
 dsize = EC32(section_hdr[i].VirtualSize) + EC32(section_hdr[i + 1].VirtualSize);
+ if(limits && limits->maxfilesize && (ssize > limits->maxfilesize || dsize > limits->maxfilesize)) {
+ cli_dbgmsg("UPX: Sizes exceeded (ssize: %d, dsize: %d, max: %lu)\n", ssize, dsize , limits->maxfilesize);
+ return CL_CLEAN;
+ }
+
 /* FIXME: use file operations in case of big files */
 if((src = (char *) cli_malloc(ssize)) == NULL) {
 free(section_hdr);
@@ -499,6 +481,30 @@ int cli_scanpe(int desc, const char **virname, long int *scanned, const struct c
 return CL_EIO;
 }
+ /* try to detect UPX code */
+
+ if(lseek(desc, ep + 0x78, SEEK_SET) == -1) {
+ cli_dbgmsg("lseek() failed\n");
+ free(section_hdr);
+ return CL_EIO;
+ }
+
+ if(read(desc, buff, 13) != 13) {
+ cli_dbgmsg("UPX: Can't read 13 bytes at 0x%x (%d)\n", ep + 0x78, ep + 0x78);
+ return CL_EIO;
+ } else {
+ if(cli_memstr(UPX_NRV2B, 24, buff, 13)) {
+ cli_dbgmsg("UPX: Looks like a NRV2B decompression routine\n");
+ upxfn = upx_inflate2b;
+ } else if(cli_memstr(UPX_NRV2D, 24, buff, 13)) {
+ cli_dbgmsg("UPX: Looks like a NRV2D decompression routine\n");
+ upxfn = upx_inflate2d;
+ } else if(cli_memstr(UPX_NRV2E, 24, buff, 13)) {
+ cli_dbgmsg("UPX: Looks like a NRV2E decompression routine\n");
+ upxfn = upx_inflate2e;
+ }
+ }
+
 if(upxfn) {
 if(upxfn(src, ssize, dest, dsize)) {
 cli_dbgmsg("UPX: Prefered decompressor failed\n");
diff --git a/clamav-devel/libclamav/scanners.c b/clamav-devel/libclamav/scanners.c
index 0b4a5a2ef..544bd944c 100644
--- a/clamav-devel/libclamav/scanners.c
+++ b/clamav-devel/libclamav/scanners.c
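Review bot: In pe.c, the new size-limit check in cli_scanpe returns `CL_CLEAN` without releasing `section_hdr`, whereas the allocation-failure branch directly below it calls `free(section_hdr);` first, so every UPX candidate rejected by the limit leaks the section table; add `free(section_hdr);` before `return CL_CLEAN;`. `dsize` is the sum of two `VirtualSize` fields read from the file's own headers, so depending on its declared type (outside the hunk) the addition can wrap and slip under `maxfilesize`; comparing each term against the limit before adding them would close that. The check is skipped entirely when `limits` is NULL or `maxfilesize` is 0, which leaves `cli_malloc(ssize)` sized by file-controlled data alone. The `%d` conversions for `ssize` and `dsize` should also be checked against their declared types.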
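Review bot: In pe.c, the relocated UPX detection in cli_scanpe now runs after `src` has been allocated and while `dest` is about to be used, but its two exits do not release them: the lseek() branch frees only `section_hdr`, and the newly added `return CL_EIO;` after the short read frees nothing at all. Assuming `dest` is heap-allocated like `src` (its allocation is outside the hunk), both branches should end with `free(section_hdr); free(src); free(dest); return CL_EIO;`. The short-read case used to log and fall through, and now aborts the scan with an I/O error, so a file too short for the 13-byte probe at `ep + 0x78` is presumably no longer tried against the remaining decompressors; if that is intended it deserves a comment. The function body continues beyond the hunk.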
@@ -75,7 +75,7 @@ extern short cli_leavetemps_flag;
 #define DISABLE_RAR (options & CL_DISABLERAR)
 #define DETECT_ENCRYPTED (options & CL_ENCRYPTED)
-#define MAX_MAIL_RECURSION 10
+#define MAX_MAIL_RECURSION 15
 static int cli_magic_scandesc(int desc, const char **virname, long int *scanned, const struct cl_node *root, const struct cl_limits *limits, int options, int *arec, int *mrec);
@@ -967,7 +967,7 @@ static int cli_scanmail(int desc, const char **virname, long int *scanned, const
 int ret;
- cli_dbgmsg("Starting cli_scanmail(), mrec == %d, arec == %d\n", mrec, arec);
+ cli_dbgmsg("Starting cli_scanmail(), mrec == %d, arec == %d\n", *mrec, *arec);
 if((tmpdir = getenv("TMPDIR")) == NULL)
 #ifdef P_tmpdir
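Review bot: In scanners.c, the change of `MAX_MAIL_RECURSION` from 10 to 15 is unrelated to the UPX work and is not mentioned in the ChangeLog entry this commit adds. The constant presumably bounds how deeply nested mail messages are scanned, which makes it a resource-exhaustion guard, so the reason for raising it should be recorded next to the define, e.g. `/* maximum nesting depth of mail messages that will be scanned */` plus the rationale for the new value. It also remains a compile-time constant rather than a field of `struct cl_limits`, unlike the archive limits consulted elsewhere in this diff.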