Stowage/clamav
2
0
Fork 0
mirror of https://github.com/Cisco-Talos/clamav.git synced 2025-10-19 18:33:16 +00:00
Code Issues Projects Releases Packages Wiki Activity

More Coverity bug fixes

Browse source 
Looking through the list of issues, I spotted some easy ones and submitted
some fixes:

- 225229 - In cli_rarload: Leak of memory or pointers to system resources.
If finding the necessary libunrar functions fails (should be rare),we now
dlclose libunrar.

225224 - In main (freshclam.c): A copied piece of code is inconsistent with
the original (CWE-398). A minor copy-paste error was present, and optOutList
could be cleaned up in one of the failure edge cases.

225228 - In decodecdb: Out-of-bounds access to a buffer (CWE-119). Off by one
error when tokenizing certain CDB sig fields for printing with sigtool. Ex:

$ cat test.cdb
a:CL_TYPE_7Z:1-2-3:/.*/:1-2-3:1-2-3:0:1-2-3::

$ cat test.cdb | ../installed/bin/sigtool --decode
VIRUS NAME: a
CONTAINER TYPE: CL_TYPE_7Z
CONTAINER SIZE: WITHIN RANGE 1 to 2
FILENAME REGEX: /.*/
COMPRESSED FILESIZE: WITHIN RANGE 1 to 2
UNCOMPRESSED FILESIZE: WITHIN RANGE 1 to 2
ENCRYPTION: NO
FILE POSITION: =================================================================
==17245==ERROR: AddressSanitizer: stack-buffer-overflow on address 0x7fffe3136d10 at pc 0x7f0f31c3f414 bp 0x7fffe3136c70 sp 0x7fffe3136c60
WRITE of size 8 at 0x7fffe3136d10 thread T0
    #0 0x7f0f31c3f413 in cli_strtokenize ../../libclamav/str.c:524
    #1 0x559e9797dc91 in decodecdb ../../sigtool/sigtool.c:2929
    #2 0x559e9797ea66 in decodesig ../../sigtool/sigtool.c:3058
    #3 0x559e9797f31e in decodesigs ../../sigtool/sigtool.c:3162
    #4 0x559e97981fbc in main ../../sigtool/sigtool.c:3638
    #5 0x7f0f3100fb96 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x21b96)
    #6 0x559e9795a1d9 in _start (/home/zelda/workspace/clamav-devel/installed/bin/sigtool+0x381d9)

Address 0x7fffe3136d10 is located in stack of thread T0 at offset 48 in frame
    #0 0x559e9797d113 in decodecdb ../../sigtool/sigtool.c:2840

  This frame has 1 object(s):
    [32, 48) 'range' <== Memory access at offset 48 overflows this variable
HINT: this may be a false positive if your program uses some custom stack unwind mechanism or swapcontext
      (longjmp and C++ exceptions *are* supported)
SUMMARY: AddressSanitizer: stack-buffer-overflow ../../libclamav/str.c:524 in cli_strtokenize

- 225223 - In cli_egg_deflate_decompress: Reads an uninitialized pointer or
its target (CWE-457). Certain fail cases would call inflateEnd on an
uninitialized stream. Now it’s only called after initialization occurs.

- 225220 - In buildcld: Use of an uninitialized variable (CWE-457). Certain
fail cases would result in oldDir being used before initialization. It now
gets zeroed before the first fail case.

- 225219 - In cli_egg_open: Leak of memory or pointers to system resources
(CWE-404).  If certain realloc’s failed, several structures would not be cleaned up

- 225218 - In cli_scanhwpml: Code block is unreachable because of the syntactic
structure of the code (CWE-561).  With certain macros set, there could be two
consecutive return statements.
This commit is contained in:
Andrew 2020-05-07 14:12:17 -04:00
parent 035265b96f
commit 1d66184a7d
6 changed files with 19 additions and 8 deletions
Download patch file Download diff file Expand all files Collapse all files

4
freshclam/freshclam.c
View file

@ -1748,8 +1748,10 @@ int main(int argc, char **argv)
}
if (!optget(opts, "Bytecode")->enabled) {
if (FC_SUCCESS != (ret = string_list_add("bytecode", &optOutList, &nOptOuts))) {
free_string_list(optOutList, nOptOuts);
free_string_list(optInList, nOptIns);
optInList = NULL;
free_string_list(optOutList, nOptOuts);
optOutList = NULL;
mprintf("!Failed to add bytecode to list of opt-out databases.\n");
status = ret;

9
libclamav/egg.c
View file

@ -1232,6 +1232,7 @@ static cl_error_t egg_parse_file_extra_field(egg_handle* handle, egg_file* eggFi
(void*)eggFile->comments,
sizeof(char**) * (eggFile->nComments + 1));
if (NULL == comments_tmp) {
free(comment);
status = CL_EMEM;
goto done;
}
@ -1681,6 +1682,7 @@ cl_error_t cli_egg_open(fmap_t* map, size_t sfx_offset, void** hArchive, char***
(void*)handle->files,
sizeof(egg_file*) * (handle->nFiles + 1));
if (NULL == files_tmp) {
egg_free_egg_file(found_file);
status = CL_EMEM;
goto done;
}
@ -1709,6 +1711,7 @@ cl_error_t cli_egg_open(fmap_t* map, size_t sfx_offset, void** hArchive, char***
(void*)handle->blocks,
sizeof(egg_block*) * (handle->nBlocks + 1));
if (NULL == blocks_tmp) {
egg_free_egg_block(found_block);
status = CL_EMEM;
goto done;
}
@ -1733,6 +1736,7 @@ cl_error_t cli_egg_open(fmap_t* map, size_t sfx_offset, void** hArchive, char***
(void*)eggFile->blocks,
sizeof(egg_block*) * (eggFile->nBlocks + 1));
if (NULL == blocks_tmp) {
egg_free_egg_block(found_block);
status = CL_EMEM;
goto done;
}
@ -1806,6 +1810,7 @@ cl_error_t cli_egg_open(fmap_t* map, size_t sfx_offset, void** hArchive, char***
(void*)handle->comments,
sizeof(char**) * (handle->nComments + 1));
if (NULL == comments_tmp) {
free(comment);
status = CL_EMEM;
goto done;
}
@ -1942,6 +1947,7 @@ cl_error_t cli_egg_deflate_decompress(char* compressed, size_t compressed_size,
uint32_t declen = 0, capacity = 0;
z_stream stream;
int stream_initialized = 0;
int zstat;
if (NULL == compressed || compressed_size == 0 || NULL == decompressed || NULL == decompressed_size) {
@ -1973,6 +1979,7 @@ cl_error_t cli_egg_deflate_decompress(char* compressed, size_t compressed_size,
status = CL_EMEM;
goto done;
}
stream_initialized = 1;
/* initial inflate */
zstat = inflate(&stream, Z_NO_FLUSH);
@ -2045,7 +2052,9 @@ cl_error_t cli_egg_deflate_decompress(char* compressed, size_t compressed_size,
done:
if (stream_initialized) {
(void)inflateEnd(&stream);
}
if (CL_SUCCESS != status) {
free(decoded);

1
libclamav/hwp.c
View file

@ -2143,7 +2143,6 @@ cl_error_t cli_scanhwpml(cli_ctx *ctx)
xmlTextReaderClose(reader);
xmlFreeTextReader(reader);
return ret;
#else
UNUSEDPARAM(ctx);
cli_dbgmsg("in cli_scanhwpml()\n");

1
libclamav/others.c
View file

@ -186,6 +186,7 @@ static void cli_rarload(void)
!(cli_unrar_close = (void (*)(void *))lt_dlsym(rhandle, "libclamunrar_iface_LTX_unrar_close"))) {
/* ideally we should never land here, we'd better warn so */
cli_warnmsg("Cannot resolve: %s (version mismatch?) - unrar support unavailable\n", lt_dlerror());
lt_dlclose(rhandle);
return;
}
have_rar = 1;

2
libfreshclam/libfreshclam_internal.c
View file

@ -1378,7 +1378,7 @@ static fc_error_t buildcld(
{
fc_error_t status = FC_EARG;
char olddir[PATH_MAX];
char olddir[PATH_MAX] = {0};
char info[DB_FILENAME_MAX];
char buff[CVD_HEADER_SIZE + 1];
char *pt;

8
sigtool/sigtool.c
View file

@ -2852,7 +2852,7 @@ static int decodecdb(char **tokens)
mprintf("ANY\n");
} else if (strchr(tokens[2], '-')) {
sz = cli_strtokenize(tokens[2], '-', 2 + 1, (const char **)range);
sz = cli_strtokenize(tokens[2], '-', 2, (const char **)range);
if (sz != 2 || !cli_isnumber(range[0]) || !cli_isnumber(range[1])) {
mprintf("!decodesig: Invalid container size range\n");
return -1;
@ -2873,7 +2873,7 @@ static int decodecdb(char **tokens)
mprintf("ANY\n");
} else if (strchr(tokens[4], '-')) {
sz = cli_strtokenize(tokens[4], '-', 2 + 1, (const char **)range);
sz = cli_strtokenize(tokens[4], '-', 2, (const char **)range);
if (sz != 2 || !cli_isnumber(range[0]) || !cli_isnumber(range[1])) {
mprintf("!decodesig: Invalid container size range\n");
return -1;
@ -2893,7 +2893,7 @@ static int decodecdb(char **tokens)
mprintf("ANY\n");
} else if (strchr(tokens[5], '-')) {
sz = cli_strtokenize(tokens[5], '-', 2 + 1, (const char **)range);
sz = cli_strtokenize(tokens[5], '-', 2, (const char **)range);
if (sz != 2 || !cli_isnumber(range[0]) || !cli_isnumber(range[1])) {
mprintf("!decodesig: Invalid container size range\n");
return -1;
@ -2926,7 +2926,7 @@ static int decodecdb(char **tokens)
mprintf("ANY\n");
} else if (strchr(tokens[7], '-')) {
sz = cli_strtokenize(tokens[7], '-', 2 + 1, (const char **)range);
sz = cli_strtokenize(tokens[7], '-', 2, (const char **)range);
if (sz != 2 || !cli_isnumber(range[0]) || !cli_isnumber(range[1])) {
mprintf("!decodesig: Invalid container size range\n");
return -1;