add 'Intermediates' field to target description block

(allows specification of any number of intermediate containers)
2025-10-19 10:23:17 +00:00 · 2017-01-23 13:11:03 -05:00 · 2017-01-23 13:11:03 -05:00 · 87b2a1a9e3
commit 87b2a1a9e3
parent 5828828b53
3 changed files with 56 additions and 7 deletions
--- a/libclamav/matcher.c
+++ b/libclamav/matcher.c
@ -703,6 +703,23 @@ int cli_scandesc(int desc, cli_ctx *ctx, cli_file_t ftype, uint8_t ftonly, struc
    return ret;
 }

+static int intermediates_eval(cli_ctx *ctx, struct cli_ac_lsig *ac_lsig)
+{
+    uint32_t i, icnt = ac_lsig->tdb.intermediates[0];
+    int32_t j = -1;
+
+    if (ctx->recursion < icnt)
+        return 0;
+
+    for (i = icnt; i > 0; i--) {
+        if (ac_lsig->tdb.intermediates[i] == CL_TYPE_ANY)
+            continue;
+        if (ac_lsig->tdb.intermediates[i] != cli_get_container_type(ctx, j--))
+            return 0;
+    }
+    return 1;
+}
+
 static int lsig_eval(cli_ctx *ctx, struct cli_matcher *root, struct cli_ac_data *acdata, struct cli_target_info *target_info, const char *hash, uint32_t lsid)
 {
    unsigned evalcnt = 0;
@ -719,6 +736,8 @@ static int lsig_eval(cli_ctx *ctx, struct cli_matcher *root, struct cli_ac_data
    if (cli_ac_chklsig(exp, exp_end, acdata->lsigcnt[lsid], &evalcnt, &evalids, 0) == 1) {
        if(ac_lsig->tdb.container && ac_lsig->tdb.container[0] != cli_get_container_type(ctx, -1))
            return CL_CLEAN;
+        if(ac_lsig->tdb.intermediates && !intermediates_eval(ctx, ac_lsig))
+            return CL_CLEAN;
        if(ac_lsig->tdb.filesize && (ac_lsig->tdb.filesize[0] > map->len || ac_lsig->tdb.filesize[1] < map->len))
            return CL_CLEAN;

--- a/libclamav/matcher.h
+++ b/libclamav/matcher.h
@ -54,11 +54,12 @@ struct cli_target_info {
 #define CLI_MATCH_NIBBLE_LOW	0x0400

 struct cli_lsig_tdb {
-#define CLI_TDB_UINT	0
-#define CLI_TDB_RANGE	1
-#define CLI_TDB_STR	2
-#define CLI_TDB_RANGE2	3
-#define CLI_TDB_FTYPE	4
+#define CLI_TDB_UINT		0
+#define CLI_TDB_RANGE		1
+#define CLI_TDB_STR		2
+#define CLI_TDB_RANGE2		3
+#define CLI_TDB_FTYPE		4
+#define CLI_TDB_FTYPE_EXPR	5
    uint32_t *val, *range;
    char *str;
    uint32_t cnt[3];
@ -67,6 +68,7 @@ struct cli_lsig_tdb {
    const uint32_t *target;
    const uint32_t *engine, *nos, *ep, *filesize;
    const uint32_t *container, *handlertype;
+    const uint32_t *intermediates;
    /*
    const uint32_t *sectoff, *sectrva, *sectvsz, *sectraw, *sectrsz,
 		   *secturva, *sectuvsz, *secturaw, *sectursz;
--- a/libclamav/readdb.c
+++ b/libclamav/readdb.c
@ -1353,7 +1353,8 @@ struct lsig_attrib {
 static int lsigattribs(char *attribs, struct cli_lsig_tdb *tdb)
 {
    struct lsig_attrib attrtab[] = {
-#define ATTRIB_TOKENS   9
+#define ATTRIB_TOKENS   10
+#define EXPR_TOKEN_MAX  16
        { "Target",         CLI_TDB_UINT,   (void **) &tdb->target      },
        { "Engine",         CLI_TDB_RANGE,  (void **) &tdb->engine      },

@ -1366,6 +1367,7 @@ static int lsigattribs(char *attribs, struct cli_lsig_tdb *tdb)

        { "Container",      CLI_TDB_FTYPE,  (void **) &tdb->container   },
        { "HandlerType",        CLI_TDB_FTYPE,  (void **) &tdb->handlertype },
+        { "Intermediates",  CLI_TDB_FTYPE_EXPR, (void **) &tdb->intermediates },
 /*
        { "SectOff",    CLI_TDB_RANGE2, (void **) &tdb->sectoff     },
        { "SectRVA",    CLI_TDB_RANGE2, (void **) &tdb->sectrva     },
@ -1435,7 +1437,7 @@ static int lsigattribs(char *attribs, struct cli_lsig_tdb *tdb)

        case CLI_TDB_FTYPE:
            if((v1 = cli_ftcode(pt)) == CL_TYPE_ERROR) {
-                cli_dbgmsg("lsigattribs: Unknown file type in %s\n", tokens[i]);
+                cli_dbgmsg("lsigattribs: Unknown file type '%s' in %s\n", pt, tokens[i]);
                return 1; /* skip */
            }

@ -1449,6 +1451,31 @@ static int lsigattribs(char *attribs, struct cli_lsig_tdb *tdb)
            tdb->val[cnt] = v1;
            break;

+        case CLI_TDB_FTYPE_EXPR:
+            {
+                char *ftypes[EXPR_TOKEN_MAX];
+                unsigned int ftypes_count;
+
+		off[i] = cnt = tdb->cnt[CLI_TDB_UINT];
+                ftypes_count = cli_strtokenize(pt, '>', EXPR_TOKEN_MAX, (const char **) ftypes);
+		tdb->cnt[CLI_TDB_UINT] += (ftypes_count + 1);
+		tdb->val = (uint32_t *) mpool_realloc2(tdb->mempool, tdb->val, tdb->cnt[CLI_TDB_UINT] * sizeof(uint32_t));
+		if(!tdb->val) {
+		    tdb->cnt[CLI_TDB_UINT] = 0;
+		    return -1;
+		}
+
+		tdb->val[cnt++] = ftypes_count;
+                for(j = 0; j < ftypes_count; j++) {
+                    if((v1 = cli_ftcode(ftypes[j])) == CL_TYPE_ERROR) {
+                        cli_dbgmsg("lsigattribs: Unknown file type '%s' in %s\n", ftypes[j], tokens[i]);
+                        return 1; /* skip */
+                    }
+		    tdb->val[cnt++] = v1;
+                }
+            }
+            break;
+
        case CLI_TDB_RANGE:
            if(!(pt2 = strchr(pt, '-'))) {
                cli_errmsg("lsigattribs: Incorrect parameters in '%s'\n", tokens[i]);
@ -1535,6 +1562,7 @@ static int lsigattribs(char *attribs, struct cli_lsig_tdb *tdb)
        switch(apt->type) {
        case CLI_TDB_UINT:
        case CLI_TDB_FTYPE:
+        case CLI_TDB_FTYPE_EXPR:
            *apt->pt = (uint32_t *) &tdb->val[off[i]];
            break;