improve file type recognizer and add CL_TYPE_RARSFX

git-svn: trunk@1634

clamav-devel/ChangeLog

@@ -1,3 +1,7 @@
+Fri Jun 24 15:48:26 CEST 2005 (tk)
+----------------------------------
+  * libclamav: improve file type recognizer and add CL_TYPE_RARSFX
+
 Thu Jun 23 22:52:43 CEST 2005 (tk)
 ----------------------------------
   * libclamav/mspack/qtmd.c: fix possible crash

clamav-devel/libclamav/filetypes.c

@@ -169,6 +169,8 @@ static const struct cli_smagic_s cli_smagic[] = {
     {"3c696672616d65", "HTML data", CL_TYPE_HTML},      /* <iframe */
     {"3c494652414d45", "HTML data", CL_TYPE_HTML},      /* <IFRAME */
 
+    {"526172211a0700", "RAR-SFX", CL_TYPE_RARSFX},
+
     {NULL,  NULL,   CL_TYPE_UNKNOWN_DATA}
 };
 

clamav-devel/libclamav/filetypes.h

@@ -46,6 +46,7 @@ typedef enum {
     CL_TYPE_PDF,
 
     /* bigger numbers have higher priority (in o-t-f detection) */
+    CL_TYPE_RARSFX,
     CL_TYPE_HTML, /* on the fly */
     CL_TYPE_MAIL  /* magic + on the fly */
 

clamav-devel/libclamav/matcher-ac.c

@@ -263,7 +263,7 @@ inline static int cli_findpos(const char *buffer, int offset, int length, const
     return 1;
 }
 
-int cli_ac_scanbuff(const char *buffer, unsigned int length, const char **virname, const struct cl_node *root, int *partcnt, short otfrec, unsigned long int offset, unsigned long int *partoff, unsigned short ftype, int fd)
+int cli_ac_scanbuff(const char *buffer, unsigned int length, const char **virname, const struct cl_node *root, int *partcnt, short otfrec, unsigned long int offset, unsigned long int *partoff, unsigned short ftype, int fd, unsigned long int *ftoffset)
 {
 	struct cli_ac_node *current;
 	struct cli_ac_patt *pt;
@@ -322,6 +322,8 @@ int cli_ac_scanbuff(const char *buffer, unsigned int length, const char **virnam
 					    if(pt->type > type) {
 						cli_dbgmsg("Matched signature for file type: %s\n", pt->virname);
 						type = pt->type;
+						if(ftoffset)
+						    *ftoffset = offset + position;
 					    }
 					}
 				    } else {
@@ -341,6 +343,8 @@ int cli_ac_scanbuff(const char *buffer, unsigned int length, const char **virnam
 				    cli_dbgmsg("Matched signature for file type: %s\n", pt->virname);
 
 				    type = pt->type;
+				    if(ftoffset)
+					*ftoffset = offset + position;
 				}
 			    }
 			} else {

clamav-devel/libclamav/matcher-ac.h

@@ -23,7 +23,7 @@
 #include "matcher.h"
 
 int cli_ac_addpatt(struct cl_node *root, struct cli_ac_patt *pattern);
-int cli_ac_scanbuff(const char *buffer, unsigned int length, const char **virname, const struct cl_node *root, int *partcnt, short otfrec, unsigned long int offset, unsigned long int *partoff, unsigned short ftype, int fd);
+int cli_ac_scanbuff(const char *buffer, unsigned int length, const char **virname, const struct cl_node *root, int *partcnt, short otfrec, unsigned long int offset, unsigned long int *partoff, unsigned short ftype, int fd, unsigned long int *ftoffset);
 int cli_ac_buildtrie(struct cl_node *root);
 void cli_ac_free(struct cl_node *root);
 

clamav-devel/libclamav/matcher.c

@@ -66,7 +66,7 @@ int cli_scanbuff(const char *buffer, unsigned int length, const char **virname,
     }
 
     if((ret = cli_bm_scanbuff(buffer, length, virname, root, 0, ftype, -1)) != CL_VIRUS)
-	ret = cli_ac_scanbuff(buffer, length, virname, root, partcnt, 0, 0, partoff, ftype, -1);
+	ret = cli_ac_scanbuff(buffer, length, virname, root, partcnt, 0, 0, partoff, ftype, -1, NULL);
 
     free(partcnt);
     free(partoff);
@@ -237,7 +237,7 @@ int cli_validatesig(unsigned short target, unsigned short ftype, const char *off
     return 1;
 }
 
-int cli_scandesc(int desc, const char **virname, long int *scanned, const struct cl_node *root, short otfrec, unsigned short ftype)
+int cli_scandesc(int desc, const char **virname, long int *scanned, const struct cl_node *root, short otfrec, unsigned short ftype, unsigned long int *ftoffset)
 {
  	char *buffer, *buff, *endbl, *pt;
 	int bytes, buffsize, length, ret, *partcnt, type = CL_CLEAN;
@@ -293,7 +293,7 @@ int cli_scandesc(int desc, const char **virname, long int *scanned, const struct
 	    length -= SCANBUFF - bytes;
 
 	if(cli_bm_scanbuff(pt, length, virname, root, offset, ftype, desc) == CL_VIRUS ||
-	   (ret = cli_ac_scanbuff(pt, length, virname, root, partcnt, otfrec, offset, partoff, ftype, desc)) == CL_VIRUS) {
+	   (ret = cli_ac_scanbuff(pt, length, virname, root, partcnt, otfrec, offset, partoff, ftype, desc, ftoffset)) == CL_VIRUS) {
 	    free(buffer);
 	    free(partcnt);
 	    free(partoff);

clamav-devel/libclamav/matcher.h

@@ -1,5 +1,5 @@
 /*
- *  Copyright (C) 2002 - 2004 Tomasz Kojm <tkojm@clamav.net>
+ *  Copyright (C) 2002 - 2005 Tomasz Kojm <tkojm@clamav.net>
  *
  *  This program is free software; you can redistribute it and/or modify
  *  it under the terms of the GNU General Public License as published by
@@ -21,7 +21,7 @@
 
 #include "clamav.h"
 
-int cli_scandesc(int desc, const char **virname, long int *scanned, const struct cl_node *root, short otfrec, unsigned short ftype);
+int cli_scandesc(int desc, const char **virname, long int *scanned, const struct cl_node *root, short otfrec, unsigned short ftype, unsigned long int *ftoffset);
 
 int cli_scanbuff(const char *buffer, unsigned int length, const char **virname, const struct cl_node *root, unsigned short ftype);
 

clamav-devel/libclamav/scanners.c

@@ -189,7 +189,7 @@ static int cli_scanrar(int desc, const char **virname, long int *scanned, const
 	if(DETECT_ENCRYPTED && metadata->encrypted) {
 	    cli_dbgmsg("RAR: Encrypted files found in archive.\n");
 	    lseek(desc, 0, SEEK_SET);
-	    ret = cli_scandesc(desc, virname, scanned, root, 0, 0);
+	    ret = cli_scandesc(desc, virname, scanned, root, 0, 0, NULL);
 	    if(ret < 0) {
 		break;
 	    } else if(ret != CL_VIRUS) {
@@ -388,7 +388,7 @@ static int cli_scanzip(int desc, const char **virname, long int *scanned, const
 	if(DETECT_ENCRYPTED && encrypted) {
 	    cli_dbgmsg("Zip: Encrypted files found in archive.\n");
 	    lseek(desc, 0, SEEK_SET);
-	    ret = cli_scandesc(desc, virname, scanned, root, 0, 0);
+	    ret = cli_scandesc(desc, virname, scanned, root, 0, 0, NULL);
 	    if(ret < 0) {
 		break;
 	    } else if(ret != CL_VIRUS) {
@@ -1011,7 +1011,7 @@ static int cli_vba_scandir(const char *dirname, const char **virname, long int *
     if (fd >= 0) {
     	ofd = cli_decode_ole_object(fd, dirname);
 	if (ofd >= 0) {
-		ret = cli_scandesc(ofd, virname, scanned, root, 0, 0);
+		ret = cli_scandesc(ofd, virname, scanned, root, 0, 0, NULL);
 		close(ofd);
 	}
 	close(fd);
@@ -1077,7 +1077,7 @@ static int cli_scanhtml(int desc, const char **virname, long int *scanned, const
     snprintf(fullname, 1024, "%s/comment.html", tempname);
     fd = open(fullname, O_RDONLY);
     if (fd >= 0) {
-        ret = cli_scandesc(fd, virname, scanned, root, 0, CL_TYPE_HTML);
+        ret = cli_scandesc(fd, virname, scanned, root, 0, CL_TYPE_HTML, NULL);
 	close(fd);
     }
 
@@ -1092,7 +1092,7 @@ static int cli_scanhtml(int desc, const char **virname, long int *scanned, const
 	snprintf(fullname, 1024, "%s/nocomment.html", tempname);
 	fd = open(fullname, O_RDONLY);
 	if (fd >= 0) {
-	    ret = cli_scandesc(fd, virname, scanned, root, 0, CL_TYPE_HTML);
+	    ret = cli_scandesc(fd, virname, scanned, root, 0, CL_TYPE_HTML, NULL);
 	    close(fd);
 	}
     }
@@ -1108,7 +1108,7 @@ static int cli_scanhtml(int desc, const char **virname, long int *scanned, const
 	snprintf(fullname, 1024, "%s/script.html", tempname);
 	fd = open(fullname, O_RDONLY);
 	if (fd >= 0) {
-	    ret = cli_scandesc(fd, virname, scanned, root, 0, CL_TYPE_HTML);
+	    ret = cli_scandesc(fd, virname, scanned, root, 0, CL_TYPE_HTML, NULL);
 	    close(fd);
 	}
     }
@@ -1406,7 +1406,7 @@ int cli_magic_scandesc(int desc, const char **virname, long int *scanned, const
 
     if(!options) { /* raw mode (stdin, etc.) */
 	cli_dbgmsg("Raw mode: No support for special files\n");
-	if((ret = cli_scandesc(desc, virname, scanned, root, 0, 0) == CL_VIRUS))
+	if((ret = cli_scandesc(desc, virname, scanned, root, 0, 0, NULL) == CL_VIRUS))
 	    cli_dbgmsg("%s found in descriptor %d\n", *virname, desc);
 	return ret;
     }
@@ -1538,13 +1538,22 @@ int cli_magic_scandesc(int desc, const char **virname, long int *scanned, const
     type == CL_TYPE_MAIL ? mrec-- : arec--;
 
     if(type != CL_TYPE_DATA && ret != CL_VIRUS) { /* scan the raw file */
-	    int typerec;
+	    int ftrec;
+	    unsigned long int ftoffset;
+
+	switch(type) {
+	    case CL_TYPE_UNKNOWN_TEXT:
+	    case CL_TYPE_MSEXE:
+		ftrec = 1;
+		break;
+	    default:
+		ftrec = 0;
+	}
 
-	type == CL_TYPE_UNKNOWN_TEXT ? (typerec = 1) : (typerec = 0);
 	if(lseek(desc, 0, SEEK_SET) < 0)
 	    cli_errmsg("lseek() failed, trying to continue anyway...\n");
 
-	if((nret = cli_scandesc(desc, virname, scanned, root, typerec, type)) == CL_VIRUS) {
+	if((nret = cli_scandesc(desc, virname, scanned, root, ftrec, type, &ftoffset)) == CL_VIRUS) {
 	    cli_dbgmsg("%s found in descriptor %d.\n", *virname, desc);
 	    return CL_VIRUS;
 
@@ -1567,6 +1576,11 @@ int cli_magic_scandesc(int desc, const char **virname, long int *scanned, const
 			if(cli_scanmail(desc, virname, scanned, root, limits, options, arec, mrec) == CL_VIRUS)
 			    return CL_VIRUS;
 		    break;
+
+		case CL_TYPE_RARSFX:
+		    if(SCAN_ARCHIVE)
+			cli_dbgmsg("RAR-SFX found at %d\n", ftoffset);
+		    break;
 	    }
 	    nret == CL_TYPE_MAIL ? mrec-- : arec--;
 	}