[Pkg-clamav-commits] [SCM] Debian repository for ClamAV branch, debian/unstable, updated. debian/0.95+dfsg-1-167-g4319a8f

tkojm tkojm at 77e5149b-7576-45b1-b177-96237e5ba77b
Fri Jun 12 19:11:44 UTC 2009


The following commit has been merged in the debian/unstable branch:
commit 08653586f821154ed944f4e011ade22dc21e62e3
Author: tkojm <tkojm at 77e5149b-7576-45b1-b177-96237e5ba77b>
Date:   Thu Apr 23 13:24:21 2009 +0000

    libclamav: call cli_checkfp() whenever possible/makes sense (bb#1558)
    
    
    git-svn-id: http://svn.clamav.net/svn/clamav-devel/trunk@5053 77e5149b-7576-45b1-b177-96237e5ba77b

diff --git a/ChangeLog b/ChangeLog
index 2546f77..9e4e1f1 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,3 +1,7 @@
+Thu Apr 23 15:23:02 CEST 2009 (tk)
+----------------------------------
+ * libclamav: call cli_checkfp() whenever possible/makes sense (bb#1558)
+
 Wed Apr 22 14:24:03 EEST 2009 (edwin)
 -------------------------------------
  * libclamav/special.c: tune sensitivity of Trojan.Swizzor.Gen
diff --git a/libclamav/elf.c b/libclamav/elf.c
index 36a5cea..2d8144a 100644
--- a/libclamav/elf.c
+++ b/libclamav/elf.c
@@ -37,6 +37,7 @@
 #include "elf.h"
 #include "clamav.h"
 #include "execs.h"
+#include "matcher.h"
 
 static inline uint16_t EC16(uint16_t v, uint8_t c)
 {
@@ -195,7 +196,7 @@ int cli_scanelf(int desc, cli_ctx *ctx)
         if(DETECT_BROKEN) {
 	    if(ctx->virname)
 		*ctx->virname = "Broken.Executable";
-            return CL_VIRUS;
+	    return cli_checkfp(desc, ctx) ? CL_CLEAN : CL_VIRUS;
         }
 	return CL_EFORMAT;
     }
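Review bot: When cli_checkfp() reports a whitelist hit, this return yields CL_CLEAN while `*ctx->virname` still holds "Broken.Executable", because the name is stored before the check runs. cli_scanriff and cli_scanjpeg in scanners.c (same commit) do it the other way round and only set the name once the check has failed; the equivalent here would be `if(cli_checkfp(desc, ctx)) return CL_CLEAN;` placed before the `if(ctx->virname)` assignment. The same ordering appears in every other cli_scanelf hunk, in the cli_scanpe hunks, and in cli_unrar_scanmetadata and cli_scan_structured. Whether any caller reads the name after a CL_CLEAN result is not visible from this diff, so this may only be a latent inconsistency. cli_scanelf's body starts and ends outside the hunk.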
@@ -208,7 +209,7 @@ int cli_scanelf(int desc, cli_ctx *ctx)
 	    if(DETECT_BROKEN) {
 		if(ctx->virname)
 		    *ctx->virname = "Broken.Executable";
-		return CL_VIRUS;
+		return cli_checkfp(desc, ctx) ? CL_CLEAN : CL_VIRUS;
 	    }
 	    return CL_EFORMAT;
 	}
@@ -219,7 +220,7 @@ int cli_scanelf(int desc, cli_ctx *ctx)
 	    if(DETECT_BROKEN) {
 		if(ctx->virname)
 		    *ctx->virname = "Broken.Executable";
-		return CL_VIRUS;
+		return cli_checkfp(desc, ctx) ? CL_CLEAN : CL_VIRUS;
 	    }
 	    return CL_CLEAN;
 	}
@@ -241,7 +242,7 @@ int cli_scanelf(int desc, cli_ctx *ctx)
 		if(DETECT_BROKEN) {
 		    if(ctx->virname)
 			*ctx->virname = "Broken.Executable";
-		    return CL_VIRUS;
+		    return cli_checkfp(desc, ctx) ? CL_CLEAN : CL_VIRUS;
 		}
 		return CL_CLEAN;
 	    }
@@ -262,7 +263,7 @@ int cli_scanelf(int desc, cli_ctx *ctx)
 	    if(DETECT_BROKEN) {
 		if(ctx->virname)
 		    *ctx->virname = "Broken.Executable";
-		return CL_VIRUS;
+		return cli_checkfp(desc, ctx) ? CL_CLEAN : CL_VIRUS;
 	    }
 	    return CL_EFORMAT;
 	}
@@ -279,7 +280,7 @@ int cli_scanelf(int desc, cli_ctx *ctx)
         if(DETECT_BROKEN) {
 	    if(ctx->virname)
 		*ctx->virname = "Broken.Executable";
-            return CL_VIRUS;
+	    return cli_checkfp(desc, ctx) ? CL_CLEAN : CL_VIRUS;
         }
 	return CL_EFORMAT;
     }
@@ -290,7 +291,7 @@ int cli_scanelf(int desc, cli_ctx *ctx)
         if(DETECT_BROKEN) {
 	    if(ctx->virname)
 		*ctx->virname = "Broken.Executable";
-            return CL_VIRUS;
+	    return cli_checkfp(desc, ctx) ? CL_CLEAN : CL_VIRUS;
         }
 	return CL_EFORMAT;
     }
@@ -302,7 +303,7 @@ int cli_scanelf(int desc, cli_ctx *ctx)
         if(DETECT_BROKEN) {
 	    if(ctx->virname)
 		*ctx->virname = "Broken.Executable";
-            return CL_VIRUS;
+	    return cli_checkfp(desc, ctx) ? CL_CLEAN : CL_VIRUS;
         }
 	return CL_CLEAN;
     }
@@ -324,7 +325,7 @@ int cli_scanelf(int desc, cli_ctx *ctx)
             if(DETECT_BROKEN) {
                 if(ctx->virname)
                     *ctx->virname = "Broken.Executable";
-                return CL_VIRUS;
+		return cli_checkfp(desc, ctx) ? CL_CLEAN : CL_VIRUS;
             }
             return CL_CLEAN;
         }
diff --git a/libclamav/matcher.c b/libclamav/matcher.c
index ba9557e..d12e6cc 100644
--- a/libclamav/matcher.c
+++ b/libclamav/matcher.c
@@ -204,26 +204,37 @@ off_t cli_caloff(const char *offstr, struct cli_target_info *info, int fd, cli_f
     return 0;
 }
 
-static int cli_checkfp(int fd, const struct cl_engine *engine)
+int cli_checkfp(int fd, cli_ctx *ctx)
 {
 	unsigned char *digest;
 	const char *virname;
+	off_t pos;
 
 
-    if(engine->md5_fp) {
+    if((pos = lseek(fd, 0, SEEK_CUR)) == -1) {
+	cli_errmsg("cli_checkfp(): lseek() failed\n");
+	return 0;
+    }
+
+    lseek(fd, 0, SEEK_SET);
+
+    if(ctx->engine->md5_fp) {
 	if(!(digest = cli_md5digest(fd))) {
 	    cli_errmsg("cli_checkfp(): Can't generate MD5 checksum\n");
+	    lseek(fd, pos, SEEK_SET);
 	    return 0;
 	}
 
-	if(cli_bm_scanbuff(digest, 16, &virname, engine->md5_fp, 0, 0, -1) == CL_VIRUS) {
-	    cli_dbgmsg("Eliminated false positive match (fp sig: %s)\n", virname);
+	if(cli_bm_scanbuff(digest, 16, &virname, ctx->engine->md5_fp, 0, 0, -1) == CL_VIRUS) {
+	    cli_dbgmsg("cli_checkfp(): Found false positive detection (fp sig: %s)\n", virname);
 	    free(digest);
+	    lseek(fd, pos, SEEK_SET);
 	    return 1;
 	}
 	free(digest);
     }
 
+    lseek(fd, pos, SEEK_SET);
     return 0;
 }
 
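Review bot: The rewind `lseek(fd, 0, SEEK_SET);` and the three restoring `lseek(fd, pos, SEEK_SET);` calls ignore their return values, unlike the first lseek() in the function. A failed rewind would presumably make cli_md5digest() hash from the wrong offset; that most likely just fails to match and keeps the detection, but a failed restore silently leaves the caller at a different file position, which matters now that the function is called from the middle of many scanners. I would check the rewind as well, e.g. `if(lseek(fd, 0, SEEK_SET) == -1) { cli_errmsg("cli_checkfp(): lseek() failed\n"); return 0; }`, and at least log a failed restore. Moving the save/rewind inside `if(ctx->engine->md5_fp)` would also avoid the seeks entirely when no whitelist is loaded.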
@@ -340,8 +351,7 @@ int cli_scandesc(int desc, cli_ctx *ctx, cli_file_t ftype, uint8_t ftonly, struc
 		    cli_ac_freedata(&gdata);
 		cli_ac_freedata(&tdata);
 
-		lseek(desc, 0, SEEK_SET);
-		if(cli_checkfp(desc, ctx->engine))
+		if(cli_checkfp(desc, ctx))
 		    return CL_CLEAN;
 		else
 		    return CL_VIRUS;
@@ -357,8 +367,7 @@ int cli_scandesc(int desc, cli_ctx *ctx, cli_file_t ftype, uint8_t ftonly, struc
 		cli_ac_freedata(&gdata);
 		if(troot)
 		    cli_ac_freedata(&tdata);
-		lseek(desc, 0, SEEK_SET);
-		if(cli_checkfp(desc, ctx->engine))
+		if(cli_checkfp(desc, ctx))
 		    return CL_CLEAN;
 		else
 		    return CL_VIRUS;
@@ -420,7 +429,7 @@ int cli_scandesc(int desc, cli_ctx *ctx, cli_file_t ftype, uint8_t ftonly, struc
 
     if(ret == CL_VIRUS) {
 	lseek(desc, 0, SEEK_SET);
-	if(cli_checkfp(desc, ctx->engine))
+	if(cli_checkfp(desc, ctx))
 	    return CL_CLEAN;
 	else
 	    return CL_VIRUS;
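Review bot: The `lseek(desc, 0, SEEK_SET);` left in front of this call is now redundant, since cli_checkfp() rewinds the descriptor itself and restores the previous offset afterwards. The two earlier call sites in cli_scandesc had the identical line removed by this commit, so this one looks like it was missed. Dropping it keeps the three sites consistent; if the rewind is wanted for another reason, a one-line comment should say why. cli_scandesc continues outside the hunk.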
diff --git a/libclamav/matcher.h b/libclamav/matcher.h
index 1355d56..70d8a39 100644
--- a/libclamav/matcher.h
+++ b/libclamav/matcher.h
@@ -131,4 +131,6 @@ int cli_validatesig(cli_file_t ftype, const char *offstr, off_t fileoff, struct
 
 off_t cli_caloff(const char *offstr, struct cli_target_info *info, int fd, cli_file_t ftype, int *ret, unsigned int *maxshift);
 
+int cli_checkfp(int fd, cli_ctx *ctx);
+
 #endif
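Review bot: The newly exported prototype carries no comment on its contract, and callers in five other files now rely on it. Going by the definition in matcher.c, something like `/* Returns 1 if the MD5 of the whole file behind fd is listed in ctx->engine->md5_fp (caller should drop the detection), 0 otherwise or on error; the offset of fd is saved and restored. */` above the declaration would cover it. It is also worth stating that the digest always covers the entire descriptor, because several callers pass an archive or container descriptor rather than the object that triggered the detection.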
diff --git a/libclamav/pe.c b/libclamav/pe.c
index e140eb5..60d6b45 100644
--- a/libclamav/pe.c
+++ b/libclamav/pe.c
@@ -472,7 +472,7 @@ int cli_scanpe(int desc, cli_ctx *ctx)
 	if(DETECT_BROKEN) {
 	    if(ctx->virname)
 		*ctx->virname = "Broken.Executable";
-	    return CL_VIRUS;
+	    return cli_checkfp(desc, ctx) ? CL_CLEAN : CL_VIRUS;
 	}
 	return CL_CLEAN;
     }
@@ -608,7 +608,7 @@ int cli_scanpe(int desc, cli_ctx *ctx)
 	if(DETECT_BROKEN) {
 	    if(ctx->virname)
 		*ctx->virname = "Broken.Executable";
-	    return CL_VIRUS;
+	    return cli_checkfp(desc, ctx) ? CL_CLEAN : CL_VIRUS;
 	}
 	if(nsections)
 	    cli_warnmsg("PE file contains %d sections\n", nsections);
@@ -628,7 +628,7 @@ int cli_scanpe(int desc, cli_ctx *ctx)
 	if(DETECT_BROKEN) {
 	    if(ctx->virname)
 	        *ctx->virname = "Broken.Executable";
-	    return CL_VIRUS;
+	    return cli_checkfp(desc, ctx) ? CL_CLEAN : CL_VIRUS;
 	}
 	return CL_CLEAN;
     }
@@ -638,7 +638,7 @@ int cli_scanpe(int desc, cli_ctx *ctx)
 	if(DETECT_BROKEN) {
 	    if(ctx->virname)
 	        *ctx->virname = "Broken.Executable";
-	    return CL_VIRUS;
+	    return cli_checkfp(desc, ctx) ? CL_CLEAN : CL_VIRUS;
 	}
 	return CL_CLEAN;
     }
@@ -651,7 +651,7 @@ int cli_scanpe(int desc, cli_ctx *ctx)
 	    if(DETECT_BROKEN) {
 	        if(ctx->virname)
 		    *ctx->virname = "Broken.Executable";
-		return CL_VIRUS;
+		return cli_checkfp(desc, ctx) ? CL_CLEAN : CL_VIRUS;
 	    }
 	    return CL_CLEAN;
 	}
@@ -667,7 +667,7 @@ int cli_scanpe(int desc, cli_ctx *ctx)
 	    if(DETECT_BROKEN) {
 	        if(ctx->virname)
 		    *ctx->virname = "Broken.Executable";
-		return CL_VIRUS;
+		return cli_checkfp(desc, ctx) ? CL_CLEAN : CL_VIRUS;
 	    }
 	    cli_dbgmsg("9x compatibility mode\n");
 	}
@@ -709,7 +709,7 @@ int cli_scanpe(int desc, cli_ctx *ctx)
 	    if(DETECT_BROKEN) {
 	        if(ctx->virname)
 		    *ctx->virname = "Broken.Executable";
-		return CL_VIRUS;
+		return cli_checkfp(desc, ctx) ? CL_CLEAN : CL_VIRUS;
 	    }
 	    return CL_CLEAN;
 	}
@@ -790,14 +790,14 @@ int cli_scanpe(int desc, cli_ctx *ctx)
         cli_dbgmsg("Bad virtual alignemnt\n");
         if(ctx->virname)
 	    *ctx->virname = "Broken.Executable";
-	return CL_VIRUS;
+	return cli_checkfp(desc, ctx) ? CL_CLEAN : CL_VIRUS;
     }
 
     if (DETECT_BROKEN && !native && (!(pe_plus?EC32(optional_hdr64.FileAlignment):EC32(optional_hdr32.FileAlignment)) || (pe_plus?EC32(optional_hdr64.FileAlignment):EC32(optional_hdr32.FileAlignment))%0x200)) {
         cli_dbgmsg("Bad file alignemnt\n");
 	if(ctx->virname)
 	    *ctx->virname = "Broken.Executable";
-	return CL_VIRUS;
+	return cli_checkfp(desc, ctx) ? CL_CLEAN : CL_VIRUS;
     }
 
     if(fstat(desc, &sb) == -1) {
@@ -833,7 +833,7 @@ int cli_scanpe(int desc, cli_ctx *ctx)
 	if(DETECT_BROKEN) {
 	    if(ctx->virname)
 		*ctx->virname = "Broken.Executable";
-	    return CL_VIRUS;
+	    return cli_checkfp(desc, ctx) ? CL_CLEAN : CL_VIRUS;
 	}
 	return CL_CLEAN;
     }
@@ -902,7 +902,7 @@ int cli_scanpe(int desc, cli_ctx *ctx)
 	        *ctx->virname = "Broken.Executable";
 	    free(section_hdr);
 	    free(exe_sections);
-	    return CL_VIRUS;
+	    return cli_checkfp(desc, ctx) ? CL_CLEAN : CL_VIRUS;
 	}
 
 	if (exe_sections[i].rsz) { /* Don't bother with virtual only sections */
@@ -913,7 +913,7 @@ int cli_scanpe(int desc, cli_ctx *ctx)
 		if(DETECT_BROKEN) {
 		    if(ctx->virname)
 		        *ctx->virname = "Broken.Executable";
-		    return CL_VIRUS;
+		    return cli_checkfp(desc, ctx) ? CL_CLEAN : CL_VIRUS;
 		}
 		return CL_CLEAN; /* no ninjas to see here! move along! */
 	    }
@@ -928,16 +928,11 @@ int cli_scanpe(int desc, cli_ctx *ctx)
 		    if(md5_sect->soff[j] == exe_sections[i].rsz) {
 			unsigned char md5_dig[16];
 			if(cli_md5sect(desc, &exe_sections[i], md5_dig) && cli_bm_scanbuff(md5_dig, 16, ctx->virname, ctx->engine->md5_mdb, 0, 0, -1) == CL_VIRUS) {
-			    /* Since .mdb sigs are not fp-prone, to save
-			     * performance we don't call cli_checkfp() here,
-			     * just give the possibility of whitelisting
-			     * idividual .mdb entries via daily.fp
-			     */
 			    if(cli_bm_scanbuff(md5_dig, 16, NULL, ctx->engine->md5_fp, 0, 0, -1) != CL_VIRUS) {
 
 				free(section_hdr);
 				free(exe_sections);
-				return CL_VIRUS;
+				return cli_checkfp(desc, ctx) ? CL_CLEAN : CL_VIRUS;
 			    }
 			}
 			break;
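Review bot: The deleted comment was the only explanation of why the section digest is looked up in `md5_fp`, and the new return adds a second, whole-file lookup without replacing it. A short comment would keep the intent readable, e.g. `/* .mdb hit: dropped if either the section MD5 or the whole-file MD5 is listed in md5_fp */`. Note also that `cli_bm_scanbuff()` has already written the signature name through `ctx->virname` by the time CL_CLEAN can be returned here. The enclosing loops begin above the hunk.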
@@ -953,7 +948,7 @@ int cli_scanpe(int desc, cli_ctx *ctx)
 	    if(DETECT_BROKEN) {
 	        if(ctx->virname)
 		    *ctx->virname = "Broken.Executable";
-		return CL_VIRUS;
+		return cli_checkfp(desc, ctx) ? CL_CLEAN : CL_VIRUS;
 	    }
 	    return CL_CLEAN;
 	}
@@ -965,7 +960,7 @@ int cli_scanpe(int desc, cli_ctx *ctx)
 		    *ctx->virname = "Broken.Executable";
 		free(section_hdr);
 		free(exe_sections);
-		return CL_VIRUS;
+		return cli_checkfp(desc, ctx) ? CL_CLEAN : CL_VIRUS;
 	    }
 	    min = exe_sections[i].rva;
 	    max = exe_sections[i].rva + exe_sections[i].rsz;
@@ -976,7 +971,7 @@ int cli_scanpe(int desc, cli_ctx *ctx)
 		    *ctx->virname = "Broken.Executable";
 		free(section_hdr);
 		free(exe_sections);
-		return CL_VIRUS;
+		return cli_checkfp(desc, ctx) ? CL_CLEAN : CL_VIRUS;
 	    }
 	    if(exe_sections[i].rva < min)
 	        min = exe_sections[i].rva;
@@ -994,7 +989,7 @@ int cli_scanpe(int desc, cli_ctx *ctx)
 	if(DETECT_BROKEN) {
 	    if(ctx->virname)
 		*ctx->virname = "Broken.Executable";
-	    return CL_VIRUS;
+	    return cli_checkfp(desc, ctx) ? CL_CLEAN : CL_VIRUS;
 	}
 	return CL_CLEAN;
     }
@@ -1031,7 +1026,7 @@ int cli_scanpe(int desc, cli_ctx *ctx)
 	    if((((uint32_t)cli_readint32(pt) ^ (uint32_t)cli_readint32(pt + 4)) == 0x505a4f) && (((uint32_t)cli_readint32(pt + 8) ^ (uint32_t)cli_readint32(pt + 12)) == 0xffffb) && (((uint32_t)cli_readint32(pt + 16) ^ (uint32_t)cli_readint32(pt + 20)) == 0xb8)) {
 	        *ctx->virname = "W32.Parite.B";
 		free(exe_sections);
-		return CL_VIRUS;
+		return cli_checkfp(desc, ctx) ? CL_CLEAN : CL_VIRUS;
 	    }
 	}
     }
@@ -1114,7 +1109,7 @@ int cli_scanpe(int desc, cli_ctx *ctx)
 		if (op==kzdsize+0x48 && *kzcode==0x75 && kzlen-(int8_t)kzcode[1]-3<=kzinitlen && kzlen-(int8_t)kzcode[1]>=kzxorlen) {
 		    *ctx->virname = "W32.Kriz";
 		    free(exe_sections);
-		    return CL_VIRUS;
+		    return cli_checkfp(desc, ctx) ? CL_CLEAN : CL_VIRUS;
 		}
 		cli_dbgmsg("kriz: loop out of bounds, corrupted sample?\n");
 		kzstate++;
@@ -1141,7 +1136,7 @@ int cli_scanpe(int desc, cli_ctx *ctx)
 		if(cli_memstr(buff, 4091, "\xe8\x2c\x61\x00\x00", 5)) {
 		    *ctx->virname = dam ? "W32.Magistr.A.dam" : "W32.Magistr.A";
 		    free(exe_sections);
-		    return CL_VIRUS;
+		    return cli_checkfp(desc, ctx) ? CL_CLEAN : CL_VIRUS;
 		} 
 	    }
 
@@ -1153,7 +1148,7 @@ int cli_scanpe(int desc, cli_ctx *ctx)
 		if(cli_memstr(buff, 4091, "\xe8\x04\x72\x00\x00", 5)) {
 		    *ctx->virname = dam ? "W32.Magistr.B.dam" : "W32.Magistr.B";
 		    free(exe_sections);
-		    return CL_VIRUS;
+		    return cli_checkfp(desc, ctx) ? CL_CLEAN : CL_VIRUS;
 		} 
 	    }
 	}
@@ -1211,7 +1206,7 @@ int cli_scanpe(int desc, cli_ctx *ctx)
 		*ctx->virname = "W32.Polipos.A";
 		free(jumps);
 		free(exe_sections);
-		return CL_VIRUS;
+		return cli_checkfp(desc, ctx) ? CL_CLEAN : CL_VIRUS;
 	    }
 	}
 	free(jumps);
@@ -1236,6 +1231,8 @@ int cli_scanpe(int desc, cli_ctx *ctx)
 		    }
 		    if (ret != CL_CLEAN) {
 			    free(exe_sections);
+			    if(ret == CL_VIRUS)
+				return cli_checkfp(desc, ctx) ? CL_CLEAN : CL_VIRUS;
 			    return ret;
 		    }
 	    }
diff --git a/libclamav/scanners.c b/libclamav/scanners.c
index 164af75..0d17870 100644
--- a/libclamav/scanners.c
+++ b/libclamav/scanners.c
@@ -245,7 +245,7 @@ static int cli_unrar_scanmetadata(int desc, unrar_metadata_t *metadata, cli_ctx
 
     if(mdata) {
 	*ctx->virname = mdata->virname;
-	return CL_VIRUS;	   
+	return cli_checkfp(desc, ctx) ? CL_CLEAN : CL_VIRUS;
     }
 
     if(DETECT_ENCRYPTED && metadata->encrypted) {
@@ -1336,13 +1336,15 @@ static int cli_scanscrenc(int desc, cli_ctx *ctx)
     return ret;
 }
 
-static int cli_scanriff(int desc, const char **virname)
+static int cli_scanriff(int desc, cli_ctx *ctx)
 {
 	int ret = CL_CLEAN;
 
     if(cli_check_riff_exploit(desc) == 2) {
-	ret = CL_VIRUS;
-	*virname = "Exploit.W32.MS05-002";
+	if(!cli_checkfp(desc, ctx)) {
+	    ret = CL_VIRUS;
+	    *ctx->virname = "Exploit.W32.MS05-002";
+	}
     }
 
     return ret;
@@ -1353,8 +1355,10 @@ static int cli_scanjpeg(int desc, cli_ctx *ctx)
 	int ret = CL_CLEAN;
 
     if(cli_check_jpeg_exploit(desc, ctx) == 1) {
-	ret = CL_VIRUS;
-	*ctx->virname = "Exploit.W32.MS04-028";
+	if(!cli_checkfp(desc, ctx)) {
+	    ret = CL_VIRUS;
+	    *ctx->virname = "Exploit.W32.MS04-028";
+	}
     }
 
     return ret;
@@ -1614,13 +1618,13 @@ static int cli_scan_structured(int desc, cli_ctx *ctx)
     if(cc_count != 0 && cc_count >= ctx->engine->min_cc_count) {
 	cli_dbgmsg("cli_scan_structured: %u credit card numbers detected\n", cc_count);
 	*ctx->virname = "Structured.CreditCardNumber";
-	return CL_VIRUS;
+	return cli_checkfp(desc, ctx) ? CL_CLEAN : CL_VIRUS;
     }
 
     if(ssn_count != 0 && ssn_count >= ctx->engine->min_ssn_count) {
 	cli_dbgmsg("cli_scan_structured: %u social security numbers detected\n", ssn_count);
 	*ctx->virname = "Structured.SSN";
-	return CL_VIRUS;
+	return cli_checkfp(desc, ctx) ? CL_CLEAN : CL_VIRUS;
     }
 
     return CL_CLEAN;
@@ -2025,7 +2029,7 @@ int cli_magic_scandesc(int desc, cli_ctx *ctx)
 
 	case CL_TYPE_RIFF:
 	    if(SCAN_ALGO && (DCONF_OTHER & OTHER_CONF_RIFF))
-		ret = cli_scanriff(desc, ctx->virname);
+		ret = cli_scanriff(desc, ctx);
 	    break;
 
 	case CL_TYPE_GRAPHICS:
@@ -2055,7 +2059,7 @@ int cli_magic_scandesc(int desc, cli_ctx *ctx)
 
 	case CL_TYPE_BINARY_DATA:
 	    if(SCAN_ALGO && (DCONF_OTHER & OTHER_CONF_MYDOOMLOG))
-		ret = cli_check_mydoom_log(desc, ctx->virname);
+		ret = cli_check_mydoom_log(desc, ctx);
 	    break;
 
 	case CL_TYPE_TEXT_ASCII:
diff --git a/libclamav/special.c b/libclamav/special.c
index 232d1a9..7241f2a 100644
--- a/libclamav/special.c
+++ b/libclamav/special.c
@@ -39,6 +39,7 @@
 #include "others.h"
 #include "cltypes.h"
 #include "special.h"
+#include "matcher.h"
 
 /* NOTE: Photoshop stores data in BIG ENDIAN format, this is the opposite
 	to virtually everything else */
@@ -46,7 +47,7 @@
 #define special_endian_convert_16(v) be16_to_host(v)
 #define special_endian_convert_32(v) be32_to_host(v)
 
-int cli_check_mydoom_log(int desc, const char **virname)
+int cli_check_mydoom_log(int desc, cli_ctx *ctx)
 {
 	int32_t record[8], check;
 	int i, retval=CL_VIRUS, j;
@@ -78,8 +79,9 @@ int cli_check_mydoom_log(int desc, const char **virname)
     if (j < 2) {
 	retval = CL_CLEAN;
     } else if (retval==CL_VIRUS) {
-	if(virname)
-	    *virname = "Worm.Mydoom.M.log";
+	if(cli_checkfp(desc, ctx))
+	    return CL_CLEAN;
+	*ctx->virname = "Worm.Mydoom.M.log";
     }
 
     return retval;
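Review bot: The old code guarded the store with `if(virname)`, but the new line writes `*ctx->virname` unconditionally, so a context with a NULL `virname` pointer would now be dereferenced. elf.c and pe.c in this same commit still test `if(ctx->virname)` before assigning, which suggests NULL is a supported state. Keeping the guard is a one-line change: `if(ctx->virname) *ctx->virname = "Worm.Mydoom.M.log";`. The start of cli_check_mydoom_log is outside this hunk.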
diff --git a/libclamav/special.h b/libclamav/special.h
index 55d8a51..41b9644 100644
--- a/libclamav/special.h
+++ b/libclamav/special.h
@@ -33,7 +33,7 @@ struct swizz_stats {
 	int entries;
 };
 
-int cli_check_mydoom_log(int desc, const char **virname);
+int cli_check_mydoom_log(int desc, cli_ctx *ctx);
 int cli_check_jpeg_exploit(int fd, cli_ctx *ctx);
 int cli_check_riff_exploit(int fd);
 void cli_detect_swizz_str(const unsigned char *str, uint32_t len, struct swizz_stats *stats, int blob);
diff --git a/libclamav/unzip.c b/libclamav/unzip.c
index 162f0ac..aec537c 100644
--- a/libclamav/unzip.c
+++ b/libclamav/unzip.c
@@ -317,7 +317,7 @@ static int unz(uint8_t *src, uint32_t csize, uint32_t usize, uint16_t method, ui
   return ret;
 }
 
-static unsigned int lhdr(uint8_t *zip, uint32_t zsize, unsigned int *fu, unsigned int fc, uint8_t *ch, int *ret, cli_ctx *ctx, char *tmpd) {
+static unsigned int lhdr(uint8_t *zip, uint32_t zsize, unsigned int *fu, unsigned int fc, uint8_t *ch, int *ret, cli_ctx *ctx, char *tmpd, int fd) {
   uint8_t *lh = zip;
   char name[256];
   uint32_t csize, usize;
@@ -364,8 +364,12 @@ static unsigned int lhdr(uint8_t *zip, uint32_t zsize, unsigned int *fu, unsigne
 	 )
 	) meta = meta->next;
   if(meta) {
-    *ctx->virname = meta->virname;
-    *ret = CL_VIRUS;
+    if(!cli_checkfp(fd, ctx)) {
+      *ctx->virname = meta->virname;
+      *ret = CL_VIRUS;
+    } else
+      *ret = CL_CLEAN;
+
     return 0;
   }
 
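Review bot: The `fd` hashed here is the descriptor of the whole archive (cli_unzip and cli_unzip_single pass `f`), so a metadata match on one member is dropped only when the container's MD5 is whitelisted; a comment at the call would make that explicit, e.g. `/* fd is the archive: the fp check is keyed on the container's MD5, not the member's */`. On the whitelisted path `*ret = CL_CLEAN` is followed by `return 0`, which ends the local-header loop in cli_unzip because `(coff=lhdr(...))` becomes false, so later members are not visited there, whereas chdr ignores lhdr's return value and keeps iterating. If skipping the rest is intended because the whole file is trusted, the comment should say so; otherwise the two paths should agree. cli_unrar_scanmetadata in scanners.c may have the same container-versus-member question, though what its `desc` refers to is not visible here. lhdr's body continues outside the hunk.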
@@ -427,7 +431,7 @@ static unsigned int lhdr(uint8_t *zip, uint32_t zsize, unsigned int *fu, unsigne
 }
 
 
-static unsigned int chdr(uint8_t *zip, uint32_t coff, uint32_t zsize, unsigned int *fu, unsigned int fc, int *ret, cli_ctx *ctx, char *tmpd) {
+static unsigned int chdr(uint8_t *zip, uint32_t coff, uint32_t zsize, unsigned int *fu, unsigned int fc, int *ret, cli_ctx *ctx, char *tmpd, int fd) {
   uint8_t *ch = &zip[coff];
   char name[256];
   int last = 0;
@@ -465,7 +469,7 @@ static unsigned int chdr(uint8_t *zip, uint32_t coff, uint32_t zsize, unsigned i
   coff+=CH_clen;
 
   if(CH_off<zsize-SIZEOF_LH) {
-    lhdr(&zip[CH_off], zsize-CH_off, fu, fc, ch, ret, ctx, tmpd);
+    lhdr(&zip[CH_off], zsize-CH_off, fu, fc, ch, ret, ctx, tmpd, fd);
   } else cli_dbgmsg("cli_unzip: ch - local hdr out of file\n");
   return last?0:coff;
 }
@@ -535,7 +539,7 @@ int cli_unzip(int f, cli_ctx *ctx) {
 
   if(coff) {
     cli_dbgmsg("cli_unzip: central @%x\n", coff);
-    while(ret==CL_CLEAN && (coff=chdr(map, coff, fsize, &fu, fc+1, &ret, ctx, tmpd))) {
+    while(ret==CL_CLEAN && (coff=chdr(map, coff, fsize, &fu, fc+1, &ret, ctx, tmpd, f))) {
       fc++;
       if (ctx->engine->maxfiles && fu>=ctx->engine->maxfiles) {
 	cli_dbgmsg("cli_unzip: Files limit reached (max: %u)\n", ctx->engine->maxfiles);
@@ -545,7 +549,7 @@ int cli_unzip(int f, cli_ctx *ctx) {
   } else cli_dbgmsg("cli_unzip: central not found, using localhdrs\n");
   if(fu<=(fc/4)) { /* FIXME: make up a sane ratio or remove the whole logic */
     fc = 0;
-    while (ret==CL_CLEAN && lhoff<fsize && (coff=lhdr(&map[lhoff], fsize-lhoff, &fu, fc+1, NULL, &ret, ctx, tmpd))) {
+    while (ret==CL_CLEAN && lhoff<fsize && (coff=lhdr(&map[lhoff], fsize-lhoff, &fu, fc+1, NULL, &ret, ctx, tmpd, f))) {
       fc++;
       lhoff+=coff;
       if (ctx->engine->maxfiles && fu>=ctx->engine->maxfiles) {
@@ -602,7 +606,7 @@ int cli_unzip_single(int f, cli_ctx *ctx, off_t lhoffl) {
     return CL_EREAD;
   }
 #endif
-  lhdr(&map[lhoffl], fsize, &fu, 0, NULL, &ret, ctx, NULL);
+  lhdr(&map[lhoffl], fsize, &fu, 0, NULL, &ret, ctx, NULL, f);
 
   destroy_map(map, st.st_size);
   return ret;

-- 
Debian repository for ClamAV


