[Pkg-clamav-commits] [SCM] Debian repository for ClamAV branch, debian/unstable, updated. debian/0.95+dfsg-1-6156-g094ec9b

aCaB acab at clamav.net
Sun Apr 4 01:08:08 UTC 2010


The following commit has been merged in the debian/unstable branch:
commit fc355be43288271249dede07c07e50a0d94bfca9
Author: aCaB <acab at clamav.net>
Date:   Fri Oct 23 20:49:12 2009 +0200

    unarj leaks

diff --git a/ChangeLog b/ChangeLog
index c9ef7da..4962902 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,3 +1,7 @@
+Fri Oct 23 20:48:12 CEST 2009 (acab)
+------------------------------------
+ * libclamav/unarj: fix error path leaks and valgrind warnings
+
 Wed Oct 21 17:50:05 CEST 2009 (acab)
 ------------------------------------
  * win32: introduce safe_open() (sic!)
diff --git a/libclamav/scanners.c b/libclamav/scanners.c
index aba235a..2ee46e5 100644
--- a/libclamav/scanners.c
+++ b/libclamav/scanners.c
@@ -381,15 +381,16 @@ static int cli_scanarj(int desc, cli_ctx *ctx, off_t sfx_offset, uint32_t *sfx_c
 	return ret;
     }
     
-   metadata.filename = NULL;
-
    do {
+        metadata.filename = NULL;
 	ret = cli_unarj_prepare_file(desc, dir, &metadata);
 	if (ret != CL_SUCCESS) {
 	   break;
 	}
 	if ((ret = cli_checklimits("ARJ", ctx, metadata.orig_size, metadata.comp_size, 0))!=CL_CLEAN) {
 	    ret = CL_SUCCESS;
+	    if (metadata.filename)
+		free(metadata.filename);
 	    continue;
 	}
 	ret = cli_unarj_extract_file(desc, dir, &metadata);
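Review bot: The cleanup added on the `cli_checklimits` skip path frees `metadata.filename` but leaves the pointer dangling, unlike the `CL_VIRUS` path in the next hunk, which also clears it. It is safe only because `continue` is followed by the reset at the top of the loop. The loop condition and any cleanup after the loop are outside this hunk, so an exit through that condition would presumably hand a stale pointer to later code. Since this runs on attacker-supplied archives, I would make both paths identical and drop the redundant guard: `free(metadata.filename); metadata.filename = NULL;`.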
@@ -400,6 +401,10 @@ static int cli_scanarj(int desc, cli_ctx *ctx, off_t sfx_offset, uint32_t *sfx_c
 	    if (rc == CL_VIRUS) {
 		cli_dbgmsg("ARJ: infected with %s\n",*ctx->virname);
 		ret = CL_VIRUS;
+		if (metadata.filename) {
+		    free(metadata.filename);
+		    metadata.filename = NULL;
+		}
 		break;
 	    }
 	}
diff --git a/libclamav/unarj.c b/libclamav/unarj.c
index 7e510fd..bd2eb49 100644
--- a/libclamav/unarj.c
+++ b/libclamav/unarj.c
@@ -408,7 +408,7 @@ static int read_c_len(arj_decode_t *decode_data)
 				mask = 1 << 7;
 				do {
 					if (c >= (2 * NC - 1)) {
-						cli_warnmsg("ERROR: bounds exceeded\n");
+						cli_dbgmsg("ERROR: bounds exceeded\n");
 						decode_data->status = CL_EFORMAT;
 						return CL_EFORMAT;
 					}
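Review bot: The messages changed in `read_c_len` (here and in the next two hunks) and in `decode_c` and `decode_p` still read `ERROR: bounds exceeded` with no module prefix, while the `decode`/`decode_f` messages touched by this commit start with `UNARJ:`. Now that they are debug-level only, a prefix is what lets someone triaging a malformed sample attribute the line. I suggest `cli_dbgmsg("UNARJ: read_c_len: bounds exceeded\n");` and the equivalent in the other two functions. The downgrade from `cli_warnmsg` itself looks reasonable for conditions any crafted input can trigger, since the `CL_EFORMAT`/`CL_EUNPACK` status is still set on these paths.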
@@ -442,7 +442,7 @@ static int read_c_len(arj_decode_t *decode_data)
 				}		
 				while (--c >= 0) {
 					if (i >= NC) {
-						cli_warnmsg("ERROR: bounds exceeded\n");
+						cli_dbgmsg("ERROR: bounds exceeded\n");
 						decode_data->status = CL_EFORMAT;
 						return CL_EFORMAT;
 					}
@@ -450,7 +450,7 @@ static int read_c_len(arj_decode_t *decode_data)
 				}
 			} else {
 				if (i >= NC) {
-					cli_warnmsg("ERROR: bounds exceeded\n");
+					cli_dbgmsg("ERROR: bounds exceeded\n");
 					decode_data->status = CL_EFORMAT;
 					return CL_EFORMAT;
 				}
@@ -484,7 +484,7 @@ static uint16_t decode_c(arj_decode_t *decode_data)
 		mask = 1 << 3;
 		do {
 			if (j >= (2 * NC - 1)) {
-				cli_warnmsg("ERROR: bounds exceeded\n");
+				cli_dbgmsg("ERROR: bounds exceeded\n");
 				decode_data->status = CL_EUNPACK;
 				return 0;
 			}
@@ -509,7 +509,7 @@ static uint16_t decode_p(arj_decode_t *decode_data)
 		mask = 1 << 7;
 		do {
 			if (j >= (2 * NC - 1)) {
-				cli_warnmsg("ERROR: bounds exceeded\n");
+				cli_dbgmsg("ERROR: bounds exceeded\n");
 				decode_data->status = CL_EUNPACK;
 				return 0;
 			}
@@ -537,7 +537,8 @@ static int decode(int fd, arj_metadata_t *metadata)
 	uint32_t count=0, out_ptr=0;
 	int16_t chr, i, j;
 
-	decode_data.text = (unsigned char *) cli_malloc(DDICSIZ);
+	memset(&decode_data, 0, sizeof(decode_data));
+	decode_data.text = (unsigned char *) cli_calloc(DDICSIZ, 1);
 	if (!decode_data.text) {
 		return CL_EMEM;
 	}
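Review bot: The new `memset` and the switch to `cli_calloc` in `decode` carry no comment saying why the zeroing matters, so a later cleanup could turn it back into `cli_malloc`. The ChangeLog entry mentions valgrind warnings, which presumably come from back-references reading window bytes that were never written. If so, it is worth recording above the allocation: `/* zero the state and window: a malformed archive may reference window bytes before they are written */`. The same comment applies to the identical change in the `decode_f` hunk. The body of `decode` continues outside this hunk, so the exact read that valgrind flagged cannot be confirmed from here.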
@@ -569,7 +570,7 @@ static int decode(int fd, arj_metadata_t *metadata)
 				i += DDICSIZ;
 			}
 			if ((i >= DDICSIZ) || (i < 0)) {
-				cli_warnmsg("UNARJ: bounds exceeded - probably a corrupted file.\n");
+				cli_dbgmsg("UNARJ: bounds exceeded - probably a corrupted file.\n");
 				break;
 			}
 			if (out_ptr > i && out_ptr < DDICSIZ - MAXMATCH - 1) {
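Review bot: The out-of-range branch in `decode` leaves the loop with a bare `break` and, in the lines visible here, sets neither `decode_data.status` nor a return code. With the message now at debug level, nothing in the hunk marks the member as truncated. The rest of the function is outside the hunk, so this may be handled after the loop. If it is not, adding `decode_data.status = CL_EFORMAT;` before the `break`, as `read_c_len` does, would keep the failure observable to the caller. The same pattern appears in the `decode_f` hunk.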
@@ -661,7 +662,8 @@ static int decode_f(int fd, arj_metadata_t *metadata)
 	int16_t chr, i, j, pos;
 
 	dd = &decode_data;
-	decode_data.text = (unsigned char *) cli_malloc(DDICSIZ);
+	memset(&decode_data, 0, sizeof(decode_data));
+	decode_data.text = (unsigned char *) cli_calloc(DDICSIZ, 1);
 	if (!decode_data.text) {
 		return CL_EMEM;
 	}
@@ -707,7 +709,7 @@ static int decode_f(int fd, arj_metadata_t *metadata)
 				i += DDICSIZ;
 			}
 			if ((i >= DDICSIZ) || (i < 0)) {
-				cli_warnmsg("UNARJ: bounds exceeded - probably a corrupted file.\n");
+				cli_dbgmsg("UNARJ: bounds exceeded - probably a corrupted file.\n");
 				break;
 			}
 			while (j-- > 0) {
@@ -979,12 +981,18 @@ static int arj_read_file_header(int fd, arj_metadata_t *metadata)
 
 	/* Skip CRC */
 	if (lseek(fd, (off_t) 4, SEEK_CUR) == -1) {
+		if(metadata->filename)
+		    free(metadata->filename);
+		metadata->filename = NULL;
 		return CL_EFORMAT;
 	}
 	
 	/* Skip past any extended header data */
 	for (;;) {
 		if (cli_readn(fd, &count, 2) != 2) {
+			if(metadata->filename)
+			    free(metadata->filename);
+			metadata->filename = NULL;
 			return CL_EFORMAT;
 		}
 		count = le16_to_host(count);
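Review bot: The same three-line cleanup is now pasted on each error return of `arj_read_file_header` (twice in this hunk, once more in the following one), which is how the next early return added to this function will leak again. A single exit would be sturdier: each site becomes `goto err;` and one label does `free(metadata->filename); metadata->filename = NULL; return CL_EFORMAT;`. `free(NULL)` is a no-op, so the `if` guard can go. The start and end of the function are outside the hunk, so earlier error returns cannot be checked from here. Any that run after the filename is allocated deserve the same treatment.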
@@ -994,6 +1002,9 @@ static int arj_read_file_header(int fd, arj_metadata_t *metadata)
 		}
 		/* Skip extended header + 4byte CRC */
 		if (lseek(fd, (off_t) (count + 4), SEEK_CUR) == -1) {
+			if(metadata->filename)
+			    free(metadata->filename);
+			metadata->filename = NULL;
 			return CL_EFORMAT;
 		}
 	}

-- 
Debian repository for ClamAV


