From 706c2943acf6cbd4df0e7267089d3fcfe8688abc Mon Sep 17 00:00:00 2001
From: Shawn Webb <swebb@sourcefire.com>
Date: Mon, 14 Jul 2014 13:43:00 -0400
Subject: [PATCH] Detect the PDF obfuscated name heuristic no matter if we care
 about the key being processed

---
 libclamav/pdf.c | 18 +++++++++---------
 1 file changed, 9 insertions(+), 9 deletions(-)

diff --git a/libclamav/pdf.c b/libclamav/pdf.c
index 63a1dfac6..90c830fa8 100644
--- a/libclamav/pdf.c
+++ b/libclamav/pdf.c
@@ -1407,6 +1407,13 @@ static void handle_pdfname(struct pdf_struct *pdf, struct pdf_obj *obj, const ch
         }
     }
 
+    if (escapes) {
+        /* if a commonly used PDF name is escaped that is certainly
+           suspicious. */
+        cli_dbgmsg("cli_pdf: pdfname %s is escaped\n", pdfname);
+        pdfobj_flag(pdf, obj, ESCAPED_COMMON_PDFNAME);
+    }
+
     if (!act) {
         /* these are digital signature objects, filter doesn't matter,
          * we don't need them anyway */
@@ -1423,13 +1430,6 @@ static void handle_pdfname(struct pdf_struct *pdf, struct pdf_obj *obj, const ch
         act->pdf_stats_cb(pdf, obj, act);
 #endif
 
-    if (escapes) {
-        /* if a commonly used PDF name is escaped that is certainly
-           suspicious. */
-        cli_dbgmsg("cli_pdf: pdfname %s is escaped\n", pdfname);
-        pdfobj_flag(pdf, obj, ESCAPED_COMMON_PDFNAME);
-    }
-
     if (act->from_state == *state || act->from_state == STATE_ANY) {
         *state = act->to_state;
 
@@ -3380,11 +3380,11 @@ static void Pages_cb(struct pdf_struct *pdf, struct pdf_obj *obj, struct pdfname
     if (!(pdf) || !(pdf->ctx->wrkproperty))
         return;
 
-    objsz = obj_size(pdf, obj, 1);
-
     if (!(pdf->ctx->options & CL_SCAN_FILE_PROPERTIES))
         return;
 
+    objsz = obj_size(pdf, obj, 1);
+
     pdfobj = cli_jsonobj(pdf->ctx->wrkproperty, "PDFStats");
     if (!(pdfobj))
         return;