From 706c2943acf6cbd4df0e7267089d3fcfe8688abc Mon Sep 17 00:00:00 2001
From: Shawn Webb
Date: Mon, 14 Jul 2014 13:43:00 -0400
Subject: [PATCH] Detect the PDF obfuscated name heuristic no matter if we care about the key being processed
---
 libclamav/pdf.c | 18 +++++++++---------
 1 file changed, 9 insertions(+), 9 deletions(-)
diff --git a/libclamav/pdf.c b/libclamav/pdf.c
index 63a1dfac6..90c830fa8 100644
--- a/libclamav/pdf.c
+++ b/libclamav/pdf.c
@@ -1407,6 +1407,13 @@ static void handle_pdfname(struct pdf_struct *pdf, struct pdf_obj *obj, const ch
 }
 }

+ if (escapes) {
+ /* if a commonly used PDF name is escaped that is certainly
+ suspicious. */
+ cli_dbgmsg("cli_pdf: pdfname %s is escaped\n", pdfname);
+ pdfobj_flag(pdf, obj, ESCAPED_COMMON_PDFNAME);
+ }
+
 if (!act) {
 /* these are digital signature objects, filter doesn't matter,
 * we don't need them anyway */
@@ -1423,13 +1430,6 @@ static void handle_pdfname(struct pdf_struct *pdf, struct pdf_obj *obj, const ch
 act->pdf_stats_cb(pdf, obj, act);
 #endif

- if (escapes) {
- /* if a commonly used PDF name is escaped that is certainly
- suspicious. */
- cli_dbgmsg("cli_pdf: pdfname %s is escaped\n", pdfname);
- pdfobj_flag(pdf, obj, ESCAPED_COMMON_PDFNAME);
- }
-
 if (act->from_state == *state ||
 act->from_state == STATE_ANY) {
 *state = act->to_state;
@@ -3380,11 +3380,11 @@ static void Pages_cb(struct pdf_struct *pdf, struct pdf_obj *obj, struct pdfname
 if (!(pdf) || !(pdf->ctx->wrkproperty))
 return;

- objsz = obj_size(pdf, obj, 1);
-
 if (!(pdf->ctx->options & CL_SCAN_FILE_PROPERTIES))
 return;

+ objsz = obj_size(pdf, obj, 1);
+
 pdfobj = cli_jsonobj(pdf->ctx->wrkproperty, "PDFStats");
 if (!(pdfobj))
 return;
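Review bot: In the first hunk (`handle_pdfname`) the escape check now sits ahead of the `if (!act)` early return, so it appears to set `ESCAPED_COMMON_PDFNAME` for every escaped name, while the comment still says "a commonly used PDF name". PDF names may legitimately carry `#xx` escapes (for example for a space), so after this change the flag is a weaker signal and may fire on benign files; that is worth stating for whoever consumes it. I would reword the comment to `/* any escaped name is flagged here, known or not; weak signal on its own */`. The function body begins and ends outside the hunk, so the reading that `act` is NULL only for names the scanner does not act on is inferred from the commit title.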