Obey limits in unspin

git-svn: trunk@2418
19 years ago · 8865a4d626
parent 9e1eb24a5f
commit 8865a4d626
4 changed files with 64 additions and 22 deletions
--- a/clamav-devel/ChangeLog
+++ b/clamav-devel/ChangeLog
@ -1,3 +1,7 @@
+Thu Oct 19 20:27:06 CEST 2006 (acab)
+------------------------------------
+  * libclamav: obey limits in unspin - closes bug#81 (thanks Trog)
+
 Thu Oct 19 18:34:43 BST 2006 (njh)
 ----------------------------------
  * libclamav:	Added JavaScript scanning
--- a/clamav-devel/libclamav/pe.c
+++ b/clamav-devel/libclamav/pe.c
@ -1892,7 +1892,19 @@ int cli_scanpe(int desc, cli_ctx *ctx)
       EC32(optional_hdr32.AddressOfEntryPoint) < EC32(section_hdr[nsections - 1].VirtualAddress) + EC32(section_hdr[nsections - 1].SizeOfRawData) - 0x3217 - 4 &&
       memcmp(buff+4, "\xe8\x00\x00\x00\x00\x8b\x1c\x24\x83\xc3", 10) == 0)  {

-	    char *spinned;
+	char *spinned;
+	int spinres;
+	    
+	if(ctx->limits && ctx->limits->maxfilesize && fsize > ctx->limits->maxfilesize) {
+	    cli_dbgmsg("PEspin: Size exceeded (fsize: %u, max: %lu)\n", fsize, ctx->limits->maxfilesize);
+            free(section_hdr);
+	    if(BLOCKMAX) {
+		*ctx->virname = "PE.Pespin.ExceededFileSize";
+		return CL_VIRUS;
+	    } else {
+		return CL_CLEAN;
+	    }
+	}

 	if((spinned = (char *) cli_malloc(fsize)) == NULL) {
 	    free(section_hdr);
@ -1921,36 +1933,47 @@ int cli_scanpe(int desc, cli_ctx *ctx)
 	    return CL_EIO;
 	}

-	if(!unspin(spinned, fsize, section_hdr, nsections - 1, EC32(optional_hdr32.AddressOfEntryPoint), ndesc)) {
+	switch(unspin(spinned, fsize, section_hdr, nsections - 1, EC32(optional_hdr32.AddressOfEntryPoint), ndesc, ctx)) {
+	case 0:
 	    free(spinned);
-	    cli_dbgmsg("PESpin: Unpacked and rebuilt executable saved in %s\n", tempfile);
+	    if(cli_leavetemps_flag)
+		cli_dbgmsg("PESpin: Unpacked and rebuilt executable saved in %s\n", tempfile);
+	    else
+		cli_dbgmsg("PESpin: Unpacked and rebuilt executable\n");
 	    fsync(ndesc);
 	    lseek(ndesc, 0, SEEK_SET);
-
 	    if(cli_magic_scandesc(ndesc, ctx) == CL_VIRUS) {
-		free(section_hdr);
 		close(ndesc);
-		if(!cli_leavetemps_flag) {
+		if(!cli_leavetemps_flag)
 		    unlink(tempfile);
-		    free(tempfile);
-		} else {
-		    free(tempfile);
-		}
+	        free(tempfile);
+		free(section_hdr);
 		return CL_VIRUS;
 	    }
-
-	} else {
+	    close(ndesc);
+   	    if(!cli_leavetemps_flag)
+		unlink(tempfile);
+	    break;
+	case 1:
 	    free(spinned);
+	    close(ndesc);
+	    unlink(tempfile);
 	    cli_dbgmsg("PESpin: Rebuilding failed\n");
-	}
-
-	close(ndesc);
-	if(!cli_leavetemps_flag) {
+	    break;
+	case 2:
+	    free(spinned);
+	    close(ndesc);
 	    unlink(tempfile);
-	    free(tempfile);
-	} else {
-	    free(tempfile);
+	    cli_dbgmsg("PESpin: Size exceeded\n");
+	    if(BLOCKMAX) {
+		free(tempfile);
+		free(section_hdr);
+		*ctx->virname = "PE.Pespin.ExceededFileSize";
+		return CL_VIRUS;
+	    }
 	}
+	free(tempfile);
+	
    }


--- a/clamav-devel/libclamav/spin.c
+++ b/clamav-devel/libclamav/spin.c
@ -155,7 +155,7 @@ static uint32_t summit (char *src, int size)
 }


-int unspin(char *src, int ssize, struct pe_image_section_hdr *sections, int sectcnt, uint32_t nep, int desc) {
+int unspin(char *src, int ssize, struct pe_image_section_hdr *sections, int sectcnt, uint32_t nep, int desc, cli_ctx *ctx) {
  char *curr, *emu, *ep, *spinned;
  char **sects;
  int blobsz=0, j;
@ -371,6 +371,21 @@ int unspin(char *src, int ssize, struct pe_image_section_hdr *sections, int sect

  bitmap = cli_readint32(ep+0x3061);
  bitman = bitmap;
+
+  if(ctx->limits && ctx->limits->maxfilesize) {
+    unsigned long int filesize = 0;
+    
+    for (j=0; j<sectcnt; j++) {
+      if (bitmap&1) {
+	if ( filesize > ctx->limits->maxfilesize || (uint32_t)EC32(sections[j].VirtualSize) > ctx->limits->maxfilesize - filesize ) return 2;
+	filesize += (uint32_t)EC32(sections[j].VirtualSize);
+      }
+      bitmap>>=1;
+    }
+    
+    bitmap = bitman;
+  }
+
  cli_dbgmsg("spin: Compression bitmap is %x\n", bitmap);
  if ( (sects= (char **) cli_malloc(sectcnt*sizeof(char *))) == NULL )
    return 1;
@ -395,7 +410,7 @@ int unspin(char *src, int ssize, struct pe_image_section_hdr *sections, int sect
      sects[j] = src + EC32(sections[j].PointerToRawData);
      cli_dbgmsg("spin: Not growing sect%d\n", j);
    }
-    bitmap = bitmap >>1 & 0x7fffffff;
+    bitmap>>=1;
  }
  
  cli_dbgmsg("spin: decompression complete\n");
--- a/clamav-devel/libclamav/spin.h
+++ b/clamav-devel/libclamav/spin.h
@ -23,6 +23,6 @@
 #include "cltypes.h"
 #include "rebuildpe.h"

-int unspin(char *, int, struct pe_image_section_hdr *, int, uint32_t, int);
+int unspin(char *, int, struct pe_image_section_hdr *, int, uint32_t, int, cli_ctx *);

 #endif