Output partially extracted blocks in pdf.

Sometimes PDF claims the zlib data is longer/shorter than it really is. We always prefer the longest one, which can lead zlib to return an error when we run off the end. So dump the remaining extracted data from zlib's buffer to disk, it usually contains all we need already (and if not we're going to dump the raw inflate stream anyway). This fixes 3 missed samples of Exploit.PDF-60 in the regression test.
15 years ago · 89590e9974
parent 1bb5a24d3e
commit 89590e9974
1 changed files with 11 additions and 1 deletions
--- a/libclamav/pdf.c
+++ b/libclamav/pdf.c
@ -307,11 +307,11 @@ static int filter_flatedecode(struct pdf_struct *pdf, struct pdf_obj *obj,

    nbytes = 0;
    while(stream.avail_in) {
+	int written;
 	zstat = inflate(&stream, Z_NO_FLUSH);	/* zlib */
 	switch(zstat) {
 	    case Z_OK:
 		if(stream.avail_out == 0) {
-		    int written;
 		    if ((written=filter_writen(pdf, obj, fout, output, sizeof(output), sum))!=sizeof(output)) {
 			cli_errmsg("cli_pdf: failed to write output file\n");
 			inflateEnd(&stream);
@ -325,6 +325,16 @@ static int filter_flatedecode(struct pdf_struct *pdf, struct pdf_obj *obj,
 	    case Z_STREAM_END:
 		break;
 	    default:
+		written = sizeof(output) - stream.avail_out;
+		if (filter_writen(pdf, obj, fout, output, written, sum)!=written) {
+		    cli_errmsg("cli_pdf: failed to write output file\n");
+		    inflateEnd(&stream);
+		    return CL_EWRITE;
+		}
+		nbytes += written;
+		stream.next_out = (Bytef *)output;
+		stream.avail_out = sizeof(output);
+
 		if(stream.msg)
 		    cli_dbgmsg("cli_pdf: after writing %lu bytes, got error \"%s\" inflating PDF stream in %u %u obj\n",
 			       (unsigned long)nbytes,