From 9b82f82b6bc125e6606fcae108056446e702afdf Mon Sep 17 00:00:00 2001
From: Tomasz Kojm
Date: Fri, 9 Mar 2007 03:29:28 +0000
Subject: [PATCH] add support for floating offsets
git-svn: trunk@2922
---
 ChangeLog | 6 ++++++
 docs/signatures.pdf | Bin 22362 -> 23478 bytes
 docs/signatures.tex | 11 ++++++++++-
 libclamav/matcher-ncore.c | 13 +++++++++----
 libclamav/matcher.c | 18 ++++++++++++++----
 libclamav/matcher.h | 4 ++--
 6 files changed, 41 insertions(+), 11 deletions(-)
diff --git a/ChangeLog b/ChangeLog
index 411ae1688..2d1346ad1 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,3 +1,9 @@
+Fri Mar 9 02:34:11 CET 2007 (tk)
+---------------------------------
+ * libclamav/matcher.c: add support for floating offsets, requested by
+ Christoph
+ * docs: update signatures.pdf
+
 Thu Mar 8 22:45:39 CET 2007 (tk)
 ---------------------------------
 * libclamav/matcher-ac.c: fix incorrect calculation of maxshift in some cases
diff --git a/docs/signatures.pdf b/docs/signatures.pdf index c7edb05f0b6cd0b698b57b4ffacfc602645fa95d..9b6faf5551b7a106ca1d93125e866ef1c6c391e4 100644 GIT binary patch delta 12075 zcmZvAWmH_zx+D_ZCAhmJKm$!Tgy8P(?(R;Yad&rjcXx*b2oT&oxO*UzcV}j;yOMW) z?NeK7SAAQ~`BrM6TUw#(GD#s?()J`EZ20@KuW!Naw(<>g+b@O&7)W_w#Jy$^+3E0= zA&qoH{j9_Sb;_Gh#HslE<*XyJ=pZxup~Ap&iV{Yq_ug$cybO4gfTRA)W4Lx!&SJ;Mvtp2E12j*H>VZ*UR` zWcQkgXI5vPu3Y$aB8=J)-R+&s^SIRQ2$CdYSH;KC{n|Vwao~#0w%OOhzc7#_lVFF2UcrH4NY@@M|aKr8Eqky zQ)6OV^7jZk2mK%0_`IlCn79W92rQRNxg!gk+j=JVR-Nap8N^z6cyPH`cwbhD5WDy3 z5rGW{RdYA0c0~qpYERfn*ul)DUSEmK%SsxkJ=@Bx)J2O)cb%_~eRc}3z6;Gs7y4xq za0~wQJg?pc)F9zQ^jtuCmrxioT=>7W$usdesf=8R%*y8YcIXzDeF0u?NR_xh$2*T> z{r3a>hyxH`Z!o2#77}QY?FFIPP>ucHtux+vYn<`cyAllxMXp$Na9jPfRy-RDDi+O_ zF=kAn8bV02aJN0E7B=4B+Ut2OhC4o`@gQgQC7y-o}4#p6k z^o&}yyVt%7CeHdiyxkjlp@+BW6U_SI#?;XxkTvTNd*@V_1BJ095i=wf+%>Yzh(11I z?|5GY?)oSNX=6ryDSkYMMc>@LL_wcc9Pm1~CS5aBT{|HQ6#vO@u&z4u%TpVKEtq+Q8p}zCPU*taAK>QlX9q*0#weuthk2nQ*G^Kf{ zKh{MtepGrV2~`m~}OA78N5#mr3I(t%-6HNl&$WPNO|pl-J73LU(+6j(yF+;I8u0`MrV;;3W~& z0h=3TC|PQ}f{H5r`BS&oeD4al>3g`icHRu8sX?6<_ekd1?+p|tIA{xX;}r9cwf;h< z`u*oyeFD8|MPOtT(KZjI{4H5Ku60)EklVaSJIJboQr?W+L*n(0@>xXpC@w)%8FaxZNy$W?d23S*ThY} z78KOL18PxAeLIlIL*Jz<+;3LG^wP5@551tgy$XFm7uGdK{i#p1L|mr`Zm@)~-_CI11}7GoHv91iZRHC zm|P?ATh^`kj?r+-J|ZJNk=_l*(O?PMl}{w^Gpgq;;nYS<+_kO9YFS>4NpF(HCT)(xc5GWq`SFp>2v`xx(2$MVa2W;;8u>@QWxuw=KITD_c5`s{zWr1~CbMH6 z21$TID56Ew+j`MY)h$|fU9cWCjrjzWYF~X7F|)cDE0vCZORakcqNYaI*cAm7%nqvb z?WwUGjHGRHIsJVz&Q7vgiuQafH+ghL?D$GkKO}7F4X^&yJWF@WVZFERJ><%jlsCyv zNTvIzP}U-Zc5_=LrR?O)KtiwP3sn~yRDjqxgT%Wv(hcDioSlg@{wE_w#( z>EnmXq9`%sxw?+{%`x~Unj!iM0uiB=xBUh}!huPe-L0v}TnPq( z?JVfh6Hf?FSSUSk3bXcVjj2{PCmqZ(h42|YEf z^qRO>lYQ*6%PVCO?9HZaI}?sU3otqbr05) zg7R@qWU?nLPL$|G0r16$q~<;Ls8aAWHrlA@3BP|3&?Nkp2edKMhmkYxk!?#zirTSU zvYy+d47qdRb3}`67D80Xa-dm1)ekA`JB93ZoVQBTP)UE2#e;PD&o69&J`?+%QbZ9! 
zgP@?O(ew@srS{+^41t<=vF!)`sA*&dj6Df~sgO2~ORF8avx_mUjL2^l(|wl7AE0nQ zJW?|&znd*$xVu)nd26LhbW&6fiMl1p3Z+shXea@a; zq_xp2cHIVC$dVXQM=Iq6}`s2+g%iY*e4yuh097+>zt7m7# z`Vl_$^GE0_TEyhdN>+5 zykXkfnpu80q2>wcwaZlgOvtWysXtn(SH!)qTD2cGP-2LeC)IL(RLxlSqlw)Y?`O4w zE{s|@2Pq528|?45cY4kugo)+!#IT$o&csoAAqcUqJxME;#pdm7uS2YRi+$%Wy4REz zyO{zxWo-$6I-fXsb4@=Q<^+<}C(76Ebjs9E!YmKxG^>`#{cQcTp@UCvTd#FLKh^)d zvVVj)d)~g_PkfxRi+vu}-`ZTB!4Rja(Lnue%YqL9hp75eir`1ZNA50)TekWE8*aR| zy&yA^-QXVHXS=6)t9AF9i{|*Rk@H%v-ROeb3R>M=h3TNm=AT`23#_e|GmlgEZk`PZ z*|UN#`^?X8Zu_6Mi`Bo9?~Wm4KBQ4>-?UxdNew74BT&z9GbihA3{1#rAHmtc{44>% zl9gc4`EntnyIyMcO>D68V-Cq~u%CCA#6kvLzhM66ej~F3GQhx^re z<;#2rPa&iu9P<|wUmsdm@CivS%zdwJIST_l(0mmsH1o+#j$S7^a|*u6ZxC+vrUbJ1 zBxhTbN^WZrx4~_oN^m7Bl2Vd4E0M*9S+DK{hF8~H<^dP=E)&xRMZ2Ub9VY%sNP;oLk%@q2r*QS>K7j~17C%_T*<5NR(V54EXDYf}{~%Lc@Nycu!D`(u zaD4O+VLfuQx46#=skQW25)C{Fx`e|!43<^yK1N+jCk|%-b{}y0jg!t1lz5p>Hm}Jr zIKcFi8PF$qzVCpVATZp@L6-PYy|D6i$}4a~#Q(^dP(oix^$l zEYv?kD--?9^`4+^SPTwV(0%r)%ug&R&gJs6v+rT>&8{$#cCv=v0I-unP%-_S9ig3& zUeGKlz>+u^*Fm}GGRTv3{92rsZuT{QLlHVbE9I@oAt%20*TCwma*CR5tdi#Y*Fx7i zWxSHIS#+*0+TxWBWgi9ZzF-LMp`)mw+Z)BNWKM$^evY@VqnvA|hEzeRoZflCfQcni zn%OOquEycyoII8B8jK7f+L8%UWMKtC&-P3mBAYV!i($h^ta4NNGQNCGXGCM5fQul0 zTso{l%60)zre_}Bud>~~JGY`>hjCC%?HR)%SUH!hrGOjcFV1fQMF6>!*0D6q6r?&_ z_7zZpN54DUqIsupWpPx>5bgq`ln__0*qKEQZpN9D9ytqgIhnNE)#+RqdG33#PusGlw-z8a?s4z1L~Rs?$35j$ z$$MhE+6^Rvy&58I@qJR^oMh8wK$<_PBq7q{xT zO;T)aP|FTYMMDWqe*xVIP%~m%zMor3EfmuWno|c2CDH2*5>7v}%FTqW zcdUpjIV=)W7LRGf5hpXJkKvsn+Z$_yACF@r;BDO%ML(F3Xecd*4tLXeZpot+iOf!n zXzyk+jM+48u7u#uA>JG75qlKOI)r+!p)IXZkm&xBhEJ-iY>Xfk(~6&kqwOQ=7}oOo zzN%MTXCz*YDniG32aVqp{8$t*?YLjGLY+iM+98X;2o4kMrFxzoej_7-wYsfhTNz1*GZZG&r5$E0#x}VtX{|>JMTLYYXX-Q{18MOlrW%w(wS~E zg3#m&uKq`f1m+JroEyV_7Lmg!hS{rXiTdmxG92j(#Eru!-hE+V2Jqdqlnkg|YD zg$@mjhooj(r6f>;1Lw=YH$)6{=qQ}~Z9LkUKGjJqzsRdID87Z? 
z47eb071>{RSVtajnW?5x*6amG3ELTSR-zbX1;xI{lDXuwSR}X5(jLGfn@*m+m}>S{ zOKoNSy7e(x_O#t&bT6FHjiHAdN)&r>i)vytwJ00dubnGVB(%vk`{@j=wB3X-{_G34 z`B|czVaf>VJBkohNuYIW^lZB5PyPvuo;m=;bq5|Zx{P%#>6nTD%7LszwMop6YmfAS ziKjKMr*dC~2lYiJW$w%&$!di3^j22bDBYpU%F0($FUG|mF;&-o1g2SPKB$k=`&(7k z(10TAb#mq;MS_@J3DaHRWuB_MnW8u8JC&W);vJsH(p?ix67Ztf7{h$gz5dCJ82pF=8<>>I7=DZaqfd;o!S!Zq@CqsQ%n>^O7A5Ywc>+@wKIoJ7BtL8kuC4sT;4E);k5Fi9^M;cM>6WZ4| z6+-mfF0oFNDX6_7WT$)hC)xFwX{x74q+FEq$miM@cq(`z<3i+t))-A zDDY!^YI45OHeP8NyyD@i6PEW0yRfB$5<&-xo9~HelcD28lkRHDof1=xgPzsrSH zu%u@dEU8~Ik>SX_u;xMr&MIi{d*`N_QM03Lv5yEc%}WzcMl48?Au|9l6jR|f|R z%d+VTK9>W8jVCnp`8dN|_Zp0R6LMHWl*Vz>;7(_zTZnL2wgtOKBuT#49Ry#0wl>qUS%MwgMnAobn8}9iaV{qc48h`56p$H#x+Cl&6J1qP5Tcc((a}2Xdkl( za5?s#4}4EjxcLlcO{w)H^Eo)*h^ekd*A=^>bnC&I2KOTN>dTjvd8P_HR#H^Fq3p68 zlpoo1KUihg+tXvp^J9*BFQM2%rIMn>>ag>FlG~M2d&cv}o`g)5E|kX@$04^*gE#F= z8$%zIA6jW*)zPCM0#?FSY|}(C7!WVsqpzaZT*M#oC*ulk0YoHK;ks2o1OFBFxoPVr zCPIaZbbEFR(4wsT=H#zLd;w&O&hXM9{ncMm+|$gn!i1L4U&fpZ#IsvhKK3Pyzr0W z&joV((hjLulr$yJJslNg#t7@M*Otbh(A~NC0z5Y$V{UY5?h_dy%^Xt#nyk9UtAu{W z37rR$l@7R77J4lK{&xl$jl3u9-Fy>)i`z3E;j!eiFYeV2GAM@`kd<`K98H#!Io6eQ zqZN%{eJ8VQ^dPC|AZQp~7udP>mtvXv*9zp!$4dD8pP*g#0oz z5A?Ir+mkf(Ug0P-b&iPp^SfhPbNzC|8(HQ)k33zZ(DQ_gYS@1Q<>>`U#}{}kPWa|E z*EL>vkx(V4YU$$4JaAHE$Jd&Jl$DPUqOyVLPP=b^X4}SnpJ;HpXSrU8nN0IcMo-HZ z)vA|aj7j}!kZ$l)$obmk8iisB?GL@zbYD;)vNC^0Q?MJ(nZzI=NDWnjNO6-BdGzaD z_ts01Aqb&6d`b`tp0h*Y*P|v13EKW0L1hjDe)f|VB{FY7u9`VUqVu}+U2M#7*q!%^K4r9Ly2v)ZW zMP>*Ma)U#!y_So;{<$w9gv2WL8QP4)<2PA750xh`=8-G>b&+>cOWl)&WH8BrH1BnV z!^ZXJ1b32*0NC4~&WFc8wfEvf!+L%|bT*(~KW!TyWjhYS2P)+no&K0m`1a|>z-lb1 z(myue1?SRO0r2idh<8@`$tsWVOBXUCynQxQc)NkMfbY0p9D!~tSTWtp@CX3M!-IU2 zsd&?g+XlkX-)b6hj7A1H(2u@;90HHFb75zDDBKAWycc5H&UhKLSeGoARJp+!JVHDbf4@a=WSU)*M7B06UhX?*1YtJ1HNC3tsF`vXns1 z+7qGS$VEt?l+ya{p*$GISCTx%^g|oJN+@~zm8B!hh1k+lXsBvB1x8jbXtjqvw)#Vr9k9F&`~0y@e~D3SK#fw6iS z%saVJA$1{$6r!EGPPwGlh&LwZ=X+5khwj*c+K8$qnY8S+Cq*}NqR?xHXs;AW1S{nv za@tcd>>?zn)8Y>`H&YxnU8}<%CDG!;L3x2JTEgOhO0L*9cSO2$Q)p6D$bvx+se6*3 
z{_-Squ9*wE(+{nq{IDr8RiW4^<$x(co;$vynVHSFPjvWLAeZVuOo^<+{t*e$+L@Z0 z_olE?vza8>UKZ$DQI%>tVwXwN#+F1Ap&ASXH)nqJ{i#DNa(7Wb6yqKauBpqLj)P&} z4cvcyT>`pg%>tK0p#747kY#q1y%REZ>muE-FyaikeC!+qv$ki#JDMOdLW)Z5tF|T$ z*3!%ZHb^v6eOgPRBk1Q_mBc=#Q9^3xyJ&vr?``2%w73fPreCPMVp|rqhrEG5rWb;8 zRG%r*ISF^VYRQ5gf5!_1l@zbia`DkPzKT)$aR?)KS8E8EUc|#QKumYNbX4UDQ+eun(!~?UR$OM$2nrRHY-re?4XgkI3#G?rHs9`;iLEMDYtv7m^eO3 z_8}Qv!&AU%--BiEaLC2x)?F)QKx{=t%oKQYlIJ)YXn9^Oy=oEjZKxT9&0lR;)f|6z z=$0^~ZDqQ_6V7ka7+fSSsQhH<8+kqV0X|i6*Bp0N*gZ1w14Iz7y9yqH9bOT6P}%rA zuf<5A2e+eCTS*x|rnQK75Ov|OA12fOIY(EW>bj`lEf#I|(r^XE&h%}SZ#M*>w7=^3-jT8A)JgyP z976Psnw)xo%%+)wO0WG#ZRqIg(W)!{$`s3Pk-nhhF>zYiV7F^-WHRjay)@z1HX|cS z+>&EAy1rdreD9$(>TX#M>5 zTHzdwD8;PZA(8mm!2-Go#h*PYw&DuEGV-WB5;WGy|D-Gk3u6@=$!3Yhep@aDEIb?} z@?Re6I4Cq{4!LA15)by~4lp4(VoQBZI#rtx%-FXcK!XOO>vKDYtjFM+2?!WqI6rUr_$YZ0qn)nv`!(09Nm<~?{)|zV8?tCR_0Bpy(Xm@si=gJ-5r#3ok6I<95S1~r$R{d2`mQOqy_nrWg`KA(>EOh$o1gQ<^L( zg^2tZ6SMqrSaR`i@G_xL z7D>qyCNO*Z_Jo9S%1Ax~F@vbJ1<3E3h`}3!S5T>wB8i{q2U(|WhzKYQ&=0LZe9aGJ z!~P@}-Nix^?~s%?AaXj+>+ZUA%{k|n>rB(KoY|$E;Tkn@z3_MvQc|d6mpnMI4HA_I zS``iaL4ydm!5@v`qbk1-!mbC!${xHetD#Af@9q}jsmZnm#l~+8z79tYzZAQTGX<&) z&iVNAvg3ZbBNCysvFMT^)VemR?4cSnkPo`5$umA%5iYeEM%@SC`}0!)gea z;1_!t+zD;)NH``u0#p}_-N2U?oaO82ofV^{>sg==N!S!hI5Ibt5a;GVQ zu0BfT(H9LJh{e|iXT0$sF2#0~sfHUd*o*S*oNl{rs4y+2`EK)Q$!eKI3Xb}*uU%^= zFAcqA>jql1L4ie%x*5Bs5@)rOgMmwsTq~r>)4>%K^hM5SEfuX#z0N zkQ|5C8_UEctiT1@A#l{glJyJf)+C4jZbQ=djv=@eh+i+OI~)iarmxcqF~;Uyvq#6$ z?>Pr?u+XPZ-7|3epW3xX5iw4E9z5VeD0#xyHswpfyE+f3paA8j^*P@0Hd2vNK?ESl zg8|%gLDjuV^9m*uaH}!-UCHxSr@ex>AdMO4t)%+Fx%6Om4ME05gg8$%C1D?;XCe&y zt#Q8{L@{8n9lOgIT?k9GZjqv3lvZX{oJW9s?FYw~?1cr?4=7S)8b{aPW~mS*HAG@F zV(0}i+I@(Rf;7^*GrT95{naOZoml3OLQY>iN>_TwVHkp;vmg7kK4AaKYUY(_ zR5z6fg7Y%>w}ZNPRaL{-h|O&<8Mi_Df}k6vg5R&U#3&BaBjSH$F7U?;nhjIrXOkF_ zz70S=*3j>?PIFI9(GVnk~b{16y1w zRN28<9qD@Uke4c)@Zy77scF_%U^T@rZn6r={&R*!L8#x<*W;GR3=D!qNbinA^B|U2 zOiiIBiE&u)1X%O334P4d6YyCy*Ju7E3kj2ENcoKbup;9OvE!_nrZBEEHFySD{E4xd 
zXyED_LJOVKRLDTCmGbS`NRBk2vyZ=y=}wQ0wFN)M*vU8FQUM9kC8X=%Q#iX%9uK_@ z{R1JESOW&8tj+iVI&#oxu^5vQO}iP^x6XAsl!6dc z(ELTo{@0nu?@la5lxo^7ac;sJMI?-A6w3X0e&pvpABbMrg}pfDvf8ac3y`QXF7pSw z>7O)xGQCnU{)D_T(~(`D5Bl@&Hq);RSS~CH|TZ zWzj7)oZ1ro@uyhDE^^JHP4Dk);rpS|0^tLpVkD#I2l-K-V@iMbShRd-^hsAWy=Uz# z;~Uxvgr+)t|7vy7y#UP@p8^Tl`K=>qkRSTJKn}SC{M6KMBgEsnZfR)qo(UL{MQ^nd zQKm%N;EBvtEVG;jLkiE6`@LLpDbv;JI7Mm0X()~oflD+`DOCo5|H$6M!Jb`Yd(wg1 zx46F5e)+`5wxY{X?`do5t|-v6nZblt`MFGMNN%{us^Av>UY*a-1O_6u%pG}aArsM$ zd7{}`9Me8IoEo^Sj$Pqe?BgY;8%}9Kjn~b-#~5=(grk`EA^C7sg+`Xd(Ym0cJuceX z9Qw=yUxLp2qwITzgAi74{}F0w+ZB)ZWCfP;@#;67i%7H3@AOtP-x*)|R6*dhes{=b zWQ}G`CFTC;&DIWn2VsR!_I$g{~4Ueyz*h}Mzau3P<>E*bLUCVy4*cvKtb z=%hl6F2q^Us>4T{zP(~9ij|JVKeFadZv=jv@wp?Oxzaf&lUns93FK5gqqS;>9S@5isQS}qJ^_Jd- zBBrDqS;s}yexC>Vpr6`2eUsTkJ1kr!B!b&=+%xv)$bBt4%~cDCz*h=wF1CE3k8YJ- z%k~k33*Onq8+}OOfNuLb$YNVwoZal|Ory9jBwRm$T$*Xmo=@uC-P{4%@JWH%^5OFQ z{osLe(Pd(14U0DPbU}r6Elcjx1*q5UI{Em$!%D|IfKCn430)HxKHC~__YQ~ty8%ff zG^}Rl_7{%TEC{e^4ffF^1FN<M6&l_42f&)Fw({$ zM19|_4xuE-zT$H)2d&dce03ICo-0LUWV1LBAfi-AJd@s+$5E14B`E1&-v&TkJ62-x>dm#my#0g z`o>(rj{Oqc;`~bZl3@Fw*G^1+1Y{XK5njJ_TBh;BOnmEf=Eq&iZs6?ccRn_aa(1Wd zu^>E%;j(D@XA^tpalP%TZwqQZpR=W!Ue%#jvi-uWli$iI%6h8>zDz>ZP!f-M?Ro`H zRlInoC!1QV8uENoX&6(Dq_q3pi!&&l@{sA47L(@RN!nu=j>U%=@AF|3m@bNZMmmKI zw_)+;+B+!8_Y~#!z-@j~9e+x_#>)MTzu#{F2_Sf>v~nA`r0sOW!)htn(=~Pla1sA|Nm?xI~Vu= zO;N&FAt%aMPzUr z7i2DBU|G#<8b{>4V5qp+*f{_|Fe5Unti6edp^GVl2oF0O8;FgA?f+FJ8Y!^|aC84p zCiH(E3Ofqq{}kBS0c^m(FaS50;~xyn#SKjSt^|f~bAvhm>c9?Q=VJQ@;{t&G!GN6H z|6rVefBLeqvHv}RKXQQogJJ#m>;Ygf5SW;z3=(8#0|5Tf#`edPzv(mc zOcjtNI~zOa-?i)jZUD#MqX4)-{|I4Y2ebd(j*SEGw^@IN192zTsn9~$xc)JSjRW+r zaL#{?WaIqDNB}nnC*UuB02>?lZwCMz9BlvLh5Yw2U<3XyQ2+w}6$Jbz`T%Yq+usKL zAz}ZA7{~$m@A3Zd|A{jj7w5l+ik*AP2`klL2#q{*D4W8wm2h zgbU36Z$mKf--Y!jhJRW8XAk@@ONWE=zZL&SFo2W$|6&;bwF?1Yc3|R`8ZY0m`TA$n vG;@#B&jqo+{5I_w8U8_Zk@@(Lom~u_Ts)ji&5+suY+){BT3S(gG35UPnxP0? 
delta 10930 zcmZvBWmp_R(=G17gUjL$%Obl-0wlP*dw|6)xGnDP8iG3nC%9{Hf(CcDBsko>-?i^1 zw}17Vu9`Yk)z4HtWC~~`}a9SfMri^os z6+5+6kWBY54}1Cj`a4}Mu%J44sN*N$z&Z*#UZYL>G=I zDRVAQ6SoQQ*u(Vk3mz9UR-ymQuw5c;W_fngHNh(RH44U##D5mba%nxOYJ{SlKr!v9ZSnFODv-JOrkxj!L}hq;P

#I->a|61sNYvh=^GGz6b(DZY^&`T#?g_ZWgTo{nQD4S3vY>NxiSEmTss+B?64jBv5^sEP3V4TE zZja&;_O_4~knlqHr&AirHImTV5s|xrKasawhUU&p8gRrHz7osP*+37rnDc5X7b7sf zialk|t1yq-dR0wJZCd-kJr|YlL`lOTf|9lSAaQ3am{7#S!{Ne|O_%a>LSp==YFKtj z^rkuqn&|g0nux@1CTfkOh0vsK=1v=&s=abDe&BQ=M~=N(w5B>?PmhYX`{GRwO)zFc z-_NrOmiAk@@%v!ZGPw4^_BqJ+CfoOhuk#CgSkWF|r=#vfyqCj@AsY7+R_&etIGZii zha~n#Y;UE-y;nl8J`SNJu9LQ##Yg{fu0`PiQqH|R{%MNeOO0n=WXwKNpoR=q9DVp& zHRq#O9Vu6&(suip|3d@JN|sXB&!Y#N@mrFD*|R`LIEh z(nU&;fWuLtAm$q$Jz^<5KHZhWg)1^VPq1x5LP1Jr`~0*iSH>oMmew4_!-7a`i|vo9p8%rZ)z-6%&}Cm35iXzm3+soz&D zcas2snN&U)p+)U7COjba4p*;VULK8nmR6uBH_?Kgu?@>cxJt{kmt!E_J`%tnNTu`8 z;}yLrEY1rR5#_#7DX~CWvrtJWg=~$`?fV_bco^IYJ4iE-e!5k_a7#K5Gx(C7gGL(n z5$N1($d|xum9Zb==z_VE>XesVbF;?VGUbtR+mdVXfRI?}zlNv0-uE$qZd9>EwNXkA z)Joym+7zg}&#F!_Yx-^uRzsqxAWPbR{8)t^4yS+vp3 z%sUlE)46zS?%Zv@LDfdO?=vy-LI8bo%MIps!J@XP?Q2NV%B_^mDH*t)39_~1WYsz6 zQl{K&hY;EOTtDP z3M*mX>@5|~f>QTah6lc^zFsy9h>aTl8DwoUJf%L#IA~|iDV#=9qm`c+e?s=YDDv)r z%nmMouGdm9Hf~wmWjoVN_$j=Le&6c=qd7)0A!g(qd!l{ev5pDHA$EJHk|Ty-E=GBv zWpcK0|K|@GL_C-vmMcGDqvMo#apr_tPgors_e6ripkgO&%PZ_I!AX>AKsREQKZ9;j zSLRMDnX$|+A{Yv{^a+C^#1mKnf1G$`Rzs+4qpZGb}|RKnoi zl98yACorWXnhPM1hXQ{>o89#u@1q4M5AixnlPWX5rvN)4Z~Nh zj$AXKl1xZ0VREO)tRhb3{bB;G`zYV5VfADQs4WefG1den1OrvF;S%kB+{9S&J)6W2 zHB=1HU%0wQrCZX>&Q+Yj>o!8_i?Ul4+{Us6ubPR+%EHQXGW)TTfP;lXdKX?T`BVlC zuFbSSIsXEz3F8k%fo7^fjUNR_Vd!kZ`|B>ROHlHsl+PFwznW(KD8jBCxC$%|rpB~E zU6K5JaH!M^u(F#JL__M3Lc6c-&-qg=p34pRFBun2wyzOYT@1~HC1@55eVY38p`+r< z58tUG@N$0TYuNkqoQnyECbYSC{7}0VvgKF1Fhn1wNiHTJK>tN@R<~^K2TNI9K<^qy zJdpP8F`UK6p#>fKie0(4=_8DZWw7mKn~jn=t1ychM$Pw z@R=CBwq}X&SMRyv!>OJ1VG6am#>Sd__aNv16Xwj(D}SPK1s$*K2Nq6Zt5BY$mag%b zaKdivZds=k+fOe@P_xB;)mE-vLFXtR>+m*DNp^S~igdF+0z}o=jZxQ!>&=P;8Sc_? 
zA%1mYAOB!A6(@xX&i?YiM3*1iIb$fF0wC0sH;0`JfrjULN&})G*yT%*L&CQ3X!9^+ zqPaNhQjXqD){?~JfU!h}_rgFsB6h{FC7jxVthTtkeY((~Fa77*bsuuZt%Q7L_v~9b z4lkBlpX2kdTk{(#gU3E5rOCyw(YwP7SzGGUXfpCetd+EFirp0palPgbCC#aiY_G@MRa+0!y$$6Y zYIqODzb#bh)`62NA&fpp>)%cIeSu@JXc0v{ZKQVYh^m4h2Pym(v!)DUMg_an}!?oMD@wNpDc^O_<+ zq02bt>Nz>??q9E!ZXa++IY&R3+narKaW*%x!}v3EFtx_u0Rn)4|4cx9U~rN#(>s{1 zoCC#IJe0&N&O6MHCx&Juoz$HIBlhtU_<#vx;$eI2ItxwJ{Dg+O#-^LFotxre3-{Mc zC!`~F_^5#$Tz*XO<9nrFC|2_-*aJgWiL7xyNk zCpW~3U~TmA&G9iZ+zblj5Ir0wg+!M{d}q>j|VRw_$oQVMAc9BEM2e zwO?aWO$h$$lEzv%!rwLWi48r>ADg(Cn$Q_K^#EG2+kCXb-ZGU*e)Z7Y7ki#o*+ljF7UGIar|JqemA9Phj+?@#GWw+JI4wT#~RmIaEbo%xbI@JJXT?N5(R7%CY){KD%U z)2F8YWoU^K+h`6}Z^e=47}_VKe*q75aJnTTj;CvaWGNwf4qO1Sxtu&g`Y5q$5_(xC z&a!Nb=2m7dP{Q1Kq_2Cw8lhQH zsGiePDR~0rD9gw<9(=df_~Yg|-g}}#A(Pt}LhK=7mCRWVkD3 zT5Q9L;ZTnTKSsJcIUf_qL}S9KJM-7KrXWVl_;wgB;4Ew5eNa{x%Lja?3v{VOX;Ajt zG_QtKRv^`ncUuqFEjEcQl>_OOOIj>4gcVO1 zg zx32Y3_lPc)^p5N^7sp-W!D7iOl4s!)JdKF?@q_8}*NBN2Qs5IMQeD@11yq4z$KhN| zlvWEHjK@V((yO&+hYIQv+m(E3#+sZ1mYH3R(HWBMM2= z5%CZ+yFFKRwUOomirGHr3e_LTM;yqg*kp|joA*#)%lU@R3=_75z}1X2t!H~g*rG2^ zywO;+SbJNO^nq&XVlU*9J;jGGZl;-SimZ6&g4cX}3!cT;IHkxugU*}*E;-SeZRicG zHy5RX&?2I%jp<^)`$KTz)w@$WOU`baEvNC2A4$q%9LP2_dUxU+A^O1AwUr8(#kc9V z;fx5=eVdN2)=D*$8E7uwJD76+h^W0hRCjwYzg90|-JZ(OJ4huvN%bSgfio%C)u|J- z?kQy$T>nWwuzAVstMwj%x&Jh-fx?k-RgaE@n$E#4-*R#=^ZeMPhGH^C>Yb@@WLeu-0LU z8fUo~#`S)gNjd>E7fd?d@(H%aKpu@%W6D_PD2N&p=#ygha7lCzi;-qgdGoIa1S6|m z+f|=w=jeQUDv7cAhmS}qWq>>5&T2_rKD?|;@+}(Unz^b#;&c}h1KKyw1z!SE zc*P+7pKmlw*=@etFzd{sH)I`wJ1*ogb`NXViO4GttMq8`1LM}Xg zMx!5Q2nJqbL!TR%P5lZYRup5(2R-iD))>Z}Ke8WRKR+YN-lCA1Cmr*UB7u0h`I69h z-@{g%3BkAumn~d(A)eV~qodZVDPSyh;Oj`aCV&PF4(B?+I4I^-XpNE$r>c#n_w_Q3 zL=Sd-rv2g1!+ERmPg>bx1AV#A*BdT%*Qz5&JJ-QlU7PDkBX>y4cp5KGj=HB4j>%K6 z;jVR~tlfkUslqUjpfl>Jhy>-CIf~EaFqnODcecjh(;M$VoP5fA0I;H?Hw+pExpm^% z{pMWVPzsGPGt|vHD%s@pk2gME4{OWelZufU5cYUOB4j_+f;Tfqy-jfxWx<*ZHU2eB z8jCw&P2SGJSfoLfvuWHT8gXx!JsxJkO1kjl_`VcR-a1d?iBt+?9vozEC?Kq64ok0{ 
z(6Yq7+|19~kem{h8eSXYwsUQm?x%XF@&1SDf3qv3I)N2??!_%cF)y;t8`lsBq>;Z(qljGIhn#Bbm)@1 zni=PY4o8GH)d_cS!H7JL|FyXZRKIMvhqkU4IHgx~eVshffL*l0a74;j2}?W9e-t(a zUjba;x>rdBXSg|YRv9_YnLO|>QCxr$atG2DJNMsT-uBSfvVRU5SUzssj-5+qTQT3Q z2%fMn*OlWToEF2hH*hh;b8!o^CJ}BpC>7d?wICCA`Qb!i?>}MBOh12#`=Kyjjbvd7 ze+l@-MZwaIys|=ay@qOo!^IdfEtJhBBQ!?4X+X1BfFMb{ez+_200Gre$ zAWr+d#9MspnNQX9w23mvJEfEH2wLevWVicvj-IKBg$!1l@07HG3Ck7hP`QXW){E{~ z{=7COCPE&)?MjCGo(%CaPYVa`MFbzt4R79FjXXD@)vo}*JA?6^109j_db2d*&$=e6 zv;ofTN=L3x+gyCQ1~Bu+N(#xjat}2aAy>k5eJsU#s7!Ha6xno3N|mJnW!| zUVFV5Bac&dnwIk14`z#FiXdeDtEHK>bU7=|jr1pbJ{jGS!PbDe^*c_?Q(d3mz9o2- z!w9K=etnU+ujyO~C0=xjQ}yU((w*b#WSFGSig}{k=-ImiivV@&2 zK2qM@m9^}|NoX2zz8R|hW)H`ADTfl@ruC5kGn?_Vf{H)L{!cMP88$jQP!w#gOzpZJ zBikJ*C!nHM)N3-itQdssebnYseI6%c59$3J`l8(ry_3mY5%oK|+X4yRlBWE0Y#kWk z6pQ}!I!dHWT%rJ#TSyvi?RAhVQ6Pt7T##}z21CNFZtZu=iQCi|Ob!H{aV~RJ!J3mk ztR@$Ie}(KdV>Xzee#fyH!SLv}qgfMyxudMy*^mzn(XHog?2YIN65}=3$GsO#>GZXd z`e1DyO00K<5{yQV>Zs^b?jV+;S#A~qGfu5a@zWVMIZ%NJs>@o+Y~FCjWX@<3M&waI zsu_kPE{gUmUbk0JWc_;ynkOslgaoFiSX2wK&gLSNn*gM-un((_t+38+ zEE{}4@|<0a=+tv4#PZPUYRikD{jMBJBJPg6zCvw-Adew9+?bjCNijdCahZt)%xYH3^--5GtL-6_yQ@mLud$ zkJ}At;2cjdkg4puZ_rT@fq6_A1HNcAE{VJ7$CKdRO5!VhI27&1^P6S4XuT~@Rw$iw zuwIl*tX}ZQdS8{r-NjV+E?QQC7x!4(;fkFORVB=_17$2M0rQ4Sbhmt?%Txe(Mdj5H z7n~uj9kq)XIr4p6C-y~$2AEpg-X0Q9Nw@&`0`U4G2RYTRV2&z}sC=}eLFs3!HS(Dh z_7hobzECrnelx>h|Aj&1djBmd9T`$D#dwKJ(Oyq(@&j6mQ7`hW$vNF` zERE?jmr`(sTZ01M@Vl^oQ;jonG47}Eo^r_m%d1t>r?ivV;Om}*Avq^!3U0qYX{Hft zNhRehyq0&P3WK@jigd?ygnd^^lJfo@6(R!D9U)zNv5+Wptg8wlA2hfrc-@aN-T#0+ zm{NnY5ZFr;rg*pobm4EOC@=P3kq^_hij%fI!pX!6{~F2r%p$ot%q6bP+z>K<-8Vi( zf14Oi(dymB4twa6cfL^zSdYM*_DYY#MvPG9s(8>iwY@vY|J?tTy%G3sZht^F5vs~? zAE4x5+e4nm%QeGLf1*r*^;@u;@BR$Ip{{P_>Um(t2pY1{oYW;mfxye3v?}!H_C(J? 
zzxhuKt~BjA1R0|N8pS#AFu)O6thmMK2oKf_Bvhbw(UFmKt#5EXh2@f7T{sT+rD#S3 z@rRhC@6m+yWjNSp`?hV!vqPRqU*2^7Sb5P68(3PUGHUnlf_gjLi0jvqya;saKkmY5 zqSxZa%9#Az+Hm2r3uEETSil^DAtzmII-lnT=~g4{hc0dMMW<`5wQd$;EsUj@y+dOQ z+veR7!*WPvn`lSl#|mqi7y1y2d0S2Ku?HuY5P{g7CC@bsGuch`<#?ka!RQr%CT&+F zPg$T5Mf(q-TZ1jUSmk*vtg`=H#{_9tzw?)K20yxvkm6{PREGw6M1G%#VZ-`jXyF{V zN=95h8KL!TycbrKwO~)XYuT3@kLG2)swM#ole83@jXLt^b82NGmsOFxHNYTEzqY?6 z8b($%_{BH@iccbz zQLs7{Oo|*ryz!#fr4D9=VUUUMikSgq{@jW%bHfGSFn;bAeKmSO58}$e3IIuPy0!(A z>y_E2Mu74JS*b+~ClMXdZe~Xn?&LkHi%hdQ!1`lNI43u?P;oV57nB39valMam6qJRHqzf>zWlF} zXi%)fH<;z!GyuuCy}his69*Nva`?=W(wn%C*s9<96e!4O5_Jc4KuGW;lPcDI<=+xF zJ<}G=CGzS|%e|Ljc4@sPX(V5#3`na>Oor^tYpNUI-4EGRzRwrXTfUPtstQJRXixgZ zb`eG9v(F@l%t@@z*Le6#T2?kP`MSEG#Q~3mB^!Wz8+Xx9k%;Wf5K&8E-^h?1T@2uR z#6dvG48(&YH!Z>o*l&!R`b5eRHaoIb(qkC0;YRTMn8z0@m41!GH%tU+7 zjUrT3rXBGGy)2!8d5=ai|LZ|F5+D@UhOj`CTbQ1d$>TST1|9d2+I^L@!u_*n?;?F= zk|b#(f|d>?tW@mut4Ax!!^sWpmIvO4@3Y^nQ_wzk489hBTdL*Ax^_~!Q0V`H_k`6o zL>ItH!YoE6gLD-2+1&}QW^c*^ALCsRAkaseU>Kw_>ZTz715u$!{1~Tzm_E3AXa~tz z?*mA2jpGf$T9{yzCvNsZco1-;gXCL#E`}oQr3|*jN0@j6cvbzjF@qXa6DZCb^B(*O;rz~5TU^>5po6E!E z9{n~JU&ekiuP}2|haG~^3Ac4|p;3FVKu{P5P2~Zf4rbxap51i}u?fOogpDiJ8np*H zny+d|=sC0BMkr4dkf%^xL3it<=)$^V;UcV?-@=e4;X1-zuc z8&Rnx@RQT#bccWTVT&QAcOZlTHtQ9NZ?nwKJ??9w%%ebKW0manu*HF&G_RDf!?U$c zDt5h#gnfD}Rn50wv@zoIgHG}}UpbfieDCHD%#l2A0XFb6-vJvT3+|mCHX3oWRy3=LU+>(`2i8K)%9`lV4M zmjvW~Tk1yMDT7<=*#Jp}4F#WeTU||Fox_5U%44~+HYA+$80?>J-}M-aKZ-H8=2-gvrhW5fDjHn<{vB73=H1s^aq(fw zRy%~C;@`$`qN!9pAB~5ti5aK2mgU+*B?H#POLlW4oZeTbZ=r_IdYYJOPhmOMa8M>9 zhZ7G+BjWmoAO#bCmuYq?QyW3Yv}kXDF}f=`_NbTv`VmljE4TRtSmfK_m2%UX1|RCI z3`(hnOg1R0n3I+dnUCKK$VQ*FJqhAb*El2}G^;jnRwZ*WK??kOBt|cki}r+rukLsz z2&=Yd{XVbp-bg0m7-LO+S zn)lPtBweFbwxNJcX!*VyeD$^hK0bHb>ZL0I6Pk12Xd^s65RrJ^c2*I4ma)C;`wP)g zY@rzaGhWW^$*b@XuVh1FA7&2$Sm@jB{4D0gI+fS{a%i|RBx^C18nAqJn>?L znr*AuQicqKaSmshdKYqK%z$&8!e%i+sJmWZgD<_`;HBb`eLUEx9tF*F41%07*_=&ixj!?mo&iQcY4#I~mB8fMhSS^IV$Aub zfm2zwbiUsOQm@bSDK+9>mF`ioWPDOcigQtz#Su<+wY5d+)aQSrh9RHrYZyw*^Cbk> 
z$mw)zMd~Nyrb=TZ#8Ut91QrG~p$>zZ_tZ~g0b=fp;jT4E{j@?K%vXrbf4h=)GWS6< z>P2Hdgg!M5J(!qDmHHv33bNG2v{xlgoNI7j&YlH6SlcnWsd{LeA6i=9x}O4dFMPen zArBUANE4rSv0F&E2%&1!V%te6L;{=yy5eTd=5DLId(~sTt{GKNuzS{AvJVwItd!4D z-KUD${f(+m+7xplhJa1RO|}%|q(kj$ZsS)l&iZ^T1)=D$Ls`m^?c$TC7e&;Xwm=d4 zu*-1LmX%GbG?E0w>4mVXwj`b6sVheV=ASw9e@g2QKHg?#)HpB2h!Za9?;=|1wI_S0{c z34Av#bInQ4fO;v8)t2rQo$s0E*>6r~cFpHqpd)yNDyAiyh*nqWFd2u%MH&uQo!KBz z{B6c*9F3WlzV&I`iDUHYd7l%SW3C8vYdLpqQ}k->&13MLinNT?=fdEtz+s0j8?0+t zlv>64GwpCyW!ex@=50rmQHb!-jBCguR`The2Y%k`GrT%1cLav#PW534RzcCO$_`l>}|Bqpw zf1KnN;N|((A>Mzo&kf-b_{R|tzra7be^mc_aR1l`{^7^R`)?%qApho#|Nl|`FI@;9 z|38L#!94#&0nEq$PZR|B|CIEV<9Cfm~Eq<~HVVxm+o7Uq8t1B^c(f{!jH&MqF#<`x(rZf+nD MgMmRpNfP6K06{sy$^ZZW diff --git a/docs/signatures.tex b/docs/signatures.tex index 61ee33518..f6e675360 100644 --- a/docs/signatures.tex +++ b/docs/signatures.tex @@ -150,7 +150,16 @@ MalwareName:TargetType:Offset:HexSignature[:MinEngineFunctionalityLevel:[Max]] \item \verb#SL+n# = start of last section plus \verb+n+ bytes \item \verb#SL-n# = start of last section minus \verb+n+ bytes \end{itemize} - All signatures in the extended format must be placed in \verb+*.ndb+ files. + All the above offsets except \verb+*+ can be turned into + \textbf{floating offsets} and represented as \verb+Offset,MaxShift+ where + \verb+MaxShift+ is an unsigned integer. A floating offset will match every + offset between \verb+Offset+ and \verb#Offset+MaxShift#, eg. \verb+10,5+ + will match all offsets from 10 to 15 and \verb#EP+n,y# will match all + offsets from \verb#EP+n# to \verb#EP+n+y#. Versions of ClamAV older than + 0.91 will silently ignore the \verb+MaxShift+ extension and only use + \verb+Offset+.\\ + + All signatures in the extended format must be placed inside \verb+*.ndb+ files. \subsection{Signatures based on archive metadata} In order to detect some malware which spreads inside of Zip or RAR archives diff --git a/libclamav/matcher-ncore.c b/libclamav/matcher-ncore.c index 9b7908b4c..ab0f7f8fb 100644 
--- a/libclamav/matcher-ncore.c
+++ b/libclamav/matcher-ncore.c
@@ -371,7 +371,7 @@ int cli_ncore_scandesc(int desc, cli_ctx *ctx, unsigned short ftype, int *cont,
 for(i = 0; i < count; i++) {
 const char *matchname = NULL, *offsetstring = NULL, *optionalsigdata = NULL;
 unsigned long long startoffset = 0;
- unsigned int targettype = 0;
+ unsigned int targettype = 0, maxshift = 0;
 char *pt;
 /* Get the description of the match */
@@ -423,7 +423,7 @@ int cli_ncore_scandesc(int desc, cli_ctx *ctx, unsigned short ftype, int *cont,
 return CL_ENCIO;
 }
 if(offsetstring && strcmp(offsetstring, "*")) {
- off_t off = cli_caloff(offsetstring, &info, desc, ftype, &hret);
+ off_t off = cli_caloff(offsetstring, &info, desc, ftype, &hret, &maxshift);
 if(hret == -1) {
 cli_dbgmsg("cli_ncore_scandesc: HW Result[%u]: %s: Bad offset in signature\n", i, matchname);
@@ -432,8 +432,13 @@ int cli_ncore_scandesc(int desc, cli_ctx *ctx, unsigned short ftype, int *cont,
 free(info.exeinfo.section);
 return CL_EMALFDB;
 }
- if(startoffset != (unsigned long long) off) {
- cli_dbgmsg("cli_ncore_scandesc: HW Result[%u]: %s: Virus offset: " "%Lu, expected: %Lu\n", i, matchname, startoffset, off);
+ if(maxshift) {
+ if((startoffset < (unsigned long long) off) || (startoffset > (unsigned long long) off + maxshift)) {
+ cli_dbgmsg("cli_ncore_scandesc: HW Result[%u]: %s: Virus offset: %Lu, expected: [%Lu..%Lu]\n", i, matchname, startoffset, off, off + maxshift);
+ continue;
+ }
+ } else if(startoffset != (unsigned long long) off) {
+ cli_dbgmsg("cli_ncore_scandesc: HW Result[%u]: %s: Virus offset: %Lu, expected: %Lu\n", i, matchname, startoffset, off);
 continue;
 }
 }
diff --git a/libclamav/matcher.c b/libclamav/matcher.c
index ee14320aa..dd553869a 100644
--- a/libclamav/matcher.c
+++ b/libclamav/matcher.c
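Review bot: The added range message in cli_ncore_scandesc (matcher-ncore.c, hunk at -432,8 +432,13) passes `off` and `off + maxshift` to `%Lu` without the `(unsigned long long)` cast that the comparison one line above applies, so on a build where `off_t` is narrower than `long long` the variadic arguments do not match the format. Cast both, e.g. `..., startoffset, (unsigned long long) off, (unsigned long long) off + maxshift);`; the single-offset message in the `else if` branch passes `off` uncast in the same way. The enclosing function starts and ends outside the hunk.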
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2002 - 2006 Tomasz Kojm
+ * Copyright (C) 2002 - 2007 Tomasz Kojm
 *
 * This program is free software; you can redistribute it and/or modify
 * it under the terms of the GNU General Public License as published by
@@ -121,10 +121,11 @@ struct cli_md5_node *cli_vermd5(const unsigned char *md5, const struct cl_engine
 return NULL;
 }
-off_t cli_caloff(const char *offstr, struct cli_target_info *info, int fd, cli_file_t ftype, int *ret)
+off_t cli_caloff(const char *offstr, struct cli_target_info *info, int fd, cli_file_t ftype, int *ret, unsigned int *maxshift)
 {
 int (*einfo)(int, struct cli_exe_info *) = NULL;
 unsigned int n, val;
+ const char *pt;
 off_t pos, offset;
@@ -162,6 +163,9 @@ off_t cli_caloff(const char *offstr, struct cli_target_info *info, int fd, cli_f
 }
 }
+ if((pt = strchr(offstr, ',')))
+ *maxshift = atoi(++pt);
+
 if(isdigit(offstr[0])) {
 return atoi(offstr);
@@ -256,17 +260,23 @@ int cli_validatesig(cli_file_t ftype, const char *offstr, off_t fileoff, struct
 {
 off_t offset;
 int ret;
+ unsigned int maxshift = 0;
 if(offstr && desc != -1) {
- offset = cli_caloff(offstr, info, desc, ftype, &ret);
+ offset = cli_caloff(offstr, info, desc, ftype, &ret, &maxshift);
 if(ret == -1) {
 cli_dbgmsg("cli_validatesig: Can't calculate offset for signature %s\n", virname);
 return 0;
 }
- if(fileoff != offset) {
+ if(maxshift) {
+ if((fileoff < offset) || (fileoff > offset + maxshift)) {
+ cli_dbgmsg("Signature offset: %lu, expected: [%lu..%lu] (%s)\n", fileoff, offset, offset + maxshift, virname);
+ return 0;
+ }
+ } else if(fileoff != offset) {
 cli_dbgmsg("Signature offset: %lu, expected: %lu (%s)\n", fileoff, offset, virname);
 return 0;
 }
diff --git a/libclamav/matcher.h b/libclamav/matcher.h
index 86b678812..f526e44aa 100644
--- a/libclamav/matcher.h
+++ b/libclamav/matcher.h
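Review bot: `*maxshift = atoi(++pt);` in cli_caloff (matcher.c, hunk at -162,6 +163,9) stores whatever follows the comma without validation, although docs/signatures.tex in this commit defines MaxShift as an unsigned integer. A value such as `10,-1` converts to a very large unsigned shift, so a signature meant to be positional is accepted by both callers at almost any later offset, and a non-numeric or overlong value goes through `atoi` with no error reported. Parsing with `strtoul` and rejecting empty, non-digit, trailing and out-of-range input would let the callers' existing `-1` checks drop the malformed signature. The error convention below is assumed from those callers, since the rest of cli_caloff is outside the hunk; the change also needs `<errno.h>` and `<limits.h>`.

```c
    if((pt = strchr(offstr, ','))) {
        char *end;
        unsigned long shift;

        pt++;
        /* strtoul() would accept a sign or leading blanks; MaxShift is documented as unsigned */
        if(!isdigit((unsigned char) *pt)) {
            *ret = -1; /* assumed error convention: callers test for -1 */
            return 0;
        }
        errno = 0;
        shift = strtoul(pt, &end, 10);
        /* assumes offstr holds only the offset field, so nothing may follow MaxShift */
        if(*end != '\0' || errno == ERANGE || shift > UINT_MAX) {
            *ret = -1;
            return 0;
        }
        *maxshift = (unsigned int) shift;
    }

    /* … unchanged: offset parsing that follows … */
```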
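Review bot: In cli_validatesig (matcher.c, hunk at -256,17 +260,23) the upper bound `fileoff > offset + maxshift` mixes signed `off_t` with `unsigned int`, so where `off_t` is no wider than `unsigned int` the sum is computed and compared as unsigned and can wrap for a large MaxShift; the matcher-ncore.c counterpart widens to `unsigned long long` first. Since the first test already establishes `fileoff >= offset`, comparing the distance avoids the addition: `if((fileoff < offset) || ((unsigned long long) (fileoff - offset) > maxshift)) {`. The added `cli_dbgmsg` also prints `off_t` values with `%lu`, as the existing message does; casting the arguments to `unsigned long` would keep format and arguments in agreement. The signature of cli_validatesig is outside the hunk.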
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2002 - 2005 Tomasz Kojm
+ * Copyright (C) 2002 - 2007 Tomasz Kojm
 *
 * This program is free software; you can redistribute it and/or modify
 * it under the terms of the GNU General Public License as published by
@@ -45,6 +45,6 @@ int cli_validatesig(cli_file_t ftype, const char *offstr, off_t fileoff, struct
 struct cli_md5_node *cli_vermd5(const unsigned char *md5, const struct cl_engine *engine);
-off_t cli_caloff(const char *offstr, struct cli_target_info *info, int fd, cli_file_t ftype, int *ret);
+off_t cli_caloff(const char *offstr, struct cli_target_info *info, int fd, cli_file_t ftype, int *ret, unsigned int *maxshift);
 #endif
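Review bot: The widened `cli_caloff` prototype (matcher.h, hunk at -45,6 +45,6) has no comment describing the new out-parameter, and its contract is not obvious from the signature. The matcher.c change writes `*maxshift` only when `offstr` contains a comma, so a caller that does not initialise the variable to 0 would read an indeterminate value for plain offsets. Both callers in this commit do initialise it; a comment above the prototype would keep later callers correct, for example `/* *maxshift is set only for "Offset,MaxShift" strings; initialise it to 0 before the call */`.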