From b30d9c54b242aee062ae52d93e6714714d591f8e Mon Sep 17 00:00:00 2001
From: ragusaa <54862477+ragusaa@users.noreply.github.com>
Date: Sat, 26 Mar 2022 13:10:26 -0400
Subject: [PATCH] Phishing database load: Fix benign heap buffer overflow

A heap buffer overflow could occur during resource cleanup if a malloc fails when adding a regex pattern to the phishing suffix tree. The solution is to increment suffix_cnt after cli_realloc succeeds. The issue was identified using fault injection and is not a vulnerability.
Resolves: https://github.com/Cisco-Talos/clamav/issues/429
---
 libclamav/regex_list.c | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/libclamav/regex_list.c b/libclamav/regex_list.c
index eaad4ba99..679dd3d97 100644
--- a/libclamav/regex_list.c
+++ b/libclamav/regex_list.c
@@ -684,17 +684,19 @@ static cl_error_t add_pattern_suffix(void *cbdata, const char *suffix, size_t su
 list_add_tail(&matcher->suffix_regexes[(size_t)el->data], regex);
 } else {
 /* new suffix */
- size_t n = matcher->suffix_cnt++;
+ size_t n = matcher->suffix_cnt;
 el = cli_hashtab_insert(&matcher->suffix_hash, suffix, suffix_len, (cli_element_data)n);
 tmp_matcher = matcher->suffix_regexes; /* save the current value before cli_realloc() */
 tmp_matcher = cli_realloc(matcher->suffix_regexes, (n + 1) * sizeof(*matcher->suffix_regexes));
 if (!tmp_matcher) {
+ FREE(regex->pattern);
 free(regex);
 return CL_EMEM;
 }
 matcher->suffix_regexes = tmp_matcher; /* success, point at new memory location */
 matcher->suffix_regexes[n].tail = regex;
 matcher->suffix_regexes[n].head = regex;
+ matcher->suffix_cnt++;
 if (suffix[0] == '/' && suffix[1] == '\0')
 matcher->root_regex_idx = n;
 add_newsuffix(matcher, regex, suffix, suffix_len);
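Review bot: On the `cli_realloc` failure path the suffix has already been entered into `matcher->suffix_hash` with index `n`, while `suffix_regexes` was not grown and `suffix_cnt` is no longer incremented, so the hash entry refers to a slot that does not exist. If the matcher were used again after `CL_EMEM` (not visible from this hunk), a later lookup of the same suffix would take the existing-suffix branch at the top of the hunk and index `suffix_regexes[(size_t)el->data]` one element past the array. Moving `el = cli_hashtab_insert(&matcher->suffix_hash, suffix, suffix_len, (cli_element_data)n);` to just after `matcher->suffix_regexes = tmp_matcher;` would keep the hash table and the array consistent on failure. The result `el` is also never checked in the new-suffix branch, and the assignment `tmp_matcher = matcher->suffix_regexes;` is immediately overwritten and could be dropped. The body of `add_pattern_suffix` starts and ends outside this hunk.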