libclamav/special.c: respect recursion limits in cli_check_jpeg_exploit() (bb#1266)

git-svn: trunk@4483

ChangeLog

@@ -1,3 +1,8 @@
+Wed Nov 26 14:04:33 CET 2008 (tk)
+---------------------------------
+ * libclamav/special.c: respect recursion limits in cli_check_jpeg_exploit()
+			(bb#1266)
+
 Tue Nov 25 21:51:30 CET 2008 (tk)
 ---------------------------------
  * freshclam/manager.c: in non-dns mode use date from cvd header instead of

libclamav/scanners.c

@@ -1323,13 +1323,13 @@ static int cli_scanriff(int desc, const char **virname)
     return ret;
 }
 
-static int cli_scanjpeg(int desc, const char **virname)
+static int cli_scanjpeg(int desc, cli_ctx *ctx)
 {
 	int ret = CL_CLEAN;
 
-    if(cli_check_jpeg_exploit(desc) == 1) {
+    if(cli_check_jpeg_exploit(desc, ctx) == 1) {
 	ret = CL_VIRUS;
-	*virname = "Exploit.W32.MS04-028";
+	*ctx->virname = "Exploit.W32.MS04-028";
     }
 
     return ret;
@@ -2000,7 +2000,7 @@ int cli_magic_scandesc(int desc, cli_ctx *ctx)
 
 	case CL_TYPE_GRAPHICS:
 	    if(SCAN_ALGO && (DCONF_OTHER & OTHER_CONF_JPEG))
-		ret = cli_scanjpeg(desc, ctx->virname);
+		ret = cli_scanjpeg(desc, ctx);
 	    break;
 
         case CL_TYPE_PDF: /* FIXMELIMITS: pdf should be an archive! */

libclamav/special.c

@@ -85,7 +85,7 @@ int cli_check_mydoom_log(int desc, const char **virname)
     return retval;
 }
 
-static int jpeg_check_photoshop_8bim(int fd)
+static int jpeg_check_photoshop_8bim(int fd, cli_ctx *ctx)
 {
 	unsigned char bim[5];
 	uint16_t id, ntmp;
@@ -140,7 +140,7 @@ static int jpeg_check_photoshop_8bim(int fd)
 	/* Jump past header */
 	lseek(fd, 28, SEEK_CUR);
 
-	retval = cli_check_jpeg_exploit(fd);
+	retval = cli_check_jpeg_exploit(fd, ctx);
 	if (retval == 1) {
 		cli_dbgmsg("Exploit found in thumbnail\n");
 	}
@@ -149,7 +149,7 @@ static int jpeg_check_photoshop_8bim(int fd)
 	return retval;
 }
 
-static int jpeg_check_photoshop(int fd)
+static int jpeg_check_photoshop(int fd, cli_ctx *ctx)
 {
 	int retval;
 	unsigned char buffer[14];
@@ -166,7 +166,7 @@ static int jpeg_check_photoshop(int fd)
 	cli_dbgmsg("Found Photoshop segment\n");
 	do {
 		old = lseek(fd, 0, SEEK_CUR);
-		retval = jpeg_check_photoshop_8bim(fd);
+		retval = jpeg_check_photoshop_8bim(fd, ctx);
 		new = lseek(fd, 0, SEEK_CUR);
 		if(new <= old)
 			break;
@@ -178,7 +178,7 @@ static int jpeg_check_photoshop(int fd)
 	return retval;
 }
 
-int cli_check_jpeg_exploit(int fd)
+int cli_check_jpeg_exploit(int fd, cli_ctx *ctx)
 {
 	unsigned char buffer[4];
 	off_t offset;
@@ -186,6 +186,8 @@ int cli_check_jpeg_exploit(int fd)
 
 
 	cli_dbgmsg("in cli_check_jpeg_exploit()\n");
+	if(ctx->recursion > ctx->engine->maxreclevel)
+	    return CL_EMAXREC;
 
 	if (cli_readn(fd, buffer, 2) != 2) {
 		return 0;
@@ -229,9 +231,11 @@ int cli_check_jpeg_exploit(int fd)
 
 		if (buffer[1] == 0xed) {
 			/* Possible Photoshop file */
-			if ((retval=jpeg_check_photoshop(fd)) != 0) {
+			ctx->recursion++;
+			retval=jpeg_check_photoshop(fd, ctx);
+			ctx->recursion--;
+			if (retval != 0)
 				return retval;
-			}
 		}
 
 		if (lseek(fd, offset, SEEK_SET) != offset) {

libclamav/special.h

@@ -21,8 +21,10 @@
 #ifndef __SPECIAL_H
 #define __SPECIAL_H
 
+#include "others.h"
+
 int cli_check_mydoom_log(int desc, const char **virname);
-int cli_check_jpeg_exploit(int fd);
+int cli_check_jpeg_exploit(int fd, cli_ctx *ctx);
 int cli_check_riff_exploit(int fd);
 
 #endif