The prior fix for the wwunpack overread in commit
89cd0df3d7 was a little too late, but
also removed an earlier, smaller guard for a write.
This commit just moves the larger guard a little earlier to protect
against both.
Resolves: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=60655
If a signature has a pattern that is too short, it will fail to load the
signature but does not cause the entire load process to abort.
This is bad for two reasons:
1) It is not immediately apparent that the signature is bad, and so it
could be published accidentally.
2) The signature is partially loaded by the time the bad pattern is
observed and that may cause a crash later.
Because of (1), it is not worth it to try to unload the first part of the
signature. Instead, we should just abort the signature load.
Fixes: https://github.com/Cisco-Talos/clamav/issues/923
We should also abort loading if the filter pattern for the boyer-moore
matcher is shorter than 2 bytes.
Also, do not print the final "Loading" progress bar if an error occurred.
A buffer over-read may occur when unpacking wwpack'd PE files if the
file is very small.
This commit adds a CLI_CONTAINS buffer wrap check to ensure we aren't
reading beyond the exe buffer.
We determined that this issue is not a vulnerability.
Resolves: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=57374
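Added example, not ClamAV's own code: a bounds check in the spirit of the CLI_CONTAINS wrap check described in this commit and in the follow-up fix above, with the arithmetic done on unsigned offsets so that a huge claimed length cannot wrap the end pointer back inside the buffer. The unpacker step (`copy_checked`, a header-declared offset and length) is a constructed stand-in for the wwpack case, not the real unpacker.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* True only if [sub, sub + sub_size) lies entirely inside [buf, buf + buf_size).
 * Comparing offsets rather than end pointers avoids forming or comparing a
 * pointer that overflowed; a huge sub_size therefore fails instead of wrapping. */
static bool buffer_contains(const void *buf, size_t buf_size,
                            const void *sub, size_t sub_size)
{
    uintptr_t b = (uintptr_t)buf;
    uintptr_t s = (uintptr_t)sub;

    if (buf == NULL || sub == NULL)
        return false;
    if (s < b)
        return false;
    uintptr_t off = s - b;        /* safe: s >= b */
    if (off > buf_size)
        return false;
    return sub_size <= buf_size - off;   /* no overflow: off <= buf_size */
}

/* Hypothetical unpacker step (constructed for the example): a header claims
 * an offset and a length inside the executable image. Copy only when the
 * claimed region really is inside the image. Returns bytes copied, 0 if refused. */
static size_t copy_checked(const unsigned char *exe, size_t exe_size,
                           size_t off, size_t len,
                           unsigned char *out, size_t out_size)
{
    if (len > out_size)
        return 0;
    if (off > exe_size)           /* never form a pointer past the end */
        return 0;
    const unsigned char *src = exe + off;
    if (!buffer_contains(exe, exe_size, src, len))
        return 0;                 /* would read past the exe buffer */
    memcpy(out, src, len);
    return len;
}
```

The order of the two checks in `copy_checked` matters: the offset is validated before `exe + off` is computed, and only then is the length validated against what remains.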
* Add new clamd and clamscan option --cache-size
This option allows you to set the number of entries the cache can store.
Additionally, introduce CacheSize as a clamd.conf
synonym for --cache-size.
Fixes #867
The code to extract CSS from HTML <style> blocks contains an off-by-one:
in case there is no actual content, it will have a chunk_size of -1.
Whoops.
Removed the -1 so it is correct, and added an extra safety check in case
something else crazy happens.
For some reason we're generating a filename with a random hash in it
to use for the comment content in the event that codepage conversion to
utf8 fails for the comment. This makes no sense. So I'm removing it and
letting it just fail out. The calling functions ignore the failure
anyways and move on which is good.
Note: I think the "cli_genfname" call that I'm removing was a copypaste
from the logic for converting the filename to utf8. We still do that.
I'm not sure about the consequence of failing to have a filename in that
case, so I'm going to leave it as-is.
Coverity-225186, 225156: Fix possible leak of comment message in case
parsing the comment header fails after allocating the comment buffer.
Coverity-225184: Fix possible leak of egg block if the archive is not
solid and contains no files.
Additional improvements to egg parser error handling for functions that
pass back allocated memory through the parameters. Instead of checking
for failure before freeing the allocated memory, we'll hand off
ownership of the allocated memory to the parameter variable by setting
to NULL afterwards, and then always free the variable if not NULL after
the `done` label.
Coverity is unhappy with the use of the EC32, cli_readint32,
and cli_writeint32 macros (and the 64-bit equivalents) to potentially
change the endianness of variables in place.
It claims:
overlapping_assignment: Assigning ... to ..., which have overlapping
memory locations and different types.
Using a temporary variable in between reading and writing should
resolve these "high impact" complaints.
Resolves: Coverity-225232, 225225, 225215, 225212, 225180, 225170,
225165, 225161, 225159.
Prevent double-extraction of same PDF object
Two indirect references to the same PDF object may cause it to try to
extract that object twice. This also may cause it to set the extraction
path twice, which leaks the memory from the first time.
This commit records when object extraction is attempted and prevents
doing it again. It also adds a couple extra checks to make sure that the
object path string is not leaked.
Fixes https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=58072
Also:
- Coverity-317959: Fix complaint about logically dead code. No need to
check if UE variable is NULL because we would've returned earlier if it
was NULL.
- A bunch of medium-severity coverity issues for PDF parser regarding
checking if a `pdf` pointer is NULL after dereferencing it.
- Coverity-192930: bytes_remaining was being checked twice in a row
without changing it. Turns out we should have been changing it after
moving the `index` pointer.
- Coverity-192920: Switch to use CLI_REALLOC instead of cli_realloc2.
This is because cli_realloc2 would free `pdf->objs` on failure and we
still need it.
Fix possibly uninitialized binop variable in bytecode module for STORE
and COPY instructions in bytecode module.
Refactored slightly to include additional opcode logic in the switch statement.
Coverity-344508: Fix out-of-bound read in check_str test.
The len argument cannot be longer than the size of the source buffer.
The original test was attempting to test an append failure.
The updated test checks for correct behavior with two consecutive
appends.
Also added function comments to document correct use of textbuffer
functions.
Coverity-344493: Fix out-of-bounds read in check_jsnorm test.
The buffers passed to tokenizer_test must be NULL-terminated.
RTF:
- Coverity-344490: Use cli_realloc instead of cli_realloc2.
cli_realloc2 will free the memory if the allocation fails, though we
also free the memory later in SCAN_CLEANUP.
- Fix warning about unused variable.
AutoIt:
- Fix possible memory leaks of input and output buffers.
- Set pointer to NULL after handing off memory to new pointer.
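Added example, not ClamAV's own code: the two error-handling patterns named in this commit and in the egg parser notes above. `parse_comment` allocates a buffer, can still fail after allocating it, and hands ownership to the caller by setting its local to NULL so that a single `free` after the `done` label is always correct. `push_item` grows an array with a plain realloc that leaves the old block alone on failure, which is what makes a later cleanup-path free safe (a realloc wrapper that frees on failure, as cli_realloc2 is described above, would turn that into a double free). The record layout and the `inject_alloc_failure` test hook are constructed for the example.

```c
#include <stdlib.h>
#include <string.h>

/* Test hook (assumption for the example): force the next allocation to fail. */
static int inject_alloc_failure = 0;

static void *xmalloc(size_t n)
{
    if (inject_alloc_failure) { inject_alloc_failure = 0; return NULL; }
    return malloc(n);
}

static void *xrealloc(void *p, size_t n)
{
    if (inject_alloc_failure) { inject_alloc_failure = 0; return NULL; }
    return realloc(p, n);   /* on failure p is untouched and still owned by the caller */
}

/* Hypothetical record: u16 little-endian length, payload, one-byte checksum
 * (sum of payload bytes mod 256). On success *comment_out receives a
 * NUL-terminated copy owned by the caller; on any failure nothing is handed
 * back and nothing leaks. */
static int parse_comment(const unsigned char *buf, size_t len, char **comment_out)
{
    int status = -1;
    char *comment = NULL;
    size_t clen, i;
    unsigned sum = 0;

    if (buf == NULL || comment_out == NULL || len < 3)
        goto done;
    clen = (size_t)buf[0] | ((size_t)buf[1] << 8);
    if (clen > len - 3)                  /* header claims more than is present */
        goto done;

    comment = xmalloc(clen + 1);
    if (comment == NULL)
        goto done;
    memcpy(comment, buf + 2, clen);
    comment[clen] = '\0';

    for (i = 0; i < clen; i++)
        sum += buf[2 + i];
    if ((sum & 0xff) != buf[2 + clen])   /* failure after allocating: must not leak */
        goto done;

    *comment_out = comment;              /* ownership moves to the caller ... */
    comment = NULL;                      /* ... so the cleanup below leaves it alone */
    status = 0;

done:
    free(comment);                       /* NULL on success, the buffer on failure */
    return status;
}

/* Grow a pointer array by one slot. On allocation failure the old array is
 * left intact and still owned by the caller, so the caller's cleanup frees it
 * exactly once. */
static int push_item(char ***items, size_t *count, char *item)
{
    char **grown = xrealloc(*items, (*count + 1) * sizeof(**items));
    if (grown == NULL)
        return -1;                       /* *items unchanged, not freed */
    grown[*count] = item;
    *items = grown;
    *count += 1;
    return 0;
}
```

The discipline is the same in both functions: exactly one owner for each allocation at every point, and the cleanup path frees whatever the local variables still own, without needing to know which step failed.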
The pointer used to index an HTML file during normalization may be
rewound to an earlier location if encoded javascript (screnc) is
detected while processing the line.
If a <style>-tag was also found in the line after the screnc bytes
then the check for the size of the style-chunk will be "negative"
and would result in a massive memcpy.
This issue was introduced during 1.1 development.
This commit ensures the style chunk size may not be negative.
Resolves: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=57327
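Added example, not the ClamAV normalizer itself: a small model of the two <style> length problems described in this commit and in the earlier off-by-one commit above. `chunk_size_unchecked` is the shape of the bug (a signed difference of two positions, one of them possibly rewound, used as a size) and is returned rather than passed to memcpy so the wrap can be observed; `copy_style_chunk` is the hardened form, which rejects a negative span and gives an empty block a length of 0 rather than -1. The tag-finding helper is constructed for the example.

```c
#include <stddef.h>
#include <string.h>

/* Locate the content of the first <style>...</style> pair in the line.
 * Positions are byte offsets; returns 0 and fills start/end on success. */
static int find_style_block(const char *line, size_t n, size_t *start, size_t *end)
{
    const char *open = "<style>", *close = "</style>";
    size_t ol = strlen(open), cl = strlen(close), i, j;
    for (i = 0; i + ol <= n; i++) {
        if (memcmp(line + i, open, ol) != 0)
            continue;
        for (j = i + ol; j + cl <= n; j++) {
            if (memcmp(line + j, close, cl) == 0) {
                *start = i + ol;
                *end = j;
                return 0;
            }
        }
        return -1;                 /* opening tag without a closing tag */
    }
    return -1;
}

/* The bug shape: a length computed as a signed difference, then used as a
 * size. When the cursor has been rewound behind the block (end < start) the
 * negative value becomes a huge size_t. Never pass this to memcpy. */
static size_t chunk_size_unchecked(size_t start, size_t end)
{
    long len = (long)end - (long)start;   /* negative after a rewind */
    return (size_t)len;
}

/* Hardened copy: both offsets must lie within the line, the span must not be
 * negative, and the result must fit the destination. An empty block copies 0. */
static int copy_style_chunk(const char *line, size_t n, size_t start, size_t end,
                            char *out, size_t out_size, size_t *copied)
{
    if (start > n || end > n || end < start)
        return -1;
    size_t len = end - start;
    if (len >= out_size)
        return -1;
    memcpy(out, line + start, len);
    out[len] = '\0';
    *copied = len;
    return 0;
}
```

Keeping the positions unsigned and comparing them before subtracting is what makes the negative case impossible to reach the memcpy.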
Previous behaviour would remove temp files by deleting the subdirectory
This caused issues in cases (on Windows) where subdirectories aren't created
due to performance concerns.
This commit removes tempfiles individually if keeptemp is off
Original patch authored by Thomas Vy
Coverity complained about missing break statements for two switch cases
that end with asserts.
Adding /* fall-through */ comments appears to assuage Coverity's fears.
The strncpy intentionally is not copying the NULL terminator for the log
message prefix. The NULL will be added by vsnprintf, after.
Switching to memcpy eliminates the warning.
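Added example, not ClamAV's logging code: the prefix-then-vsnprintf construction this commit describes. The prefix is copied without its terminator with memcpy of exactly `strlen(prefix)` bytes, then vsnprintf writes the formatted message and the terminator after it; `strncpy(dst, prefix, strlen(prefix))` does the same thing but is what the truncation warning objects to. The function name and prefix string are assumptions for the example.

```c
#include <stdarg.h>
#include <stdio.h>
#include <string.h>

/* Builds "<prefix><message>" in buf. Returns the length the full line would
 * have had (so a value >= buf_size signals truncation), or -1 on error. */
static int format_log_line(char *buf, size_t buf_size, const char *prefix,
                           const char *fmt, ...)
{
    size_t plen = strlen(prefix);
    va_list ap;
    int n;

    if (plen >= buf_size)
        return -1;
    memcpy(buf, prefix, plen);            /* no terminator, on purpose */

    va_start(ap, fmt);
    n = vsnprintf(buf + plen, buf_size - plen, fmt, ap);   /* writes the terminator */
    va_end(ap);
    if (n < 0)
        return -1;
    return (int)plen + n;
}
```

Because vsnprintf always terminates within the space it is given, the buffer is a valid string even when the message is truncated.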
Change the version suffix from -devel-{TODAY} to -rc
Bump the SO version for libclamav and libfreshclam.
Increasing the current version to 12.0.0 and 3.0.0 respectively.
The reason is that we reintroduced using the version scripts:
- libclamav.map
- libfreshclam.map
- libclamunrar.map
- libclamunrar_iface.map
Note that libclamunrar and libclamunrar_iface use the SO version from
libclamav.
Note that libclammspack does not have a .map file and so is not getting
symbol versioning at this time nor are we bumping the SO version for
that library.
Add a new cl_engine_set_clcb_vba() function to set a cb_vba callback
function and add clcb_generic_data handler prototype to the clamav.h
public API.
The cb_vba callback function will be run whenever VBA is extracted from
office documents. The provided data will be a normalized copy of the
original VBA. This callback is added to support Sigtool so it can use
the same VBA extraction logic as when scanning documents.
Change the Sigtool temp directory creation for any commands that use
temp directories so that you can select a custom temp directory with the
`--tempdir=PATH` option, and can retain the temp files with the
`--leave-temps` option.
Added `--tempdir` and `--leave-temps` to the Sigtool `--help` output.
Added `--tempdir` and `--leave-temps` to the Sigtool manpage.
Use OpenSSL's big number / multiprecision integer arithmetic
functionality to replace tomfastmath.
This is a first shot at doing just this. Further improvement could be
use more RSA-signature verification from OpenSSL in crtmgr_rsa_verify()
and less self parsing.
_padding_check_PKCS1_type_1() has been borrowed from OpenSSL to make
further replacements easier.
Signed-off-by: Sebastian Andrzej Siewior <sebastian@breakpoint.cc>
* Add a new function cl_cvdgetage() to the libclamav API.
This function will retrieve the age of the youngest file in a
database directory, or the age of a single CVD (or CLD) file.
* Add new clamscan option --fail-if-cvd-older-than=days
When passed, causes clamscan to exit with a non-zero return code
if the virus database is older than the specified number of days.
* Add new clamd option --fail-if-cvd-older-than=days
When passed, causes clamd to exit on start-up with a non-zero
return code if the virus database is older than the specified
number of days.
Additionally, we introduce FailIfCvdOlderThan as a clamd.conf
synonym for --fail-if-cvd-older-than.
Fixes #820
libclamav.map: Add missing symbol and correct symbol version.
libclamunrar.map: Use symbol version-script for libclamunrar, too.
Thank you to Sebastian Andrzej Siewior for the help.
Also fix a unittest linker issue...
Adding libclamav.map causes libclamav to no longer export zlib
when zlib is statically linked.
What was weird is that libxml2 depends on zlib and the check_clamav
unit test program was using those symbols from libclamav.
Introducing libclamav.map broke that even though we were explicitly
trying to link check_clamav with ZLIB::ZLIB as well.
For reasons I can't explain, linking check_clamav with the
ClamAV::common library managed to properly link it with ZLIB::ZLIB
and so the undefined references go away.
Also in this commit, I've removed the `.map` files from .gitignore
I'm not sure why they were ignored before.
XML entity expansion may be used to load an XML entity from a
(different) local file than the file being scanned if the scanning
process can read the referenced file path.
This may be used to leak information from the local file to the person
who initiated the scan.
The libxml2 option XML_PARSE_NOENT means that no entities should
be left in the document and not that no entities should be resolved.
This commit removes that option.
A few users of VirtualAddress and Size in cli_exe_info::pe_image_data_dir
don't use the endian wrapper while other places do. This leads to
testsuite failures on big endian machines.
Convert the content of struct pe_image_data_dir to native format so that
the EC32() conversion can be removed.
Signed-off-by: Sebastian Andrzej Siewior <sebastian@breakpoint.cc>
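Added example, not ClamAV's own helpers or structs, serving both this commit and the Coverity "overlapping_assignment" commit earlier on this page. `read_le32` and `write_le32` are cli_readint32/cli_writeint32-style byte-wise accessors; `hdr_to_native` converts every field of a header once, via a temporary, so that later code uses plain native values and needs no EC32()-style wrapper at each use. Reading into the temporary before storing produces the same bytes as the in-place form; it only separates the read of the storage from the write to it. The `section_hdr` layout is constructed for the example.

```c
#include <stdint.h>
#include <string.h>

/* Read a little-endian 32-bit value from any (possibly unaligned) address,
 * independent of host endianness. */
static uint32_t read_le32(const void *p)
{
    uint8_t b[4];
    memcpy(b, p, 4);
    return (uint32_t)b[0] | ((uint32_t)b[1] << 8) |
           ((uint32_t)b[2] << 16) | ((uint32_t)b[3] << 24);
}

/* Store a host value little-endian at p. */
static void write_le32(void *p, uint32_t v)
{
    uint8_t b[4] = { (uint8_t)v, (uint8_t)(v >> 8),
                     (uint8_t)(v >> 16), (uint8_t)(v >> 24) };
    memcpy(p, b, 4);
}

/* Hypothetical on-disk header, two little-endian fields. */
struct section_hdr {
    uint32_t virtual_address;
    uint32_t size;
};

/* Convert the header to native byte order in place, once, so that every
 * later use of the fields is a plain read. The temporary separates the
 * byte-wise read of the field from the typed store into the same storage. */
static void hdr_to_native(struct section_hdr *h)
{
    uint32_t tmp;
    tmp = read_le32(&h->virtual_address);
    h->virtual_address = tmp;
    tmp = read_le32(&h->size);
    h->size = tmp;
}

/* Inverse: write native values back out in the on-disk byte order. */
static void hdr_to_disk(struct section_hdr *h)
{
    uint32_t tmp;
    tmp = h->virtual_address;
    write_le32(&h->virtual_address, tmp);
    tmp = h->size;
    write_le32(&h->size, tmp);
}
```

Because both accessors go through a byte array, the round trip gives identical results on little- and big-endian hosts; only the in-memory representation after `hdr_to_native` differs between them.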
PDB, WDB, and CDB signatures can use a regex feature to match
domain names. At one time in the process we ran a filter search
to speed up filtering out non-matching static patterns but were
accidentally discarding the result. When tested, it turns out
it wasn't working correctly anyways.
Since then, we've fixed some bugs and upgraded the regex
implementation to the latest version. After re-testing, I have
found that the filter_search() appears to be working correctly
now, both in the unit tests and with the existing CDB signatures.
I found that the `url(data:` type does not matter to a browser.
In addition, whitespace may be placed in a few locations and the browser
will ignore it.
This commit accounts for this, and updates the test accordingly.
This commit adds a feature to find, decode, and scan each image found
within HTML <style> tags where the image data is embedded in `url()`
function parameters as a base64 blob.
In C, in the HTML normalization process, we extract style tag contents
to a new buffer for processing. We call into a new feature in Rust code to
find and decode each image (if there are multiple).
Once extracted, the images are scanned as contained files of unknown
type, and file type identification will determine the actual type.
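Added example, not ClamAV's Rust implementation: a C scanner for the `url(data:...;base64,...)` pattern this commit and the whitespace commit above describe. It ignores the media type, matches `data:` and `base64` case-insensitively, tolerates whitespace after `url(`, around an optional quote, inside the blob and before the closing parenthesis, and base64-decodes each blob into its own buffer for the caller to scan. The CSS sample in the test is constructed.

```c
#include <ctype.h>
#include <stdlib.h>
#include <string.h>

struct css_image { unsigned char *data; size_t len; };

static int b64val(int c)
{
    if (c >= 'A' && c <= 'Z') return c - 'A';
    if (c >= 'a' && c <= 'z') return c - 'a' + 26;
    if (c >= '0' && c <= '9') return c - '0' + 52;
    if (c == '+') return 62;
    if (c == '/') return 63;
    return -1;
}

/* Decode base64 from [s, s+n). Whitespace anywhere is skipped, '=' ends the
 * input, trailing bits short of a byte are dropped. malloc'd result, or NULL
 * on an invalid character. */
static unsigned char *b64_decode(const char *s, size_t n, size_t *out_len)
{
    unsigned char *out = malloc(n / 4 * 3 + 3);   /* >= 6n/8 output bytes */
    size_t o = 0;
    unsigned acc = 0;
    int bits = 0;
    if (!out) return NULL;
    for (size_t i = 0; i < n; i++) {
        int c = (unsigned char)s[i];
        if (isspace(c)) continue;
        if (c == '=') break;
        int v = b64val(c);
        if (v < 0) { free(out); return NULL; }
        acc = (acc << 6) | (unsigned)v;
        bits += 6;
        if (bits >= 8) { bits -= 8; out[o++] = (unsigned char)((acc >> bits) & 0xff); }
    }
    *out_len = o;
    return out;
}

static size_t skip_ws(const char *s, size_t n, size_t i)
{
    while (i < n && isspace((unsigned char)s[i])) i++;
    return i;
}

/* Case-insensitive match of the lowercase token tok at s[i..]. */
static int match_ci(const char *s, size_t n, size_t i, const char *tok)
{
    size_t tl = strlen(tok);
    if (i + tl > n) return 0;
    for (size_t k = 0; k < tl; k++)
        if (tolower((unsigned char)s[i + k]) != tok[k]) return 0;
    return 1;
}

/* Find up to max_images base64 data URLs inside url(). Returns the count;
 * the caller frees each data pointer. Non-base64 data URLs and ordinary
 * URLs are skipped. */
static size_t find_css_images(const char *css, size_t n,
                              struct css_image *imgs, size_t max_images)
{
    size_t count = 0, i = 0;
    while (count < max_images && i + 4 <= n) {
        if (!match_ci(css, n, i, "url(")) { i++; continue; }
        size_t p = skip_ws(css, n, i + 4);
        char quote = 0;
        if (p < n && (css[p] == '"' || css[p] == '\'')) quote = css[p++];
        p = skip_ws(css, n, p);
        if (!match_ci(css, n, p, "data:")) { i = p; continue; }
        p += 5;
        size_t comma = p;                       /* media type and params end at ',' */
        while (comma < n && css[comma] != ',' && css[comma] != ')') comma++;
        if (comma >= n || css[comma] != ',') { i = comma; continue; }
        int is_b64 = 0;
        for (size_t k = p; k + 7 <= comma; k++)
            if (match_ci(css, comma, k, ";base64")) { is_b64 = 1; break; }
        if (!is_b64) { i = comma; continue; }
        size_t start = comma + 1, end = start;  /* blob runs to ')' or the quote */
        while (end < n && css[end] != ')' && (!quote || css[end] != quote)) end++;
        size_t len;
        unsigned char *data = b64_decode(css + start, end - start, &len);
        if (data) { imgs[count].data = data; imgs[count].len = len; count++; }
        i = end;
    }
    return count;
}
```

Each decoded buffer is handed back as an opaque blob: as the commit says, the caller scans it as a file of unknown type and lets file type identification decide what it is.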
The verdict is being recorded before the preclass bytecode hook meaning
that the final verdict may come back as "clean" in allmatch mode,
even if the preclass bytecode hook matches something.
This commit moves the verdict check to occur AFTER the preclass bytecode
hook executes.