open-dsi
/
clamav
mirror of https://github.com/Cisco-Talos/clamav
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity
ClamAV is an open source (GPLv2) anti-virus toolkit.
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
7629 Commits
38 Branches
228 Tags
219 MiB
 
 
 
 
 
 
Tag: Branch: Tree: e07b295d95
Branches Tags
${ item.name }
Create tag ${ searchTerm }
Create branch ${ searchTerm }
from 'e07b295d95'
${ noResults }
clamav/libclamav/jpeg.c

302 lines
8.1 KiB
Raw Blame History

/*
* Copyright (C) 2011 Sourcefire, Inc.
*
* Authors: Tomasz Kojm <tkojm@clamav.net>
*
* This program is free software; you can redistribute it and/or modify
* it under the terms of the GNU General Public License version 2 as
* published by the Free Software Foundation.
*
* This program is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU General Public License for more details.
*
* You should have received a copy of the GNU General Public License
* along with this program; if not, write to the Free Software
* Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston,
* MA 02110-1301, USA.
*/
#if HAVE_CONFIG_H
#include "clamav-config.h"
#endif
#include <stdio.h>
#include <string.h>
#include <sys/types.h>
#include <sys/stat.h>
#include <fcntl.h>
#include <sys/stat.h>
#ifdef HAVE_UNISTD_H
#include <unistd.h>
#endif
#include <time.h>
#include "cltypes.h"
#include "jpeg.h"
#include "clamav.h"
#define EC16(x) le16_to_host(x)
#define GETBYTE(v) \
if(fmap_readn(map, &v, offset, sizeof(v)) == sizeof(v)) { \
offset += sizeof(v); \
} else { \
cli_errmsg("cli_parse(jpeg|gif): Can't read file (corrupted?)\n"); \
return CL_EPARSE; \
}
int cli_parsejpeg(cli_ctx *ctx)
{
fmap_t *map = *ctx->fmap;
unsigned char marker, prev_marker, prev_segment = 0, v1, v2, buff[8];
unsigned int offset = 0, i, len, comment = 0, segment = 0, app = 0;
cli_dbgmsg("in cli_parsejpeg()\n");
if(fmap_readn(map, buff, offset, 4) != 4)
return CL_SUCCESS; /* Ignore */
if(!memcmp(buff, "\xff\xd8\xff", 3))
offset = 2;
else if(!memcmp(buff, "\xff\xd9\xff\xd8", 4))
offset = 4;
else
return CL_SUCCESS; /* Not a JPEG file */
while(1) {
segment++;
prev_marker = 0;
for(i = 0; offset < map->len && i < 16; i++) {
GETBYTE(marker);
if(prev_marker == 0xff && marker != 0xff)
break;
prev_marker = marker;
}
if(i == 16) {
cli_warnmsg("cli_parsejpeg: Spurious bytes before segment %u\n", segment);
return CL_EPARSE;
}
if(offset == map->len) {
cli_warnmsg("cli_parsejpeg: Error looking for marker\n");
return CL_EPARSE;
}
GETBYTE(v1);
GETBYTE(v2);
len = (unsigned int) (v1 << 8) | v2;
cli_dbgmsg("JPEG: Marker %02x, length %u\n", marker, len);
if(len < 2) {
cli_warnmsg("cli_parsejpeg: Invalid segment size\n");
return CL_EPARSE;
}
if(len >= map->len - offset + 2) {
cli_warnmsg("cli_parsejpeg: Segment data out of file\n");
return CL_EPARSE;
}
offset += len - 2;
switch(marker) {
case 0xe0: /* JFIF */
if(app) {
cli_warnmsg("cli_parsejpeg: Duplicate Application Marker\n");
return CL_EPARSE;
}
if(segment != 1 && (segment != 2 || !comment)) {
cli_warnmsg("cli_parsejpeg: JFIF marker at wrong position\n");
return CL_EPARSE;
}
if(fmap_readn(map, buff, offset - len + 2, 5) != 5 || memcmp(buff, "JFIF\0",5)) {
cli_warnmsg("cli_parsejpeg: No JFIF marker\n");
return CL_EPARSE;
}
if(len < 16) {
cli_warnmsg("cli_parsejpeg: JFIF header too short\n");
return CL_EPARSE;
}
app = 0xe0;
break;
case 0xe1: /* EXIF */
if(fmap_readn(map, buff, offset - len + 2, 7) != 7) {
cli_warnmsg("cli_parsejpeg: Can't read Exif header\n");
return CL_EPARSE;
}
if(!memcmp(buff, "Exif\0\0", 6)) {
if(app && app != 0xe0) {
cli_warnmsg("cli_parsejpeg: Duplicate Application Marker\n");
return CL_EPARSE;
}
if(segment > 3 && !comment && app != 0xe0) {
cli_warnmsg("cli_parsejpeg: Exif marker at wrong position\n");
return CL_EPARSE;
}
} else if(!memcmp(buff, "http://", 7)) {
cli_dbgmsg("JPEG: XMP data in segment %u\n", segment);
} else {
cli_warnmsg("cli_parsejpeg: Invalid Exif header\n");
return CL_EPARSE;
}
if(len < 16) {
cli_warnmsg("cli_parsejpeg: Exif header too short\n");
return CL_EPARSE;
}
app = 0xe1;
break;
case 0xe8: /* SPIFF */
if(app) {
cli_warnmsg("cli_parsejpeg: Duplicate Application Marker\n");
return CL_EPARSE;
}
if(segment != 1 && (segment != 2 || !comment)) {
cli_warnmsg("cli_parsejpeg: SPIFF marker at wrong position\n");
return CL_EPARSE;
}
if(fmap_readn(map, buff, offset - len + 2, 6) != 6 || memcmp(buff, "SPIFF\0", 6)) {
cli_warnmsg("cli_parsejpeg: No SPIFF marker\n");
return CL_EPARSE;
}
if(len < 16) {
cli_warnmsg("cli_parsejpeg: SPIFF header too short\n");
return CL_EPARSE;
}
app = 0xe8;
break;
case 0xf7: /* JPG7 */
if(app) {
cli_warnmsg("cli_parsejpeg: Application Marker before JPG7\n");
return CL_EPARSE;
}
return CL_SUCCESS;
case 0xda: /* SOS */
if(!app) {
cli_warnmsg("cli_parsejpeg: Invalid file structure\n");
return CL_EPARSE;
}
return CL_SUCCESS;
case 0xd9: /* EOI */
cli_warnmsg("cli_parsejpeg: No image in jpeg\n");
return CL_EPARSE;
case 0xfe: /* COM */
comment = 1;
break;
case 0xed: /* IPTC */
comment = 1;
break;
case 0xf2: /* DTT */
if(prev_segment != 0xf1) {
cli_warnmsg("cli_parsejpeg: No DTI segment before DTT\n");
return CL_EPARSE;
}
break;
default:
break;
}
prev_segment = marker;
}
return CL_SUCCESS;
}
/* GIF */
struct gif_screen_desc {
uint16_t width;
uint16_t height;
uint8_t flags;
uint8_t bgcolor;
uint8_t aspect;
};
struct gif_graphic_control_ext {
uint8_t blksize;
uint8_t flags;
uint16_t delaytime;
uint8_t tcoloridx;
uint8_t blkterm;
};
struct gif_image_desc {
uint16_t leftpos;
uint16_t toppos;
uint16_t width;
uint16_t height;
uint8_t flags;
};
int cli_parsegif(cli_ctx *ctx)
{
fmap_t *map = *ctx->fmap;
unsigned char magic[6], v;
unsigned int offset = 0, have_gce = 0;
struct gif_screen_desc screen_desc;
struct gif_graphic_control_ext graphic_control_ext;
struct gif_image_desc image_desc;
cli_dbgmsg("in cli_parsegif()\n");
if(fmap_readn(map, magic, offset, 6) != 6)
return CL_SUCCESS; /* Ignore */
if(!memcmp(magic, "GIF87a", 6) || !memcmp(magic, "GIF89a", 6))
offset = 6;
else
return CL_SUCCESS; /* Not a GIF file */
if(fmap_readn(map, &screen_desc, offset, sizeof(screen_desc)) != sizeof(screen_desc)) {
cli_warnmsg("cli_parsegif: Can't read Logical Screen Descriptor block\n");
return CL_EPARSE;
}
offset += 7;
cli_dbgmsg("GIF: Screen size %ux%u, gctsize: %u\n", EC16(screen_desc.width), EC16(screen_desc.height), screen_desc.flags & 0x7);
if(screen_desc.flags & 0x80)
offset += 3 * (1 << ((screen_desc.flags & 0x7) + 1));
while(1) {
GETBYTE(v);
if(v == 0x21) {
GETBYTE(v);
if(v == 0xf9) {
if(fmap_readn(map, &graphic_control_ext, offset, sizeof(graphic_control_ext)) != sizeof(graphic_control_ext)) {
cli_warnmsg("cli_parsegif: Can't read Graphic Control Extension block\n");
return CL_EPARSE;
}
if(have_gce) {
cli_warnmsg("cli_parsegif: Multiple Graphic Control Extension blocks not allowed\n");
return CL_EPARSE;
}
have_gce = 1;
offset += sizeof(graphic_control_ext);
if(graphic_control_ext.blksize != 4 || graphic_control_ext.blkterm) {
cli_warnmsg("cli_parsegif: Invalid Graphic Control Extension block\n");
return CL_EPARSE;
}
} else {
while(1) {
GETBYTE(v);
if(!v)
break;
offset += v;
}
}
} else if(v == 0x2c) {
if(fmap_readn(map, &image_desc, offset, sizeof(image_desc)) != sizeof(image_desc)) {
cli_warnmsg("cli_parsegif: Can't read Image Descriptor block\n");
return CL_EPARSE;
}
offset += 9;
cli_dbgmsg("GIF: Image size %ux%u, left pos: %u, top pos: %u\n", EC16(image_desc.width), EC16(image_desc.height), EC16(image_desc.leftpos), EC16(image_desc.toppos));
break;
}
}
return CL_SUCCESS;
}