Thu Dec 6 15:22:27 CET 2007 (tk)
---------------------------------
* libclamav/pe.c: fix possible integer overflow in MEW related code
Reported by iDefense [IDEF2842]
Backported by SVN r3376
Index: clamav-0.91.2/libclamav/pe.c
===================================================================
--- clamav-0.91.2.orig/libclamav/pe.c
+++ clamav-0.91.2/libclamav/pe.c
@@ -80,6 +80,18 @@
 #define PEALIGN(o,a) (((a))?(((o)/(a))*(a)):(o))
 #define PESALIGN(o,a) (((a))?(((o)/(a)+((o)%(a)!=0))*(a)):(o))

+#define CLI_UNPSIZELIMITS(NAME,CHK) \
+if(ctx->limits && ctx->limits->maxfilesize && (CHK) > ctx->limits->maxfilesize) { \
+ cli_dbgmsg(NAME": Sizes exceeded (%lu > %lu)\n", (CHK), ctx->limits->maxfilesize); \
+ free(exe_sections); \
+ if(BLOCKMAX) { \
+ *ctx->virname = "PE."NAME".ExceededFileSize"; \
+ return CL_VIRUS; \
+ } else { \
+ return CL_CLEAN; \
+ } \
+}
+
 extern short cli_leavetemps_flag;

 struct offset_list {
@@ -1153,16 +1165,9 @@ int cli_scanpe(int desc, cli_ctx *ctx)
 dsize = exe_sections[i].vsz;

 cli_dbgmsg("MEW: ssize %08x dsize %08x offdiff: %08x\n", ssize, dsize, offdiff);
- if(ctx->limits && ctx->limits->maxfilesize && (ssize + dsize > ctx->limits->maxfilesize || exe_sections[i + 1].rsz > ctx->limits->maxfilesize)) {
- cli_dbgmsg("MEW: Sizes exceeded (ssize: %u, dsize: %u, max: %lu)\n", ssize, dsize , ctx->limits->maxfilesize);
- free(exe_sections);
- if(BLOCKMAX) {
- *ctx->virname = "PE.MEW.ExceededFileSize";
- return CL_VIRUS;
- } else {
- return CL_CLEAN;
- }
- }
+
+ CLI_UNPSIZELIMITS("MEW", MAX(ssize, dsize));
+ CLI_UNPSIZELIMITS("MEW", MAX(ssize + dsize, exe_sections[i + 1].rsz));

 /* allocate needed buffer */
 if (!(src = cli_calloc (ssize + dsize, sizeof(char)))) {
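Review bot: The `cli_dbgmsg` call inside the new CLI_UNPSIZELIMITS macro passes `(CHK)` to a `%lu` conversion, but both call sites build CHK from ssize/dsize, which the removed message printed with `%u`. If those are 32-bit unsigned (they are declared outside this hunk), the argument type does not match the format on LP64 targets. A cast at the point of use would fix it: `cli_dbgmsg(NAME": Sizes exceeded (%lu > %lu)\n", (unsigned long)(CHK), ctx->limits->maxfilesize); \`. The macro also expands to a bare `if` that frees `exe_sections` and returns from the caller, and it evaluates CHK more than once. A `do { ... } while(0)` wrapper and a comment above it such as `/* Frees exe_sections and returns from the enclosing function when CHK exceeds maxfilesize; needs ctx and exe_sections in scope; CHK is evaluated more than once. */` would make it safer to reuse.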
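Review bot: The two CLI_UNPSIZELIMITS calls bound ssize and dsize only when `ctx->limits` is set and `maxfilesize` is non-zero, so with limits disabled the `ssize + dsize` passed to `cli_calloc` just below can still wrap. Even with a limit, the first call only guarantees that each value is at most `maxfilesize`, so the sum in the second call can wrap if the limit exceeds half the range of the operand type. The `%08x` debug format suggests 32-bit unsigned, but the declarations are outside this hunk. An unconditional guard before the allocation would close both cases, for example `if(ssize + dsize < ssize) { free(exe_sections); return CL_CLEAN; }`, with the return value chosen to match how the limit path is meant to behave. The body of cli_scanpe continues outside the hunk, so any later arithmetic on these sizes is not covered by this note.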