Attachment #149826 for bug #213762




Mon Apr 14 21:35:11 CEST 2008 (tk)
----------------------------------
  * Check in 0.93 patches:
    - libclamunrar: bb#541 (RAR - Version required to extract - Evasion)
    - libclamav/spin.c: bb#876 (PeSpin Heap Overflow Vulnerability)
    - libclamav/pe.c: bb#878 (Upack Buffer Overflow Vulnerability)
    - libclamav/message.c: bb#881 (message.c: read beyond allocated region)
    - libclamav/unarj.c: bb#897 (ARJ: Sample from CERT-FI hangs clamav)
    - libclamunrar: bb#898 (RAR crashes on some fuzzed files from CERT-FI)

Mon Apr 14 13:19:17 CEST 2008 (tk)
----------------------------------
  * test: add clam-aspack.exe, clam-pespin.exe and clam-upx.exe (bb#902)

Lines 87-93 Link Here

(-)libclamav/others.c (-1 / +1 lines)
87	#define P_tmpdir "C:\\WINDOWS\\TEMP"	87	#define P_tmpdir "C:\\WINDOWS\\TEMP"
88	#endif	88	#endif
89		89
90	#define CL_FLEVEL 28 /* don't touch it */	90	#define CL_FLEVEL 29 /* don't touch it */
91		91
92	uint8_t cli_debug_flag = 0, cli_leavetemps_flag = 0;	92	uint8_t cli_debug_flag = 0, cli_leavetemps_flag = 0;
93		93

Lines 2563-2568 Link Here

(-)libclamav/message.c (+1 lines)
2563	in++;	2563	in++;
2564	continue;	2564	continue;
2565	}	2565	}
		2566	*p = '\0';
2566	break;	2567	break;
2567	case '=':	2568	case '=':
2568	/strcpy(p, in);/	2569	/strcpy(p, in);/

Lines 1261-1267 Link Here

(-)libclamav/pe.c (-1 / +1 lines)
1261		1261
1262	CLI_UNPSIZELIMITS("Upack", MAX(MAX(dsize, ssize), exe_sections[1].ursz));	1262	CLI_UNPSIZELIMITS("Upack", MAX(MAX(dsize, ssize), exe_sections[1].ursz));
1263		1263
1264	if (exe_sections[1].rva - off > dsize \|\| exe_sections[1].rva - off > dsize - exe_sections[1].ursz \|\| (upack && (exe_sections[2].rva - exe_sections[0].rva > dsize \|\| exe_sections[2].rva - exe_sections[0].rva > dsize - ssize)) \|\| ssize > dsize) {	1264	if (!CLI_ISCONTAINED(0, dsize, exe_sections[1].rva - off, exe_sections[1].ursz) \|\| (upack && !CLI_ISCONTAINED(0, dsize, exe_sections[2].rva - exe_sections[0].rva, ssize)) \|\| ssize > dsize) {
1265	cli_dbgmsg("Upack: probably malformed pe-header, skipping to next unpacker\n");	1265	cli_dbgmsg("Upack: probably malformed pe-header, skipping to next unpacker\n");
1266	break;	1266	break;
1267	}	1267	}




	unsigned char pt_len[NPT];
	unsigned char sub_bit_buf;
	uint16_t pt_table[PTABLESIZE];
	int status;
} arj_decode_t;

static int fill_buf(arj_decode_t *decode_data, int n)

		if (decode_data->comp_size != 0) {
			decode_data->comp_size--;
			if (cli_readn(decode_data->fd, &decode_data->sub_bit_buf, 1) != 1) {
				decode_data->status = CL_EIO;
				return CL_EIO;
			}
		} else {

	for (i = 0; (int)i < nchar; i++) {
		if (bitlen[i] >= 17) {
			cli_dbgmsg("UNARJ: bounds exceeded\n");
			decode_data->status = CL_EARJ;
			return CL_EARJ;
		}
		count[bitlen[i]]++;

		start[i+1] = start[i] + (count[i] << (16 - i));
	}
	if (start[17] != (unsigned short) (1 << 16)) {
		decode_data->status = CL_EARJ;
		return CL_EARJ;
	}
	
	jutbits = 16 - tablebits;
	if (tablebits >= 17) {
		cli_dbgmsg("UNARJ: bounds exceeded\n");
		decode_data->status = CL_EARJ;
		return CL_EARJ;
	}
	for (i = 1; (int)i <= tablebits; i++) {

		while (i != k) {
			if (i >= tablesize) {
				cli_dbgmsg("UNARJ: bounds exceeded\n");
				decode_data->status = CL_EARJ;
				return CL_EARJ;
			}
			table[i++] = 0;

		}
		if (len >= 17) {
			cli_dbgmsg("UNARJ: bounds exceeded\n");
			decode_data->status = CL_EARJ;
			return CL_EARJ;
		}
		k = start[len];
		nextcode = k + weight[len];
		if ((int)len <= tablebits) {
			if (nextcode > (unsigned int) tablesize) {
				decode_data->status = CL_EARJ;
				return CL_EARJ;
			}
			for (i = start[len]; i < nextcode; i++) {

				if (*p == 0) {
					if (avail >= (2 * NC - 1)) {
						cli_dbgmsg("UNARJ: bounds exceeded\n");
						decode_data->status = CL_EARJ;
						return CL_EARJ;
					}
					decode_data->right[avail] = decode_data->left[avail] = 0;

				}
				if (*p >= (2 * NC - 1)) {
					cli_dbgmsg("UNARJ: bounds exceeded\n");
					decode_data->status = CL_EARJ;
					return CL_EARJ;
				}
				if (k & mask) {

	return CL_SUCCESS;
}

static int read_pt_len(arj_decode_t *decode_data, int nn, int nbit, int i_special)
{
	int i, n;
	short c;

	if (n == 0) {
		if (nn > NPT) {
			cli_dbgmsg("UNARJ: bounds exceeded\n");
			decode_data->status = CL_EARJ;
			return CL_EARJ;
		}
		c = arj_getbits(decode_data, nbit);
		for (i = 0; i < nn; i++) {

				}
			}
			fill_buf(decode_data, (c < 7) ? 3 : (int)(c - 3));
			if (decode_data->status != CL_SUCCESS) {
				return decode_data->status;
			}
			decode_data->pt_len[i++] = (unsigned char) c;
			if (i == i_special) {
				c = arj_getbits(decode_data, 2);
				if (decode_data->status != CL_SUCCESS) {
					return decode_data->status;
				}
				while ((--c >= 0) && (i < NPT)) {
					decode_data->pt_len[i++] = 0;
				}

		while ((i < nn) && (i < NPT)) {
			decode_data->pt_len[i++] = 0;
		}
		if (make_table(decode_data, nn, decode_data->pt_len, 8, decode_data->pt_table, PTABLESIZE) != CL_SUCCESS) {
			return CL_EARJ;
		}
	}
	return CL_SUCCESS;
}

static int read_c_len(arj_decode_t *decode_data)

	unsigned short mask;
	
	n = arj_getbits(decode_data, CBIT);
	if (decode_data->status != CL_SUCCESS) {
		return decode_data->status;
	}
	if (n == 0) {
		c = arj_getbits(decode_data, CBIT);
		if (decode_data->status != CL_SUCCESS) {
			return decode_data->status;
		}
		for (i = 0; i < NC; i++) {
			decode_data->c_len[i] = 0;
		}

				do {
					if (c >= (2 * NC - 1)) {
						cli_warnmsg("ERROR: bounds exceeded\n");
						decode_data->status = CL_EFORMAT;
						return CL_EFORMAT;
					}
					if (decode_data->bit_buf & mask) {

			}
			if (c >= 19) {
				cli_dbgmsg("UNARJ: bounds exceeded\n");
				decode_data->status = CL_EARJ;
				return CL_EARJ;
			}
			fill_buf(decode_data, (int)(decode_data->pt_len[c]));
			if (decode_data->status != CL_SUCCESS) {
				return decode_data->status;
			}	
			if (c <= 2) {
				if (c == 0) {
					c = 1;

				} else {
					c = arj_getbits(decode_data, CBIT) + 20;
				}
				if (decode_data->status != CL_SUCCESS) {
					return decode_data->status;
				}		
				while (--c >= 0) {
					if (i >= NC) {
						cli_warnmsg("ERROR: bounds exceeded\n");
						decode_data->status = CL_EFORMAT;
						return CL_EFORMAT;
					}
					decode_data->c_len[i++] = 0;

			} else {
				if (i >= NC) {
					cli_warnmsg("ERROR: bounds exceeded\n");
					decode_data->status = CL_EFORMAT;
					return CL_EFORMAT;
				}
				decode_data->c_len[i++] = (unsigned char) (c - 2);

		while (i < NC) {
			decode_data->c_len[i++] = 0;
		}
		if (make_table(decode_data, NC, decode_data->c_len, 12, decode_data->c_table, CTABLESIZE) != CL_SUCCESS) {
			return CL_EARJ;
		}
	}
	return CL_SUCCESS;
}

		do {
			if (j >= (2 * NC - 1)) {
				cli_warnmsg("ERROR: bounds exceeded\n");
				decode_data->status = CL_EARJ;
				return 0;
			}
			if (decode_data->bit_buf & mask) {

		do {
			if (j >= (2 * NC - 1)) {
				cli_warnmsg("ERROR: bounds exceeded\n");
				decode_data->status = CL_EARJ;
				return 0;
			}
			if (decode_data->bit_buf & mask) {

	decode_data.comp_size = metadata->comp_size;
	ret = decode_start(&decode_data);
	if (ret != CL_SUCCESS) {
		free(decode_data.text);
		return ret;
	}
	decode_data.status = CL_SUCCESS;

	while (count < metadata->orig_size) {
		if ((chr = decode_c(&decode_data)) <= UCHAR_MAX) {

			count++;
			if (++out_ptr >= DDICSIZ) {
				out_ptr = 0;
				if (write_text(metadata->ofd, decode_data.text, DDICSIZ) != CL_SUCCESS) {
					free(decode_data.text);
					return CL_EIO;
				}
			}
		} else {
			j = chr - (UCHAR_MAX + 1 - THRESHOLD);

					decode_data.text[out_ptr] = decode_data.text[i];
					if (++out_ptr >= DDICSIZ) {
						out_ptr = 0;
						if (write_text(metadata->ofd, decode_data.text, DDICSIZ) != CL_SUCCESS) {
							free(decode_data.text);
							return CL_EIO;
						}
					}
					if (++i >= DDICSIZ) {
						i = 0;

				}
			}
		}
		if (decode_data.status != CL_SUCCESS) {
			free(decode_data.text);
			return decode_data.status;
		}
	}
	if (out_ptr != 0) {
		write_text(metadata->ofd, decode_data.text, out_ptr);

		return ret;
	}
    	decode_data.getlen = decode_data.getbuf = 0;
	decode_data.status = CL_SUCCESS;
	
	while (count < metadata->orig_size) {
		chr = decode_len(&decode_data);
		if (decode_data.status != CL_SUCCESS) {
			free(decode_data.text);
			return decode_data.status;
		}		
		if (chr == 0) {
			ARJ_GETBITS(dd, chr, CHAR_BIT);
			if (decode_data.status != CL_SUCCESS) {
				free(decode_data.text);
				return decode_data.status;
			}
			decode_data.text[out_ptr] = (unsigned char) chr;
			count++;
			if (++out_ptr >= DDICSIZ) {
				out_ptr = 0;
				if (write_text(metadata->ofd, decode_data.text, DDICSIZ) != CL_SUCCESS) {
					free(decode_data.text);
					return CL_EIO;
				}
			}
		} else {
			j = chr - 1 + THRESHOLD;
			count += j;
			pos = decode_ptr(&decode_data);
			if (decode_data.status != CL_SUCCESS) {
				free(decode_data.text);
				return decode_data.status;
			}
			if ((i = out_ptr - pos - 1) < 0) {
				i += DDICSIZ;
			}

				decode_data.text[out_ptr] = decode_data.text[i];
				if (++out_ptr >= DDICSIZ) {
					out_ptr = 0;
					if (write_text(metadata->ofd, decode_data.text, DDICSIZ) != CL_SUCCESS) {
						free(decode_data.text);
						return CL_EIO;
					}
				}
				if (++i >= DDICSIZ) {
					i = 0;

		case 1:
		case 2:
		case 3:
			ret = decode(fd, metadata);
			break;
		case 4:
			ret = decode_f(fd, metadata);
			break;
		default:
			ret = CL_EFORMAT;

Lines 435-441 Link Here

(-)libclamav/spin.c (-1 / +1 lines)
435	/* len = cli_readint32(ep+0x2fc8); -- Using vsizes instead */	435	/* len = cli_readint32(ep+0x2fc8); -- Using vsizes instead */
436		436
437	for (j=0; j<sectcnt; j++) {	437	for (j=0; j<sectcnt; j++) {
438	if (sections[j].rva <= key32 && sections[j].rva+sections[j].rsz > key32)	438	if (sections[j].rva <= key32 && key32-sections[j].rva < sections[j].vsz && CLI_ISCONTAINED(src + sections[j].raw, sections[j].rsz, src + sections[j].raw, key32 - sections[j].rva))
439	break;	439	break;
440	}	440	}
441		441

Lines 604-609 Link Here

(-)libclamunrar/unrarppm.c (+10 lines)
604	if ((p=pc->con_ut.u.stats)->symbol != up_state.symbol) {	604	if ((p=pc->con_ut.u.stats)->symbol != up_state.symbol) {
605	do {	605	do {
606	p++;	606	p++;
		607	if ((void )p > (void ) ppm_data->sub_alloc.heap_end) {
		608	return NULL;
		609	}
607	} while (p->symbol != up_state.symbol);	610	} while (p->symbol != up_state.symbol);
608	}	611	}
609	cf = p->freq - 1;	612	cf = p->freq - 1;
Lines 926-931 Link Here
926	sub_allocator_stop_sub_allocator(&ppm_data->sub_alloc);	929	sub_allocator_stop_sub_allocator(&ppm_data->sub_alloc);
927	}	930	}
928		931
		932	void ppm_cleanup(ppm_data_t *ppm_data)
		933	{
		934	sub_allocator_stop_sub_allocator(&ppm_data->sub_alloc);
		935	sub_allocator_start_sub_allocator(&ppm_data->sub_alloc, 1);
		936	start_model_rare(ppm_data, 2);
		937	}
		938
929	int ppm_decode_init(ppm_data_t ppm_data, int fd, unpack_data_t unpack_data, int *EscChar)	939	int ppm_decode_init(ppm_data_t ppm_data, int fd, unpack_data_t unpack_data, int *EscChar)
930	{	940	{
931	int max_order, Reset, MaxMB;	941	int max_order, Reset, MaxMB;

Lines 111-116 Link Here

(-)libclamunrar/unrarppm.h (+1 lines)
111		111
112	} ppm_data_t;	112	} ppm_data_t;
113		113
		114	void ppm_cleanup(ppm_data_t *ppm_data);
114	int ppm_decode_init(ppm_data_t ppm_data, int fd, struct unpack_data_tag unpack_data, int *EscChar);	115	int ppm_decode_init(ppm_data_t ppm_data, int fd, struct unpack_data_tag unpack_data, int *EscChar);
115	int ppm_decode_char(ppm_data_t ppm_data, int fd, struct unpack_data_tag unpack_data);	116	int ppm_decode_char(ppm_data_t ppm_data, int fd, struct unpack_data_tag unpack_data);
116	void ppm_constructor(ppm_data_t *ppm_data);	117	void ppm_constructor(ppm_data_t *ppm_data);




		memset(unpack_data->old_dist, 0, sizeof(unpack_data->old_dist));
		unpack_data->old_dist_ptr= 0;
		memset(unpack_data->unp_old_table, 0, sizeof(unpack_data->unp_old_table));
		memset(&unpack_data->LD, 0, sizeof(unpack_data->LD));
		memset(&unpack_data->DD, 0, sizeof(unpack_data->DD));
		memset(&unpack_data->LDD, 0, sizeof(unpack_data->LDD));
		memset(&unpack_data->RD, 0, sizeof(unpack_data->RD));
		memset(&unpack_data->BD, 0, sizeof(unpack_data->BD));
		unpack_data->last_dist= 0;
		unpack_data->last_length=0;
		unpack_data->ppm_esc_char = 2;
		unpack_data->unp_ptr = 0;
		unpack_data->wr_ptr = 0;
		unpack_data->unp_block_type = BLOCK_LZ;
		rar_init_filters(unpack_data);
	}
	unpack_data->in_bit = 0;
	unpack_data->in_addr = 0;
	unpack_data->read_top = 0;
	unpack_data->read_border = 0;
	
	unpack_data->written_size = 0;
	rarvm_init(&unpack_data->rarvm_data);
	unpack_data->unp_crc = 0xffffffff;

			ch = ppm_decode_char(&unpack_data->ppm_data, fd, unpack_data);
			rar_dbgmsg("PPM char: %d\n", ch);
			if (ch == -1) {
				ppm_cleanup(&unpack_data->ppm_data);
				unpack_data->unp_block_type = BLOCK_LZ;
				retval = FALSE;
				unpack_data->ppm_error = TRUE;
				break;
			}
			if (ch == unpack_data->ppm_esc_char) {

				rar_dbgmsg("PPM next char: %d\n", next_ch);
				if (next_ch == -1) {
					retval = FALSE;
					unpack_data->ppm_error = TRUE;
					break;
				}
				if (next_ch == 0) {

		retval = rar_unpack29(fd, solid, unpack_data);
		break;
	default:
		retval = rar_unpack29(fd, solid, unpack_data);
		if(retval == FALSE) {
		    retval = rar_unpack20(fd, solid, unpack_data);
		    if(retval == FALSE)
			retval = rar_unpack15(fd, solid, unpack_data);
		}
		break;
	}
	return retval;

Lines 32-40 Link Here

(-)libclamunrar/unrar20.c (+2 lines)
32	if (!solid) {	32	if (!solid) {
33	unpack_data->unp_channel_delta = 0;	33	unpack_data->unp_channel_delta = 0;
34	unpack_data->unp_cur_channel = 0;	34	unpack_data->unp_cur_channel = 0;
		35	unpack_data->unp_audio_block = 0;
35	unpack_data->unp_channels = 1;	36	unpack_data->unp_channels = 1;
36	memset(unpack_data->audv, 0, sizeof(unpack_data->audv));	37	memset(unpack_data->audv, 0, sizeof(unpack_data->audv));
37	memset(unpack_data->unp_old_table20, 0, sizeof(unpack_data->unp_old_table20));	38	memset(unpack_data->unp_old_table20, 0, sizeof(unpack_data->unp_old_table20));
		39	memset(unpack_data->MD, 0, sizeof(unpack_data->MD));
38	}	40	}
39	}	41	}
40		42

Lines 212-218 Link Here

(-)libclamunrar/unrar.h (-1 lines)
212	unsigned int last_length;	212	unsigned int last_length;
213	ppm_data_t ppm_data;	213	ppm_data_t ppm_data;
214	int ppm_esc_char;	214	int ppm_esc_char;
215	int ppm_error;
216	rar_filter_array_t Filters;	215	rar_filter_array_t Filters;
217	rar_filter_array_t PrgStack;	216	rar_filter_array_t PrgStack;
218	int *old_filter_lengths;	217	int *old_filter_lengths;

Return to bug 213762

Lines 886-903 Link Here

(-)libclamunrar/unrar.c (-4 / +15 lines)
886	memset(unpack_data->old_dist, 0, sizeof(unpack_data->old_dist));	886	memset(unpack_data->old_dist, 0, sizeof(unpack_data->old_dist));
887	unpack_data->old_dist_ptr= 0;	887	unpack_data->old_dist_ptr= 0;
888	memset(unpack_data->unp_old_table, 0, sizeof(unpack_data->unp_old_table));	888	memset(unpack_data->unp_old_table, 0, sizeof(unpack_data->unp_old_table));
		889	memset(&unpack_data->LD, 0, sizeof(unpack_data->LD));
		890	memset(&unpack_data->DD, 0, sizeof(unpack_data->DD));
		891	memset(&unpack_data->LDD, 0, sizeof(unpack_data->LDD));
		892	memset(&unpack_data->RD, 0, sizeof(unpack_data->RD));
		893	memset(&unpack_data->BD, 0, sizeof(unpack_data->BD));
889	unpack_data->last_dist= 0;	894	unpack_data->last_dist= 0;
890	unpack_data->last_length=0;	895	unpack_data->last_length=0;
891	unpack_data->ppm_esc_char = 2;	896	unpack_data->ppm_esc_char = 2;
892	unpack_data->unp_ptr = 0;	897	unpack_data->unp_ptr = 0;
893	unpack_data->wr_ptr = 0;	898	unpack_data->wr_ptr = 0;
		899	unpack_data->unp_block_type = BLOCK_LZ;
894	rar_init_filters(unpack_data);	900	rar_init_filters(unpack_data);
895	}	901	}
896	unpack_data->in_bit = 0;	902	unpack_data->in_bit = 0;
897	unpack_data->in_addr = 0;	903	unpack_data->in_addr = 0;
898	unpack_data->read_top = 0;	904	unpack_data->read_top = 0;
899	unpack_data->ppm_error = FALSE;	905	unpack_data->read_border = 0;
900
901	unpack_data->written_size = 0;	906	unpack_data->written_size = 0;
902	rarvm_init(&unpack_data->rarvm_data);	907	rarvm_init(&unpack_data->rarvm_data);
903	unpack_data->unp_crc = 0xffffffff;	908	unpack_data->unp_crc = 0xffffffff;
Lines 958-965 Link Here
958	ch = ppm_decode_char(&unpack_data->ppm_data, fd, unpack_data);	963	ch = ppm_decode_char(&unpack_data->ppm_data, fd, unpack_data);
959	rar_dbgmsg("PPM char: %d\n", ch);	964	rar_dbgmsg("PPM char: %d\n", ch);
960	if (ch == -1) {	965	if (ch == -1) {
		966	ppm_cleanup(&unpack_data->ppm_data);
		967	unpack_data->unp_block_type = BLOCK_LZ;
961	retval = FALSE;	968	retval = FALSE;
962	unpack_data->ppm_error = TRUE;
963	break;	969	break;
964	}	970	}
965	if (ch == unpack_data->ppm_esc_char) {	971	if (ch == unpack_data->ppm_esc_char) {
Lines 968-974 Link Here
968	rar_dbgmsg("PPM next char: %d\n", next_ch);	974	rar_dbgmsg("PPM next char: %d\n", next_ch);
969	if (next_ch == -1) {	975	if (next_ch == -1) {
970	retval = FALSE;	976	retval = FALSE;
971	unpack_data->ppm_error = TRUE;
972	break;	977	break;
973	}	978	}
974	if (next_ch == 0) {	979	if (next_ch == 0) {
Lines 1158-1163 Link Here
1158	retval = rar_unpack29(fd, solid, unpack_data);	1163	retval = rar_unpack29(fd, solid, unpack_data);
1159	break;	1164	break;
1160	default:	1165	default:
		1166	retval = rar_unpack29(fd, solid, unpack_data);
		1167	if(retval == FALSE) {
		1168	retval = rar_unpack20(fd, solid, unpack_data);
		1169	if(retval == FALSE)
		1170	retval = rar_unpack15(fd, solid, unpack_data);
		1171	}
1161	break;	1172	break;
1162	}	1173	}
1163	return retval;	1174	return retval;

Lines 1-3 Link Here

(-)ChangeLog (+10 lines)
		1	Mon Apr 14 21:35:11 CEST 2008 (tk)
		2	----------------------------------
		3	* Check in 0.93 patches:
		4	- libclamunrar: bb#541 (RAR - Version required to extract - Evasion)
		5	- libclamav/spin.c: bb#876 (PeSpin Heap Overflow Vulnerability)
		6	- libclamav/pe.c: bb#878 (Upack Buffer Overflow Vulnerability)
		7	- libclamav/message.c: bb#881 (message.c: read beyond allocated region)
		8	- libclamav/unarj.c: bb#897 (ARJ: Sample from CERT-FI hangs clamav)
		9	- libclamunrar: bb#898 (RAR crashes on some fuzzed files from CERT-FI)
		10
1	Mon Apr 14 13:19:17 CEST 2008 (tk)	11	Mon Apr 14 13:19:17 CEST 2008 (tk)
2	----------------------------------	12	----------------------------------
3	* test: add clam-aspack.exe, clam-pespin.exe and clam-upx.exe (bb#902)	13	* test: add clam-aspack.exe, clam-pespin.exe and clam-upx.exe (bb#902)

Lines 162-167 Link Here

(-)libclamav/unarj.c (-11 / +82 lines)
162	unsigned char pt_len[NPT];	162	unsigned char pt_len[NPT];
163	unsigned char sub_bit_buf;	163	unsigned char sub_bit_buf;
164	uint16_t pt_table[PTABLESIZE];	164	uint16_t pt_table[PTABLESIZE];
		165	int status;
165	} arj_decode_t;	166	} arj_decode_t;
166		167
167	static int fill_buf(arj_decode_t *decode_data, int n)	168	static int fill_buf(arj_decode_t *decode_data, int n)
Lines 172-177 Link Here
172	if (decode_data->comp_size != 0) {	173	if (decode_data->comp_size != 0) {
173	decode_data->comp_size--;	174	decode_data->comp_size--;
174	if (cli_readn(decode_data->fd, &decode_data->sub_bit_buf, 1) != 1) {	175	if (cli_readn(decode_data->fd, &decode_data->sub_bit_buf, 1) != 1) {
		176	decode_data->status = CL_EIO;
175	return CL_EIO;	177	return CL_EIO;
176	}	178	}
177	} else {	179	} else {
Lines 230-235 Link Here
230	for (i = 0; (int)i < nchar; i++) {	232	for (i = 0; (int)i < nchar; i++) {
231	if (bitlen[i] >= 17) {	233	if (bitlen[i] >= 17) {
232	cli_dbgmsg("UNARJ: bounds exceeded\n");	234	cli_dbgmsg("UNARJ: bounds exceeded\n");
		235	decode_data->status = CL_EARJ;
233	return CL_EARJ;	236	return CL_EARJ;
234	}	237	}
235	count[bitlen[i]]++;	238	count[bitlen[i]]++;
Lines 240-251 Link Here
240	start[i+1] = start[i] + (count[i] << (16 - i));	243	start[i+1] = start[i] + (count[i] << (16 - i));
241	}	244	}
242	if (start[17] != (unsigned short) (1 << 16)) {	245	if (start[17] != (unsigned short) (1 << 16)) {
		246	decode_data->status = CL_EARJ;
243	return CL_EARJ;	247	return CL_EARJ;
244	}	248	}
245		249
246	jutbits = 16 - tablebits;	250	jutbits = 16 - tablebits;
247	if (tablebits >= 17) {	251	if (tablebits >= 17) {
248	cli_dbgmsg("UNARJ: bounds exceeded\n");	252	cli_dbgmsg("UNARJ: bounds exceeded\n");
		253	decode_data->status = CL_EARJ;
249	return CL_EARJ;	254	return CL_EARJ;
250	}	255	}
251	for (i = 1; (int)i <= tablebits; i++) {	256	for (i = 1; (int)i <= tablebits; i++) {
Lines 263-268 Link Here
263	while (i != k) {	268	while (i != k) {
264	if (i >= tablesize) {	269	if (i >= tablesize) {
265	cli_dbgmsg("UNARJ: bounds exceeded\n");	270	cli_dbgmsg("UNARJ: bounds exceeded\n");
		271	decode_data->status = CL_EARJ;
266	return CL_EARJ;	272	return CL_EARJ;
267	}	273	}
268	table[i++] = 0;	274	table[i++] = 0;
Lines 277-288 Link Here
277	}	283	}
278	if (len >= 17) {	284	if (len >= 17) {
279	cli_dbgmsg("UNARJ: bounds exceeded\n");	285	cli_dbgmsg("UNARJ: bounds exceeded\n");
		286	decode_data->status = CL_EARJ;
280	return CL_EARJ;	287	return CL_EARJ;
281	}	288	}
282	k = start[len];	289	k = start[len];
283	nextcode = k + weight[len];	290	nextcode = k + weight[len];
284	if ((int)len <= tablebits) {	291	if ((int)len <= tablebits) {
285	if (nextcode > (unsigned int) tablesize) {	292	if (nextcode > (unsigned int) tablesize) {
		293	decode_data->status = CL_EARJ;
286	return CL_EARJ;	294	return CL_EARJ;
287	}	295	}
288	for (i = start[len]; i < nextcode; i++) {	296	for (i = start[len]; i < nextcode; i++) {
Lines 295-300 Link Here
295	if (*p == 0) {	303	if (*p == 0) {
296	if (avail >= (2 * NC - 1)) {	304	if (avail >= (2 * NC - 1)) {
297	cli_dbgmsg("UNARJ: bounds exceeded\n");	305	cli_dbgmsg("UNARJ: bounds exceeded\n");
		306	decode_data->status = CL_EARJ;
298	return CL_EARJ;	307	return CL_EARJ;
299	}	308	}
300	decode_data->right[avail] = decode_data->left[avail] = 0;	309	decode_data->right[avail] = decode_data->left[avail] = 0;
Lines 302-307 Link Here
302	}	311	}
303	if (p >= (2 NC - 1)) {	312	if (p >= (2 NC - 1)) {
304	cli_dbgmsg("UNARJ: bounds exceeded\n");	313	cli_dbgmsg("UNARJ: bounds exceeded\n");
		314	decode_data->status = CL_EARJ;
305	return CL_EARJ;	315	return CL_EARJ;
306	}	316	}
307	if (k & mask) {	317	if (k & mask) {
Lines 319-325 Link Here
319	return CL_SUCCESS;	329	return CL_SUCCESS;
320	}	330	}
321		331
322	static void read_pt_len(arj_decode_t *decode_data, int nn, int nbit, int i_special)	332	static int read_pt_len(arj_decode_t *decode_data, int nn, int nbit, int i_special)
323	{	333	{
324	int i, n;	334	int i, n;
325	short c;	335	short c;
Lines 329-335 Link Here
329	if (n == 0) {	339	if (n == 0) {
330	if (nn > NPT) {	340	if (nn > NPT) {
331	cli_dbgmsg("UNARJ: bounds exceeded\n");	341	cli_dbgmsg("UNARJ: bounds exceeded\n");
332	return;	342	decode_data->status = CL_EARJ;
		343	return CL_EARJ;
333	}	344	}
334	c = arj_getbits(decode_data, nbit);	345	c = arj_getbits(decode_data, nbit);
335	for (i = 0; i < nn; i++) {	346	for (i = 0; i < nn; i++) {
Lines 350-358 Link Here
350	}	361	}
351	}	362	}
352	fill_buf(decode_data, (c < 7) ? 3 : (int)(c - 3));	363	fill_buf(decode_data, (c < 7) ? 3 : (int)(c - 3));
		364	if (decode_data->status != CL_SUCCESS) {
		365	return decode_data->status;
		366	}
353	decode_data->pt_len[i++] = (unsigned char) c;	367	decode_data->pt_len[i++] = (unsigned char) c;
354	if (i == i_special) {	368	if (i == i_special) {
355	c = arj_getbits(decode_data, 2);	369	c = arj_getbits(decode_data, 2);
		370	if (decode_data->status != CL_SUCCESS) {
		371	return decode_data->status;
		372	}
356	while ((--c >= 0) && (i < NPT)) {	373	while ((--c >= 0) && (i < NPT)) {
357	decode_data->pt_len[i++] = 0;	374	decode_data->pt_len[i++] = 0;
358	}	375	}
Lines 361-368 Link Here
361	while ((i < nn) && (i < NPT)) {	378	while ((i < nn) && (i < NPT)) {
362	decode_data->pt_len[i++] = 0;	379	decode_data->pt_len[i++] = 0;
363	}	380	}
364	make_table(decode_data, nn, decode_data->pt_len, 8, decode_data->pt_table, PTABLESIZE);	381	if (make_table(decode_data, nn, decode_data->pt_len, 8, decode_data->pt_table, PTABLESIZE) != CL_SUCCESS) {
		382	return CL_EARJ;
		383	}
365	}	384	}
		385	return CL_SUCCESS;
366	}	386	}
367		387
368	static int read_c_len(arj_decode_t *decode_data)	388	static int read_c_len(arj_decode_t *decode_data)
Lines 371-378 Link Here
371	unsigned short mask;	391	unsigned short mask;
372		392
373	n = arj_getbits(decode_data, CBIT);	393	n = arj_getbits(decode_data, CBIT);
		394	if (decode_data->status != CL_SUCCESS) {
		395	return decode_data->status;
		396	}
374	if (n == 0) {	397	if (n == 0) {
375	c = arj_getbits(decode_data, CBIT);	398	c = arj_getbits(decode_data, CBIT);
		399	if (decode_data->status != CL_SUCCESS) {
		400	return decode_data->status;
		401	}
376	for (i = 0; i < NC; i++) {	402	for (i = 0; i < NC; i++) {
377	decode_data->c_len[i] = 0;	403	decode_data->c_len[i] = 0;
378	}	404	}
Lines 388-393 Link Here
388	do {	414	do {
389	if (c >= (2 * NC - 1)) {	415	if (c >= (2 * NC - 1)) {
390	cli_warnmsg("ERROR: bounds exceeded\n");	416	cli_warnmsg("ERROR: bounds exceeded\n");
		417	decode_data->status = CL_EFORMAT;
391	return CL_EFORMAT;	418	return CL_EFORMAT;
392	}	419	}
393	if (decode_data->bit_buf & mask) {	420	if (decode_data->bit_buf & mask) {
Lines 400-408 Link Here
400	}	427	}
401	if (c >= 19) {	428	if (c >= 19) {
402	cli_dbgmsg("UNARJ: bounds exceeded\n");	429	cli_dbgmsg("UNARJ: bounds exceeded\n");
		430	decode_data->status = CL_EARJ;
403	return CL_EARJ;	431	return CL_EARJ;
404	}	432	}
405	fill_buf(decode_data, (int)(decode_data->pt_len[c]));	433	fill_buf(decode_data, (int)(decode_data->pt_len[c]));
		434	if (decode_data->status != CL_SUCCESS) {
		435	return decode_data->status;
		436	}
406	if (c <= 2) {	437	if (c <= 2) {
407	if (c == 0) {	438	if (c == 0) {
408	c = 1;	439	c = 1;
Lines 411-419 Link Here
411	} else {	442	} else {
412	c = arj_getbits(decode_data, CBIT) + 20;	443	c = arj_getbits(decode_data, CBIT) + 20;
413	}	444	}
		445	if (decode_data->status != CL_SUCCESS) {
		446	return decode_data->status;
		447	}
414	while (--c >= 0) {	448	while (--c >= 0) {
415	if (i >= NC) {	449	if (i >= NC) {
416	cli_warnmsg("ERROR: bounds exceeded\n");	450	cli_warnmsg("ERROR: bounds exceeded\n");
		451	decode_data->status = CL_EFORMAT;
417	return CL_EFORMAT;	452	return CL_EFORMAT;
418	}	453	}
419	decode_data->c_len[i++] = 0;	454	decode_data->c_len[i++] = 0;
Lines 421-426 Link Here
421	} else {	456	} else {
422	if (i >= NC) {	457	if (i >= NC) {
423	cli_warnmsg("ERROR: bounds exceeded\n");	458	cli_warnmsg("ERROR: bounds exceeded\n");
		459	decode_data->status = CL_EFORMAT;
424	return CL_EFORMAT;	460	return CL_EFORMAT;
425	}	461	}
426	decode_data->c_len[i++] = (unsigned char) (c - 2);	462	decode_data->c_len[i++] = (unsigned char) (c - 2);
Lines 429-435 Link Here
429	while (i < NC) {	465	while (i < NC) {
430	decode_data->c_len[i++] = 0;	466	decode_data->c_len[i++] = 0;
431	}	467	}
432	make_table(decode_data, NC, decode_data->c_len, 12, decode_data->c_table, CTABLESIZE);	468	if (make_table(decode_data, NC, decode_data->c_len, 12, decode_data->c_table, CTABLESIZE) != CL_SUCCESS) {
		469	return CL_EARJ;
		470	}
433	}	471	}
434	return CL_SUCCESS;	472	return CL_SUCCESS;
435	}	473	}
Lines 452-457 Link Here
452	do {	490	do {
453	if (j >= (2 * NC - 1)) {	491	if (j >= (2 * NC - 1)) {
454	cli_warnmsg("ERROR: bounds exceeded\n");	492	cli_warnmsg("ERROR: bounds exceeded\n");
		493	decode_data->status = CL_EARJ;
455	return 0;	494	return 0;
456	}	495	}
457	if (decode_data->bit_buf & mask) {	496	if (decode_data->bit_buf & mask) {
Lines 476-481 Link Here
476	do {	515	do {
477	if (j >= (2 * NC - 1)) {	516	if (j >= (2 * NC - 1)) {
478	cli_warnmsg("ERROR: bounds exceeded\n");	517	cli_warnmsg("ERROR: bounds exceeded\n");
		518	decode_data->status = CL_EARJ;
479	return 0;	519	return 0;
480	}	520	}
481	if (decode_data->bit_buf & mask) {	521	if (decode_data->bit_buf & mask) {
Lines 510-517 Link Here
510	decode_data.comp_size = metadata->comp_size;	550	decode_data.comp_size = metadata->comp_size;
511	ret = decode_start(&decode_data);	551	ret = decode_start(&decode_data);
512	if (ret != CL_SUCCESS) {	552	if (ret != CL_SUCCESS) {
		553	free(decode_data.text);
513	return ret;	554	return ret;
514	}	555	}
		556	decode_data.status = CL_SUCCESS;
515		557
516	while (count < metadata->orig_size) {	558	while (count < metadata->orig_size) {
517	if ((chr = decode_c(&decode_data)) <= UCHAR_MAX) {	559	if ((chr = decode_c(&decode_data)) <= UCHAR_MAX) {
Lines 519-525 Link Here
519	count++;	561	count++;
520	if (++out_ptr >= DDICSIZ) {	562	if (++out_ptr >= DDICSIZ) {
521	out_ptr = 0;	563	out_ptr = 0;
522	write_text(metadata->ofd, decode_data.text, DDICSIZ);	564	if (write_text(metadata->ofd, decode_data.text, DDICSIZ) != CL_SUCCESS) {
		565	free(decode_data.text);
		566	return CL_EIO;
		567	}
523	}	568	}
524	} else {	569	} else {
525	j = chr - (UCHAR_MAX + 1 - THRESHOLD);	570	j = chr - (UCHAR_MAX + 1 - THRESHOLD);
Lines 541-547 Link Here
541	decode_data.text[out_ptr] = decode_data.text[i];	586	decode_data.text[out_ptr] = decode_data.text[i];
542	if (++out_ptr >= DDICSIZ) {	587	if (++out_ptr >= DDICSIZ) {
543	out_ptr = 0;	588	out_ptr = 0;
544	write_text(metadata->ofd, decode_data.text, DDICSIZ);	589	if (write_text(metadata->ofd, decode_data.text, DDICSIZ) != CL_SUCCESS) {
		590	free(decode_data.text);
		591	return CL_EIO;
		592	}
545	}	593	}
546	if (++i >= DDICSIZ) {	594	if (++i >= DDICSIZ) {
547	i = 0;	595	i = 0;
Lines 549-554 Link Here
549	}	597	}
550	}	598	}
551	}	599	}
		600	if (decode_data.status != CL_SUCCESS) {
		601	free(decode_data.text);
		602	return decode_data.status;
		603	}
552	}	604	}
553	if (out_ptr != 0) {	605	if (out_ptr != 0) {
554	write_text(metadata->ofd, decode_data.text, out_ptr);	606	write_text(metadata->ofd, decode_data.text, out_ptr);
Lines 625-645 Link Here
625	return ret;	677	return ret;
626	}	678	}
627	decode_data.getlen = decode_data.getbuf = 0;	679	decode_data.getlen = decode_data.getbuf = 0;
628		680	decode_data.status = CL_SUCCESS;
		681
629	while (count < metadata->orig_size) {	682	while (count < metadata->orig_size) {
630	chr = decode_len(&decode_data);	683	chr = decode_len(&decode_data);
		684	if (decode_data.status != CL_SUCCESS) {
		685	free(decode_data.text);
		686	return decode_data.status;
		687	}
631	if (chr == 0) {	688	if (chr == 0) {
632	ARJ_GETBITS(dd, chr, CHAR_BIT);	689	ARJ_GETBITS(dd, chr, CHAR_BIT);
		690	if (decode_data.status != CL_SUCCESS) {
		691	free(decode_data.text);
		692	return decode_data.status;
		693	}
633	decode_data.text[out_ptr] = (unsigned char) chr;	694	decode_data.text[out_ptr] = (unsigned char) chr;
634	count++;	695	count++;
635	if (++out_ptr >= DDICSIZ) {	696	if (++out_ptr >= DDICSIZ) {
636	out_ptr = 0;	697	out_ptr = 0;
637	write_text(metadata->ofd, decode_data.text, DDICSIZ);	698	if (write_text(metadata->ofd, decode_data.text, DDICSIZ) != CL_SUCCESS) {
		699	free(decode_data.text);
		700	return CL_EIO;
		701	}
638	}	702	}
639	} else {	703	} else {
640	j = chr - 1 + THRESHOLD;	704	j = chr - 1 + THRESHOLD;
641	count += j;	705	count += j;
642	pos = decode_ptr(&decode_data);	706	pos = decode_ptr(&decode_data);
		707	if (decode_data.status != CL_SUCCESS) {
		708	free(decode_data.text);
		709	return decode_data.status;
		710	}
643	if ((i = out_ptr - pos - 1) < 0) {	711	if ((i = out_ptr - pos - 1) < 0) {
644	i += DDICSIZ;	712	i += DDICSIZ;
645	}	713	}
Lines 651-657 Link Here
651	decode_data.text[out_ptr] = decode_data.text[i];	719	decode_data.text[out_ptr] = decode_data.text[i];
652	if (++out_ptr >= DDICSIZ) {	720	if (++out_ptr >= DDICSIZ) {
653	out_ptr = 0;	721	out_ptr = 0;
654	write_text(metadata->ofd, decode_data.text, DDICSIZ);	722	if (write_text(metadata->ofd, decode_data.text, DDICSIZ) != CL_SUCCESS) {
		723	free(decode_data.text);
		724	return CL_EIO;
		725	}
655	}	726	}
656	if (++i >= DDICSIZ) {	727	if (++i >= DDICSIZ) {
657	i = 0;	728	i = 0;
Lines 1012-1021 Link Here
1012	case 1:	1083	case 1:
1013	case 2:	1084	case 2:
1014	case 3:	1085	case 3:
1015	decode(fd, metadata);	1086	ret = decode(fd, metadata);
1016	break;	1087	break;
1017	case 4:	1088	case 4:
1018	decode_f(fd, metadata);	1089	ret = decode_f(fd, metadata);
1019	break;	1090	break;
1020	default:	1091	default:
1021	ret = CL_EFORMAT;	1092	ret = CL_EFORMAT;