Attachment #71477 for bug #109213

View | Details | Raw Unified | Return to bug 109213
Collapse All | Expand All





    return close(d);
}

/* Implement a generic bitset, trog@clamav.net */

#define BITS_PER_CHAR (8)
#define BITSET_DEFAULT_SIZE (1024)
#define FALSE (0)
#define TRUE (1)

static unsigned long nearest_power(unsigned long num)
{
	unsigned long n = BITSET_DEFAULT_SIZE;

	while (n < num) {
		n <<= 1;
		if (n == 0) {
			return num;
		}
	}
	return n;
}

bitset_t *cli_bitset_init()
{
	bitset_t *bs;
	
	bs = cli_malloc(sizeof(bitset_t));
	if (!bs) {
		return NULL;
	}
	bs->length = BITSET_DEFAULT_SIZE;
	bs->bitset = cli_calloc(BITSET_DEFAULT_SIZE, 1);
	return bs;
}

void cli_bitset_free(bitset_t *bs)
{
	if (!bs) {
		return;
	}
	if (bs->bitset) {
		free(bs->bitset);
	}
	free(bs);
}

static bitset_t *bitset_realloc(bitset_t *bs, unsigned long min_size)
{
	unsigned long new_length;
	
	new_length = nearest_power(min_size);
	bs->bitset = (unsigned char *) cli_realloc(bs->bitset, new_length);
	if (!bs->bitset) {
		return NULL;
	}
	memset(bs->bitset+bs->length, 0, new_length-bs->length);
	bs->length = new_length;
	return bs;
}

int cli_bitset_set(bitset_t *bs, unsigned long bit_offset)
{
	unsigned long char_offset;
	
	char_offset = bit_offset / BITS_PER_CHAR;
	bit_offset = bit_offset % BITS_PER_CHAR;

	if (char_offset >= bs->length) {
		bs = bitset_realloc(bs, char_offset+1);
		if (!bs) {
			return FALSE;
		}
	}
	bs->bitset[char_offset] |= ((unsigned char)1 << bit_offset);
	return TRUE;
}

int cli_bitset_test(bitset_t *bs, unsigned long bit_offset)
{
	unsigned long char_offset;
	
	char_offset = bit_offset / BITS_PER_CHAR;
	bit_offset = bit_offset % BITS_PER_CHAR;
	
	return (bs->bitset[char_offset] & ((unsigned char)1 << bit_offset));
}




	int32_t sbat_root_start __attribute__ ((packed));
	unsigned char *m_area;
	off_t m_length;
	bitset_t *bitset;
} ole2_header_t;

typedef struct property_tag

	if ((prop_index < 0) || (rec_level > 100) || (*file_count > 100000)) {
		return;
	}

	if (limits && limits->maxfiles && (*file_count > limits->maxfiles)) {
		cli_dbgmsg("OLE2: File limit reached (max: %d)\n", limits->maxfiles);
		return;

	prop_block[index].size = ole2_endian_convert_32(prop_block[index].size);
	
	print_ole2_property(&prop_block[index]);

	/* Check we aren't in a loop */
	if (cli_bitset_test(hdr->bitset, (unsigned long) prop_index)) {
		/* Loop in property tree detected */
		cli_dbgmsg("OLE2: Property tree loop detected at index %d\n", prop_index);
		return;
	}
	if (!cli_bitset_set(hdr->bitset, (unsigned long) prop_index)) {
		return;
	}

	switch (prop_block[index].type) {
		case 5: /* Root Entry */
			if ((prop_index != 0) || (rec_level !=0) ||

	
	/* size of header - size of other values in struct */
	hdr_size = sizeof(struct ole2_header_tag) - sizeof(int32_t) -
			sizeof(unsigned char *) - sizeof(off_t) - sizeof(bitset_t *);

	hdr.m_area = NULL;


	hdr.xbat_count = ole2_endian_convert_32(hdr.xbat_count);

	hdr.sbat_root_start = -1;

	hdr.bitset = cli_bitset_init();
	if (!hdr.bitset) {
		return CL_EOLE2;
	}

	if (strncmp(hdr.magic, magic_id, 8) != 0) {
		cli_dbgmsg("OLE2 magic failed!\n");
#ifdef HAVE_MMAP

			munmap(hdr.m_area, hdr.m_length);
		}
#endif
		cli_bitset_free(hdr.bitset);
		return CL_EOLE2;
	}


		munmap(hdr.m_area, hdr.m_length);
	}
#endif
	cli_bitset_free(hdr.bitset);
	return 0;
}

Return to bug 109213

Lines 681-683 Link Here

(-)clamav/clamav-devel/libclamav/others.c (+85 lines)
681		681
682	return close(d);	682	return close(d);
683	}	683	}
		684
		685	/* Implement a generic bitset, trog@clamav.net */
		686
		687	#define BITS_PER_CHAR (8)
		688	#define BITSET_DEFAULT_SIZE (1024)
		689	#define FALSE (0)
		690	#define TRUE (1)
		691
		692	static unsigned long nearest_power(unsigned long num)
		693	{
		694	unsigned long n = BITSET_DEFAULT_SIZE;
		695
		696	while (n < num) {
		697	n <<= 1;
		698	if (n == 0) {
		699	return num;
		700	}
		701	}
		702	return n;
		703	}
		704
		705	bitset_t *cli_bitset_init()
		706	{
		707	bitset_t *bs;
		708
		709	bs = cli_malloc(sizeof(bitset_t));
		710	if (!bs) {
		711	return NULL;
		712	}
		713	bs->length = BITSET_DEFAULT_SIZE;
		714	bs->bitset = cli_calloc(BITSET_DEFAULT_SIZE, 1);
		715	return bs;
		716	}
		717
		718	void cli_bitset_free(bitset_t *bs)
		719	{
		720	if (!bs) {
		721	return;
		722	}
		723	if (bs->bitset) {
		724	free(bs->bitset);
		725	}
		726	free(bs);
		727	}
		728
		729	static bitset_t bitset_realloc(bitset_t bs, unsigned long min_size)
		730	{
		731	unsigned long new_length;
		732
		733	new_length = nearest_power(min_size);
		734	bs->bitset = (unsigned char *) cli_realloc(bs->bitset, new_length);
		735	if (!bs->bitset) {
		736	return NULL;
		737	}
		738	memset(bs->bitset+bs->length, 0, new_length-bs->length);
		739	bs->length = new_length;
		740	return bs;
		741	}
		742
		743	int cli_bitset_set(bitset_t *bs, unsigned long bit_offset)
		744	{
		745	unsigned long char_offset;
		746
		747	char_offset = bit_offset / BITS_PER_CHAR;
748	bit_offset = bit_offset % BITS_PER_CHAR;
749
750	if (char_offset >= bs->length) {
751	bs = bitset_realloc(bs, char_offset+1);
752	if (!bs) {
753	return FALSE;
754	}
755	}
756	bs->bitset[char_offset] \|= ((unsigned char)1 << bit_offset);
757	return TRUE;
758	}
759
760	int cli_bitset_test(bitset_t *bs, unsigned long bit_offset)
761	{
762	unsigned long char_offset;
763
764	char_offset = bit_offset / BITS_PER_CHAR;
765	bit_offset = bit_offset % BITS_PER_CHAR;
766
767	return (bs->bitset[char_offset] & ((unsigned char)1 << bit_offset));
768	}

Lines 111-116 Link Here

(-)clamav/clamav-devel/libclamav/ole2_extract.c (-3 / +22 lines)
111	int32_t sbat_root_start __attribute__ ((packed));	111	int32_t sbat_root_start __attribute__ ((packed));
112	unsigned char *m_area;	112	unsigned char *m_area;
113	off_t m_length;	113	off_t m_length;
		114	bitset_t *bitset;
114	} ole2_header_t;	115	} ole2_header_t;
115		116
116	typedef struct property_tag	117	typedef struct property_tag
Lines 468-474 Link Here
468	if ((prop_index < 0) \|\| (rec_level > 100) \|\| (*file_count > 100000)) {	469	if ((prop_index < 0) \|\| (rec_level > 100) \|\| (*file_count > 100000)) {
469	return;	470	return;
470	}	471	}
471		472
472	if (limits && limits->maxfiles && (*file_count > limits->maxfiles)) {	473	if (limits && limits->maxfiles && (*file_count > limits->maxfiles)) {
473	cli_dbgmsg("OLE2: File limit reached (max: %d)\n", limits->maxfiles);	474	cli_dbgmsg("OLE2: File limit reached (max: %d)\n", limits->maxfiles);
474	return;	475	return;
Lines 507-512 Link Here
507	prop_block[index].size = ole2_endian_convert_32(prop_block[index].size);	508	prop_block[index].size = ole2_endian_convert_32(prop_block[index].size);
508		509
509	print_ole2_property(&prop_block[index]);	510	print_ole2_property(&prop_block[index]);
		511
		512	/* Check we aren't in a loop */
		513	if (cli_bitset_test(hdr->bitset, (unsigned long) prop_index)) {
		514	/* Loop in property tree detected */
		515	cli_dbgmsg("OLE2: Property tree loop detected at index %d\n", prop_index);
		516	return;
		517	}
		518	if (!cli_bitset_set(hdr->bitset, (unsigned long) prop_index)) {
		519	return;
		520	}
		521
510	switch (prop_block[index].type) {	522	switch (prop_block[index].type) {
511	case 5: /* Root Entry */	523	case 5: /* Root Entry */
512	if ((prop_index != 0) \|\| (rec_level !=0) \|\|	524	if ((prop_index != 0) \|\| (rec_level !=0) \|\|
Lines 745-751 Link Here
745		757
746	/* size of header - size of other values in struct */	758	/* size of header - size of other values in struct */
747	hdr_size = sizeof(struct ole2_header_tag) - sizeof(int32_t) -	759	hdr_size = sizeof(struct ole2_header_tag) - sizeof(int32_t) -
748	sizeof(unsigned char *) - sizeof(off_t);	760	sizeof(unsigned char ) - sizeof(off_t) - sizeof(bitset_t );
749		761
750	hdr.m_area = NULL;	762	hdr.m_area = NULL;
751		763
Lines 791-797 Link Here
791	hdr.xbat_count = ole2_endian_convert_32(hdr.xbat_count);	803	hdr.xbat_count = ole2_endian_convert_32(hdr.xbat_count);
792		804
793	hdr.sbat_root_start = -1;	805	hdr.sbat_root_start = -1;
794		806
		807	hdr.bitset = cli_bitset_init();
		808	if (!hdr.bitset) {
		809	return CL_EOLE2;
		810	}
		811
795	if (strncmp(hdr.magic, magic_id, 8) != 0) {	812	if (strncmp(hdr.magic, magic_id, 8) != 0) {
796	cli_dbgmsg("OLE2 magic failed!\n");	813	cli_dbgmsg("OLE2 magic failed!\n");
797	#ifdef HAVE_MMAP	814	#ifdef HAVE_MMAP
Lines 799-804 Link Here
799	munmap(hdr.m_area, hdr.m_length);	816	munmap(hdr.m_area, hdr.m_length);
800	}	817	}
801	#endif	818	#endif
		819	cli_bitset_free(hdr.bitset);
802	return CL_EOLE2;	820	return CL_EOLE2;
803	}	821	}
804		822
Lines 831-835 Link Here
831	munmap(hdr.m_area, hdr.m_length);	849	munmap(hdr.m_area, hdr.m_length);
832	}	850	}
833	#endif	851	#endif
		852	cli_bitset_free(hdr.bitset);
834	return 0;	853	return 0;
835	}	854	}