File clamav-zipbomb.patch of Package clamav.14692
--- libclamav/unzip.c.orig
+++ libclamav/unzip.c
@@ -54,6 +54,8 @@
#define UNZIP_PRIVATE
#include "unzip.h"
+#define ZIP_MAX_NUM_OVERLAPPING_FILES 5
+
#define ZIP_CRC32(r,c,b,l) \
do { \
r = crc32(~c,b,l); \
@@ -500,7 +502,7 @@ static inline int zdecrypt(const uint8_t
return CL_SUCCESS;
}
-static unsigned int lhdr(fmap_t *map, uint32_t loff,uint32_t zsize, unsigned int *fu, unsigned int fc, const uint8_t *ch, int *ret, cli_ctx *ctx, char *tmpd, int detect_encrypted, zip_cb zcb) {
+static unsigned int lhdr(fmap_t *map, uint32_t loff,uint32_t zsize, unsigned int *fu, unsigned int fc, const uint8_t *ch, int *ret, cli_ctx *ctx, char *tmpd, int detect_encrypted, zip_cb zcb, uint32_t *file_local_header_size, uint32_t* file_local_data_size) {
const uint8_t *lh, *zip;
char name[256];
uint32_t csize, usize;
@@ -581,6 +583,11 @@ static unsigned int lhdr(fmap_t *map, ui
zip+=LH_elen;
zsize-=LH_elen;
+ if (NULL != file_local_header_size)
+ *file_local_header_size = zip - lh;
+ if (NULL != file_local_data_size)
+ *file_local_data_size = csize;
+
if (!csize) { /* FIXME: what's used for method0 files? csize or usize? Nothing in the specs, needs testing */
cli_dbgmsg("cli_unzip: lh - skipping empty file\n");
} else {
@@ -624,12 +631,19 @@ static unsigned int lhdr(fmap_t *map, ui
return zip-lh;
}
-static unsigned int chdr(fmap_t *map, uint32_t coff, uint32_t zsize, unsigned int *fu, unsigned int fc, int *ret, cli_ctx *ctx, char *tmpd, struct zip_requests *requests) {
+static unsigned int chdr(fmap_t *map, uint32_t coff, uint32_t zsize, unsigned int *fu, unsigned int fc, int *ret, cli_ctx *ctx, char *tmpd, struct zip_requests *requests, uint32_t *file_local_offset, uint32_t *file_local_header_size, uint32_t *file_local_data_size) {
char name[256];
int last = 0;
const uint8_t *ch;
int virus_found = 0;
+ if (NULL != file_local_offset)
+ *file_local_offset = 0;
+ if (NULL != file_local_header_size)
+ *file_local_header_size = 0;
+ if (NULL != file_local_data_size)
+ *file_local_data_size = 0;
+
if(!(ch = fmap_need_off(map, coff, SIZEOF_CH)) || CH_magic != 0x02014b50) {
if(ch) fmap_unneed_ptr(map, ch, SIZEOF_CH);
cli_dbgmsg("cli_unzip: ch - wrkcomplete\n");
@@ -674,7 +688,9 @@ static unsigned int chdr(fmap_t *map, ui
if (!requests) {
if(CH_off<zsize-SIZEOF_LH) {
- lhdr(map, CH_off, zsize-CH_off, fu, fc, ch, ret, ctx, tmpd, 1, zip_scan_cb);
+ if (NULL != file_local_offset)
+ *file_local_offset = CH_off;
+ lhdr(map, CH_off, zsize-CH_off, fu, fc ,ch, ret, ctx, tmpd, 1, zip_scan_cb, file_local_header_size, file_local_data_size);
} else cli_dbgmsg("cli_unzip: ch - local hdr out of file\n");
}
else {
@@ -712,6 +728,13 @@ int cli_unzip(cli_ctx *ctx) {
#if HAVE_JSON
int toval = 0;
#endif
+ int bZipBombDetected = 0;
+ uint32_t cur_file_local_offset = 0;
+ uint32_t cur_file_local_header_size = 0;
+ uint32_t cur_file_local_data_size = 0;
+ uint32_t prev_file_local_offset = 0;
+ uint32_t prev_file_local_header_size = 0;
+ uint32_t prev_file_local_data_size = 0;
cli_dbgmsg("in cli_unzip\n");
fsize = (uint32_t)map->len;
@@ -744,20 +767,47 @@ int cli_unzip(cli_ctx *ctx) {
}
if(coff) {
+ uint32_t nOverlappingFiles = 0;
+
cli_dbgmsg("cli_unzip: central @%x\n", coff);
- while((coff=chdr(map, coff, fsize, &fu, fc+1, &ret, ctx, tmpd, NULL))) {
+ while((coff=chdr(map, coff, fsize, &fu, fc+1, &ret, ctx, tmpd, NULL, &cur_file_local_offset, &cur_file_local_header_size, &cur_file_local_data_size))) {
fc++;
if (ctx->engine->maxfiles && fu>=ctx->engine->maxfiles) {
cli_dbgmsg("cli_unzip: Files limit reached (max: %u)\n", ctx->engine->maxfiles);
ret=CL_EMAXFILES;
}
+ /*
+ * Detect overlapping files and zip bombs.
+ */
+ if ((((cur_file_local_offset > prev_file_local_offset) && (cur_file_local_offset < prev_file_local_offset + prev_file_local_header_size + prev_file_local_data_size)) ||
+ ((prev_file_local_offset > cur_file_local_offset) && (prev_file_local_offset < cur_file_local_offset + cur_file_local_header_size + cur_file_local_data_size))) &&
+ (cur_file_local_header_size + cur_file_local_data_size > 0)) {
+ /* Overlapping file detected */
+ nOverlappingFiles++;
+
+ cli_dbgmsg("clip_unzip: Overlapping files detected.\n");
+ cli_dbgmsg(" previous file end: %u\n", prev_file_local_offset + prev_file_local_header_size + prev_file_local_data_size);
+ cli_dbgmsg(" current file start: %u\n", cur_file_local_offset);
+ if (ZIP_MAX_NUM_OVERLAPPING_FILES < nOverlappingFiles) {
+ if (SCAN_ALGO) {
+ ret = cli_append_virus(ctx, "Heuristics.Zip.OverlappingFiles");
+ virus_found = 1;
+ } else {
+ ret = CL_EFORMAT;
+ }
+ bZipBombDetected = 1;
+ }
+ }
+ prev_file_local_offset = cur_file_local_offset;
+ prev_file_local_header_size = cur_file_local_header_size;
+ prev_file_local_data_size = cur_file_local_data_size;
#if HAVE_JSON
if (cli_json_timeout_cycle_check(ctx, &toval) != CL_SUCCESS) {
ret=CL_ETIMEOUT;
}
#endif
if (ret != CL_CLEAN) {
- if (ret == CL_VIRUS && SCAN_ALL) {
+ if (ret == CL_VIRUS && SCAN_ALL && !bZipBombDetected) {
ret = CL_CLEAN;
virus_found = 1;
} else
@@ -769,7 +819,7 @@ int cli_unzip(cli_ctx *ctx) {
ret = CL_VIRUS;
if(fu<=(fc/4)) { /* FIXME: make up a sane ratio or remove the whole logic */
fc = 0;
- while (ret==CL_CLEAN && lhoff<fsize && (coff=lhdr(map, lhoff, fsize-lhoff, &fu, fc+1, NULL, &ret, ctx, tmpd, 1, zip_scan_cb))) {
+ while (ret==CL_CLEAN && lhoff<fsize && (coff=lhdr(map, lhoff, fsize-lhoff, &fu, fc+1, NULL, &ret, ctx, tmpd, 1, zip_scan_cb, NULL, NULL))) {
fc++;
lhoff+=coff;
if (SCAN_ALL && ret == CL_VIRUS) {
@@ -816,7 +866,7 @@ int unzip_single_internal(cli_ctx *ctx,
return CL_CLEAN;
}
- lhdr(map, lhoffl, fsize, &fu, 0, NULL, &ret, ctx, NULL, 0, zcb);
+ lhdr(map, lhoffl, fsize, &fu, 0, NULL, &ret, ctx, NULL, 0, zcb, NULL, NULL);
return ret;
}
@@ -886,7 +936,7 @@ int unzip_search(cli_ctx *ctx, fmap_t *m
if(coff) {
cli_dbgmsg("unzip_search: central @%x\n", coff);
- while(ret==CL_CLEAN && (coff=chdr(zmap, coff, fsize, NULL, fc+1, &ret, ctx, NULL, requests))) {
+ while(ret==CL_CLEAN && (coff=chdr(zmap, coff, fsize, NULL, fc+1, &ret, ctx, NULL, requests, NULL, NULL, NULL))) {
if (requests->match) {
ret=CL_VIRUS;
}
