~ubuntu-branches/ubuntu/precise/clamav/precise-updates


Viewing changes to libclamav/upx.c

  • Committer: Package Import Robot
  • Author(s): Marc Deslauriers
  • Date: 2015-01-30 09:01:52 UTC
  • mfrom: (118.1.5 precise-security)
  • Revision ID: package-import@ubuntu.com-20150130090152-es6oz6eg0wsa4r40
Tags: 0.98.6+dfsg-0ubuntu0.12.04.1
* Updated to 0.98.6 to fix security issues, including CVE-2014-9328.
* Removed upstreamed patches:
  - d/p/0002-Add-an-additional-n-after-the-number-in-the-pidfile.patch
  - d/p/0017-Bump-.so-version-number.patch

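--- a/libclamav/upx.c
+++ b/libclamav/upx.c
@@ -222,6 +222,10 @@
     cli_writeint32(sections+12, urva);
     cli_writeint32(sections+16, vsize);
     cli_writeint32(sections+20, foffset);
+    if (foffset + vsize < foffset) {
+        /* Integer overflow */
+        return 0;
+    }
     foffset+=vsize;
     
     sections+=0x28;
@@ -239,6 +243,19 @@
   memcpy(newbuf+0xd0, pehdr,0xf8+0x28*sectcnt);
   sections = pehdr+0xf8;
   for (upd = 0; upd <sectcnt ; upd++) {
-    memcpy(newbuf+cli_readint32(sections+20), dst+cli_readint32(sections+12)-upx0, cli_readint32(sections+16));
+      uint32_t offset1, offset2, offset3;
+      offset1 = (uint32_t)cli_readint32(sections+20);
+      offset2 = (uint32_t)cli_readint32(sections+16);
+      if (offset1 > foffset || offset2 > foffset || offset1 + offset2 > foffset) {
+          free(newbuf);
+          return 1;
+      }
+
+      offset3 = (uint32_t)cli_readint32(sections+12);
+      if (offset3-upx0 > *dsize) {
+          free(newbuf);
+          return 1;
+      }
+    memcpy(newbuf+offset1, dst+offset3-upx0, offset2);
     sections+=0x28;
   }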
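Review bot: The source-side check before the new `memcpy` in the second hunk bounds only the start of the read: `offset3-upx0 > *dsize` accepts any start inside the unpacked data, but the copy then reads `offset2` bytes from `dst+offset3-upx0`, so a section whose raw size runs past `*dsize` would still be read beyond the end of that data. The length should be part of the test, written so it cannot wrap, e.g. `if (offset3-upx0 > *dsize || offset2 > *dsize - (offset3-upx0)) {`. This assumes `upx0` and `*dsize` are unsigned 32-bit values and that no earlier check already confines each section to the unpacked data; both are declared outside the visible lines, as is the allocation size of `newbuf` that the `foffset` comparison relies on. The two hunks also return different values on rejection (`return 0` after the overflow test, `return 1` in the loop), and a short comment stating what each value tells the caller would help, since the enclosing function starts and ends outside the hunks.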