Fix for CVE-2008-3912, applied upstream in 0.94
svn diff -c 4158 http://svn.clamav.net/svn/clamav-devel/trunk/
diff -pruN clamav-0.93.3.orig/libclamav/mbox.c clamav-0.93.3/libclamav/mbox.c
--- clamav-0.93.3.orig/libclamav/mbox.c 2008-06-04 14:13:34.000000000 +0200
+++ clamav-0.93.3/libclamav/mbox.c 2008-11-13 18:10:37.000000000 +0100
@@ -1463,6 +1463,8 @@ cli_parse_mbox(const char *dir, int desc
}
}
+ if(body->isTruncated && retcode == CL_SUCCESS)
+ retcode = CL_EMEM;
/*
* Tidy up and quit
*/
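Review bot: The new check has no comment saying why a truncated parse is turned into an error; a line such as `/* parsing stopped early on allocation failure: do not report a partially scanned message as clean */` above `if(body->isTruncated && retcode == CL_SUCCESS)` would make the intent clear. The condition only overrides `CL_SUCCESS`, so an earlier non-success result is preserved. `body` is dereferenced with no NULL test visible in the hunk, and the enclosing block begins outside it, so confirm this statement is only reached when `body` is non-NULL.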
@@ -1639,6 +1641,11 @@ parseEmailFile(FILE *fin, const table_t
}
fullline = cli_strdup(line);
fulllinelength = strlen(line) + 1;
+ if(!fullline) {
+ if(ret)
+ ret->isTruncated = TRUE;
+ break;
+ }
} else if(line != NULL) {
fulllinelength += strlen(line);
ptr = cli_realloc(fullline, fulllinelength);
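Review bot: The `cli_realloc(fullline, fulllinelength)` call in the `else if(line != NULL)` branch grows the same buffer, and its failure handling lies outside this hunk. If that path does not also set `ret->isTruncated`, running out of memory on a continuation line would still yield a partial message that is scanned as if complete, so confirm it and mirror the new block there if needed. Separately, `fulllinelength = strlen(line) + 1;` could move below the new `if(!fullline)` check so the allocation is tested immediately after `cli_strdup`. parseEmailFile's body starts and ends outside the hunk.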
diff -pruN clamav-0.93.3.orig/libclamav/message.c clamav-0.93.3/libclamav/message.c
--- clamav-0.93.3.orig/libclamav/message.c 2008-04-14 21:03:06.000000000 +0200
+++ clamav-0.93.3/libclamav/message.c 2008-11-13 18:10:37.000000000 +0100
@@ -1819,14 +1819,13 @@ messageToText(message *m)
for(t_line = messageGetBody(m); t_line; t_line = t_line->t_next) {
if(first == NULL)
first = last = cli_malloc(sizeof(text));
- else {
+ else if (last) {
last->t_next = cli_malloc(sizeof(text));
last = last->t_next;
}
if(last == NULL) {
if(first) {
- last->t_next = NULL;
textDestroy(first);
}
return NULL;
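Review bot: Dropping `last->t_next = NULL;` from the `if(last == NULL)` branch removes a write through a NULL pointer, but nothing now explains why `textDestroy(first)` still receives a terminated list. A short comment would help, e.g. `/* the failed cli_malloc() result was stored in the old tail's t_next, so the list is already NULL-terminated */`. That reasoning holds for the `else if (last)` path visible here; messageToText continues outside the hunk.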
@@ -1840,7 +1839,8 @@ messageToText(message *m)
case UUENCODE:
cli_errmsg("messageToText: Unexpected attempt to handle uuencoded file - report to http://bugs.clamav.net\n");
if(first) {
- last->t_next = NULL;
+ if(last)
+ last->t_next = NULL;
textDestroy(first);
}
return NULL;
@@ -1850,7 +1850,8 @@ messageToText(message *m)
if(t_line == NULL) {
/*cli_warnmsg("YENCODED attachment is missing begin statement\n");*/
if(first) {
- last->t_next = NULL;
+ if(last)
+ last->t_next = NULL;
textDestroy(first);
}
return NULL;
@@ -1886,7 +1887,7 @@ messageToText(message *m)
if(first == NULL)
first = last = cli_malloc(sizeof(text));
- else {
+ else if (last) {
last->t_next = cli_malloc(sizeof(text));
last = last->t_next;
}
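Review bot: With the `else if (last)` guard here and in the following hunk (the `decode(...)` branch), a pass that finds `first` set but `last` NULL appends nothing and reports nothing, so the returned text can be missing its tail without any signal. `last` reaches that state when `last->t_next = cli_malloc(sizeof(text))` fails, because the NULL result is then copied into `last`. Since this patch adds `isTruncated` to `message` and `m` is in scope, consider recording it after the allocation, e.g. `if(last == NULL) m->isTruncated = TRUE;`, so partial content is not treated as fully inspected. Whether callers of messageToText consult that flag is not visible here. The code that writes through `last` after each allocation lies outside both hunks and should be checked for the same NULL case.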
@@ -1924,7 +1925,7 @@ messageToText(message *m)
if(decode(m, NULL, data, base64, FALSE) && data[0]) {
if(first == NULL)
first = last = cli_malloc(sizeof(text));
- else {
+ else if (last) {
last->t_next = cli_malloc(sizeof(text));
last = last->t_next;
}
diff -pruN clamav-0.93.3.orig/libclamav/message.h clamav-0.93.3/libclamav/message.h
--- clamav-0.93.3.orig/libclamav/message.h 2008-04-02 22:17:27.000000000 +0200
+++ clamav-0.93.3/libclamav/message.h 2008-11-13 18:10:37.000000000 +0100
@@ -46,6 +46,7 @@ typedef struct message {
char base64_1, base64_2, base64_3;
unsigned int isInfected : 1;
+ unsigned int isTruncated : 1;
} message;
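Review bot: `isTruncated` is added without a comment and without any visible initialization. cli_parse_mbox now reads it, so whatever creates a `message` must zero the field. That code is not part of this patch and is presumably a zeroing allocation, so confirm it, and check any reset path as well. A suggested comment for the field is `/* set when parsing stopped early because an allocation failed */`.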