From 7b676a727bc78c32fed2c8d5da166ef382a3b1c3 Mon Sep 17 00:00:00 2001 From: Micah Snyder Date: Tue, 30 May 2023 15:35:55 -0700 Subject: [PATCH] Abort signature load for short signature patterns If a signature has a pattern that is too short will fail to load the siganture but does not cause the entire load process to abort. This is bad for two reasons: 1) It is not immediately apparent that the signature is bad, and so it could be published accidentally. 2) The signature is partially loaded by the time the bad pattern is observed and that may cause a crash later. Because of #1, it is not worth it to try to unload the first part of the signature. Instead, we should just abort the signature load. Fixes: https://github.com/Cisco-Talos/clamav/issues/923 --- libclamav/matcher-ac.c | 1 + 1 file changed, 1 insertion(+) diff --git a/libclamav/matcher-ac.c b/libclamav/matcher-ac.c index 2ae8cdda19..708f79a458 100644 --- a/libclamav/matcher-ac.c +++ b/libclamav/matcher-ac.c @@ -2951,6 +2951,7 @@ cl_error_t cli_ac_addsig(struct cli_matcher *root, const char *virname, const ch cli_warnmsg("cli_ac_addsig: cannot use filter for trie\n"); MPOOL_FREE(root->mempool, root->filter); root->filter = NULL; + return CL_EMALFDB; } /* TODO: should this affect maxpatlen? */