libclamav: bb #7055

Cisco-Talos · Apr 5, 2013 · 270e368 · 270e368
1 parent 24ff855
commit 270e368
Show file tree

Hide file tree

Showing 3 changed files with 24 additions and 10 deletions.
diff --git a/NEWS b/NEWS
@@ -1,8 +1,8 @@
-0.97.7
+0.97.8
 ------
-ClamAV 0.97.7 addresses several reported potential security bugs.  Thanks to
-Felix Groebert, Mateusz Jurczyk and Gynvael Coldwind of the Google Security
-Team for finding and reporting these issues.
+ClamAV 0.97.8 addresses several reported potential security bugs.  Thanks to
+Felix Groebert of the Google Security Team for finding and reporting these
+issues.
 
 --
 The ClamAV team (http://www.clamav.net/team)
diff --git a/README b/README
@@ -1,6 +1,12 @@
 Note: This README/NEWS file refers to the source tarball. Some things described
 here may not be available in binary packages.
 --
+0.97.8
+------
+ClamAV 0.97.8 addresses several reported potential security bugs.  Thanks to
+Felix Groebert of the Google Security Team for finding and reporting these
+issues.
+
 0.97.7
 ------
 ClamAV 0.97.7 addresses several reported potential security bugs.  Thanks to

diff --git a/libclamav/pe.c b/libclamav/pe.c
@@ -1868,13 +1868,21 @@ int cli_scanpe(cli_ctx *ctx)
 
 	    if(epbuff[1] != '\xbe' || skew <= 0 || skew > 0xfff) { /* FIXME: legit skews?? */
 		skew = 0; 
-		if(upxfn(src, ssize, dest, &dsize, exe_sections[i].rva, exe_sections[i + 1].rva, vep) >= 0)
-		    upx_success = 1;
-
-	    } else {
+	    }
+	    else if(skew > ssize) {
+		/* Ignore suggested skew larger than section size */
+		cli_dbgmsg("UPX: Ignoring bad skew of %d bytes\n", skew);
+		skew = 0;
+	    }
+	    else {
 		cli_dbgmsg("UPX: UPX1 seems skewed by %d bytes\n", skew);
-		if(upxfn(src + skew, ssize - skew, dest, &dsize, exe_sections[i].rva, exe_sections[i + 1].rva, vep-skew) >= 0 || upxfn(src, ssize, dest, &dsize, exe_sections[i].rva, exe_sections[i + 1].rva, vep) >= 0)
-		    upx_success = 1;
+	    }
+
+	    if(upxfn(src + skew, ssize - skew, dest, &dsize, exe_sections[i].rva, exe_sections[i + 1].rva, vep-skew) >= 0 || upxfn(src, ssize, dest, &dsize, exe_sections[i].rva, exe_sections[i + 1].rva, vep) >= 0) {
+		upx_success = 1;
+	    }
+	    else if(skew && (upxfn(src, ssize, dest, &dsize, exe_sections[i].rva, exe_sections[i + 1].rva, vep) >= 0)) {
+		upx_success = 1;
 	    }
 
 	    if(upx_success)