On Thu, Jul 14, 2005 at 06:59:07PM +0200, q# wrote: > Hi, > > I've found in my squid log CAB[1] file which clamav can't unpack properly. > Tested on stable (0.86.1) and devel (20050714). When cabextract'ed this > file clamav finds trojan properly. > > References > 1. http://www9.advnt01.com/dialer/internazionale_98_ver11.CAB
After the changes[2] made by tk in CVS, I've made a small correction to the output from -debug mode; patch attached. P.S. This thread[3] was on clamav-users, but I should have sent it to clamav-devel, my mistake. References 2. http://cvs.sourceforge.net/viewcvs.py/clamav/clamav-devel/ChangeLog?r1=1.1170&r2=1.1171&sortby=date 3. http://lurker.clamav.net/message/20050714.165907.ab744d33.en.html -- best regards q#
Index: cabd.c =================================================================== RCS file: /cvsroot/clamav/clamav-devel/libclamav/mspack/cabd.c,v retrieving revision 1.5 diff -u -r1.5 cabd.c --- cabd.c 20 Jul 2005 01:55:58 -0000 1.5 +++ cabd.c 21 Jul 2005 09:00:00 -0000 @@ -510,7 +510,7 @@ if (!ifol) { sys->free(file); - D(("invalid folder index")) + D(("invalid folder index\n")) return MSPACK_ERR_DATAFORMAT; } } @@ -852,7 +852,7 @@ } /* for (... offset < length ...) */ if (false_cabs) { - D(("%d false cabinets found", false_cabs)) + D(("%d false cabinets found\n", false_cabs)) } return MSPACK_ERR_OK; @@ -896,22 +896,22 @@ /* basic args check */ if (!lcab || !rcab || (lcab == rcab)) { - D(("lcab NULL, rcab NULL or lcab = rcab")) + D(("lcab NULL, rcab NULL or lcab = rcab\n")) return this->error = MSPACK_ERR_ARGS; } /* check there's not already a cabinet attached */ if (lcab->nextcab || rcab->prevcab) { - D(("cabs already joined")) + D(("cabs already joined\n")) return this->error = MSPACK_ERR_ARGS; } /* do not create circular cabinet chains */ for (cab = lcab->prevcab; cab; cab = cab->prevcab) { - if (cab == rcab) {D(("circular!")) return this->error = MSPACK_ERR_ARGS;} + if (cab == rcab) {D(("circular!\n")) return this->error = MSPACK_ERR_ARGS;} } for (cab = rcab->nextcab; cab; cab = cab->nextcab) { - if (cab == lcab) {D(("circular!")) return this->error = MSPACK_ERR_ARGS;} + if (cab == lcab) {D(("circular!\n")) return this->error = MSPACK_ERR_ARGS;} } /* warn about odd set IDs or indices */ 
@@ -948,18 +948,18 @@ /* folder merge required */ if (!lfol->merge_next) { - D(("rcab has merge files, lcab doesn't")) + D(("rcab has merge files, lcab doesn't\n")) return this->error = MSPACK_ERR_DATAFORMAT; } if (!rfol->merge_prev) { - D(("lcab has merge files, rcab doesn't")) + D(("lcab has merge files, rcab doesn't\n")) return this->error = MSPACK_ERR_DATAFORMAT; } /* check that both folders use the same compression method/settings */ if (lfol->base.comp_type != rfol->base.comp_type) { - D(("compression type mismatch")) + D(("compression type mismatch\n")) return this->error = MSPACK_ERR_DATAFORMAT; } @@ -970,7 +970,7 @@ rfi = rfol->merge_prev; while (lfi) { if (!rfi || (lfi->offset != rfi->offset)) { - D(("folder merge mismatch")) + D(("folder merge mismatch\n")) return this->error = MSPACK_ERR_DATAFORMAT; } lfi = lfi->next; @@ -1343,13 +1343,13 @@ /* blocks must not be over CAB_INPUTMAX in size */ len = EndGetI16(&hdr[cfdata_CompressedSize]); if (((d->i_end - d->i_ptr) + len) > CAB_INPUTMAX) { - D(("block size > CAB_INPUTMAX (%d + %d)", d->i_end - d->i_ptr, len)) + D(("block size > CAB_INPUTMAX (%d + %d)\n", d->i_end - d->i_ptr, len)) return MSPACK_ERR_DATAFORMAT; } /* blocks must not expand to more than CAB_BLOCKMAX */ if (EndGetI16(&hdr[cfdata_UncompressedSize]) > CAB_BLOCKMAX) { - D(("block size > CAB_BLOCKMAX")) + D(("block size > CAB_BLOCKMAX\n")) return MSPACK_ERR_DATAFORMAT; } @@ -1388,7 +1388,7 @@ /* advance to next member in the cabinet set */ if (!(d->data = d->data->next)) { - D(("ran out of splits in cabinet set")) + D(("ran out of splits in cabinet set\n")) return MSPACK_ERR_DATAFORMAT; } Index: lzxd.c =================================================================== RCS file: /cvsroot/clamav/clamav-devel/libclamav/mspack/lzxd.c,v retrieving revision 1.2 diff -u -r1.2 lzxd.c --- lzxd.c 12 Jun 2004 19:16:12 -0000 1.2 +++ lzxd.c 21 Jul 2005 09:00:01 -0000 
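Review bot: In the `@@ -1343` hunk of cabd.c the rewritten message passes `d->i_end - d->i_ptr` to a `%d` conversion; if `i_end` and `i_ptr` are pointers, as the arithmetic suggests, the argument is a `ptrdiff_t` and the mismatch is undefined behaviour wherever that type is wider than `int`. Since the line is being edited anyway, cast the argument: `D(("block size > CAB_INPUTMAX (%d + %d)\n", (int)(d->i_end - d->i_ptr), len))`. The same pattern appears in the `@@ -818` hunk of lzxd.c with `lzx->o_end-lzx->o_ptr`. The declarations and the enclosing functions lie outside these hunks, so confirm the types before changing the lines.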
@@ -138,7 +138,7 @@ * if those bits aren't used, so fake 2 more bytes */ if (read == 0) { if (lzx->input_end) { - D(("out of input bytes")) + D(("out of input bytes\n")) return lzx->error = MSPACK_ERR_READ; } else { @@ -172,7 +172,7 @@ /* one less bit. error if we run out of bits before decode */ \ i >>= 1; \ if (i == 0) { \ - D(("out of bits in huffman decode")) \ + D(("out of bits in huffman decode\n")) \ return lzx->error = MSPACK_ERR_DECRUNCH; \ } \ /* double node index and add 0 (left branch) or 1 (right) */ \ @@ -194,7 +194,7 @@ if (make_decode_table(LZX_##tbl##_MAXSYMBOLS, LZX_##tbl##_TABLEBITS, \ &lzx->tbl##_len[0], &lzx->tbl##_table[0])) \ { \ - D(("failed to build %s table", #tbl)) \ + D(("failed to build %s table\n", #tbl)) \ return lzx->error = MSPACK_ERR_DECRUNCH; \ } @@ -505,7 +505,7 @@ /* have we reached the reset interval? (if there is one?) */ if (lzx->reset_interval && ((lzx->frame % lzx->reset_interval) == 0)) { if (lzx->block_remaining) { - D(("%d bytes remaining at reset interval", lzx->block_remaining)) + D(("%d bytes remaining at reset interval\n", lzx->block_remaining)) return lzx->error = MSPACK_ERR_DECRUNCH; } @@ -551,7 +551,7 @@ READ_BITS(lzx->block_type, 3); READ_BITS(i, 16); READ_BITS(j, 8); lzx->block_remaining = lzx->block_length = (i << 8) | j; - /*D(("new block t%d len %u", lzx->block_type, lzx->block_length))*/ + /*D(("new block t%d len %u\n", lzx->block_type, lzx->block_length))*/ /* read individual block headers */ switch (lzx->block_type) { @@ -596,7 +596,7 @@ break; default: - D(("bad block type")) + D(("bad block type\n")) return lzx->error = MSPACK_ERR_DECRUNCH; } } @@ -646,7 +646,7 @@ } if ((window_posn + match_length) > lzx->window_size) { - D(("match ran over window wrap")) + D(("match ran over window wrap\n")) return lzx->error = MSPACK_ERR_DECRUNCH; } 
@@ -658,7 +658,7 @@ /* j = length from match offset to end of window */ j = match_offset - window_posn; if (j > (int) lzx->window_size) { - D(("match offset beyond window boundaries")) + D(("match offset beyond window boundaries\n")) return lzx->error = MSPACK_ERR_DECRUNCH; } runsrc = &window[lzx->window_size - j]; @@ -735,7 +735,7 @@ } if ((window_posn + match_length) > lzx->window_size) { - D(("match ran over window wrap")) + D(("match ran over window wrap\n")) return lzx->error = MSPACK_ERR_DECRUNCH; } @@ -747,7 +747,7 @@ /* j = length from match offset to end of window */ j = match_offset - window_posn; if (j > (int) lzx->window_size) { - D(("match offset beyond window boundaries")) + D(("match offset beyond window boundaries\n")) return lzx->error = MSPACK_ERR_DECRUNCH; } runsrc = &window[lzx->window_size - j]; @@ -797,7 +797,7 @@ /* did the final match overrun our desired this_run length? */ if (this_run < 0) { if ((unsigned int)(-this_run) > lzx->block_remaining) { - D(("overrun went past end of block by %d (%d remaining)", + D(("overrun went past end of block by %d (%d remaining)\n", -this_run, lzx->block_remaining )) return lzx->error = MSPACK_ERR_DECRUNCH; } @@ -807,7 +807,7 @@ /* streams don't extend over frame boundaries */ if ((window_posn - lzx->frame_posn) != frame_size) { - D(("decode beyond output frame limits! %d != %d", + D(("decode beyond output frame limits! %d != %d\n", window_posn - lzx->frame_posn, frame_size)) return lzx->error = MSPACK_ERR_DECRUNCH; } @@ -818,7 +818,7 @@ /* check that we've used all of the previous frame first */ if (lzx->o_ptr != lzx->o_end) { - D(("%d avail bytes, new %d frame", lzx->o_end-lzx->o_ptr, frame_size)) + D(("%d avail bytes, new %d frame\n", lzx->o_end-lzx->o_ptr, frame_size)) return lzx->error = MSPACK_ERR_DECRUNCH; } 
@@ -877,7 +877,7 @@ } /* while (lzx->frame < end_frame) */ if (out_bytes) { - D(("bytes left to output")) + D(("bytes left to output\n")) return lzx->error = MSPACK_ERR_DECRUNCH; } Index: mszipd.c =================================================================== RCS file: /cvsroot/clamav/clamav-devel/libclamav/mspack/mszipd.c,v retrieving revision 1.2 diff -u -r1.2 mszipd.c --- mszipd.c 20 Jul 2005 01:55:58 -0000 1.2 +++ mszipd.c 21 Jul 2005 09:00:01 -0000 @@ -226,7 +226,7 @@ do { \ /* check next bit. error if we run out of bits before decode */ \ if (i++ > MSZIP_MAX_HUFFBITS) { \ - D(("out of bits in huffman decode")) \ + D(("out of bits in huffman decode\n")) \ return INF_ERR_HUFFSYM; \ } \ /* double node index and add 0 (left branch) or 1 (right) */ \ @@ -285,7 +285,7 @@ case 16: READ_BITS(run, 2); run += 3; code = last_code; break; case 17: READ_BITS(run, 3); run += 3; code = 0; break; case 18: READ_BITS(run, 7); run += 11; code = 0; break; - default: D(("bad code!: %u", code)) return INF_ERR_BADBITLEN; + default: D(("bad code!: %u\n", code)) return INF_ERR_BADBITLEN; } if ((i + run) > (lit_codes + dist_codes)) return INF_ERR_BITOVERRUN; while (run--) lens[i++] = code; @@ -324,7 +324,7 @@ /* read in block type */ READ_BITS(block_type, 2); - D(("block_type=%u last_block=%u", block_type, last_block)) + D(("block_type=%u last_block=%u\n", block_type, last_block)) if (block_type == 0) { /* uncompressed block */ @@ -514,7 +514,7 @@ { zip->bytes_output += data_flushed; if (zip->bytes_output > MSZIP_FRAME_SIZE) { - D(("overflow: %u bytes flushed, total is now %u", + D(("overflow: %u bytes flushed, total is now %u\n", data_flushed, zip->bytes_output)) return 1; } @@ -605,7 +605,7 @@ zip->bytes_output = 0; STORE_BITS; if ((error = inflate(zip))) { - D(("inflate error %d", i)) + D(("inflate error %d\n", i)) if (zip->repair_mode) { zip->sys->message(NULL, "MSZIP error, %u bytes of data lost.", MSZIP_FRAME_SIZE - zip->bytes_output); 
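Review bot: In the `@@ -605` hunk of mszipd.c the debug line prints `i`, but the failing call stores its status in `error` (`if ((error = inflate(zip)))`), so the number logged is not the inflate result. The line should read `D(("inflate error %d\n", error))`. The debug output quoted in this message shows `inflate error 75` on every failure, which would be consistent with an unrelated value being printed, although the declaration of `i` and the rest of the function are outside the hunk. An accurate code matters here because these messages are what remains to diagnose an archive that fails to unpack and is then reported as OK.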
@@ -636,7 +636,7 @@ } if (out_bytes) { - D(("bytes left to output")) + D(("bytes left to output\n")) return zip->error = MSPACK_ERR_DECRUNCH; } return MSPACK_ERR_OK; Index: qtmd.c =================================================================== RCS file: /cvsroot/clamav/clamav-devel/libclamav/mspack/qtmd.c,v retrieving revision 1.2 diff -u -r1.2 qtmd.c --- qtmd.c 24 Jun 2005 12:30:46 -0000 1.2 +++ qtmd.c 21 Jul 2005 09:00:02 -0000 @@ -409,7 +409,7 @@ /* j = length from match offset to end of window */ j = match_offset - window_posn; if (j > (int) qtm->window_size) { - D(("match offset beyond window boundaries")) + D(("match offset beyond window boundaries\n")) return qtm->error = MSPACK_ERR_DECRUNCH; } runsrc = &window[qtm->window_size - j]; @@ -433,7 +433,7 @@ /* another frame completed? */ if ((window_posn - frame_start) >= QTM_FRAME_SIZE) { if ((window_posn - frame_start) != QTM_FRAME_SIZE) { - D(("overshot frame alignment")) + D(("overshot frame alignment\n")) return qtm->error = MSPACK_ERR_DECRUNCH; } Index: system.h =================================================================== RCS file: /cvsroot/clamav/clamav-devel/libclamav/mspack/system.h,v retrieving revision 1.2 diff -u -r1.2 system.h --- system.h 20 Jul 2005 01:55:58 -0000 1.2 +++ system.h 21 Jul 2005 09:00:02 -0000 @@ -13,7 +13,7 @@ #ifdef DEBUG # include <stdio.h> # define D(x) do { printf("%s:%d (%s) ",__FILE__, __LINE__, __FUNCTION__); \ - printf x ; fputc('\n', stdout); fflush(stdout);} while (0); + printf x; } while (0); #else # define D(x) cli_dbgmsg x ; #endif
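Review bot: The new DEBUG definition of `D(x)` in system.h drops `fflush(stdout)` along with `fputc('\n', stdout)`, so when stdout is a file or a pipe the last messages before a crash in one of the decompressors can stay in the stdio buffer and be lost. Keep the flush and remove only the newline: `printf x; fflush(stdout); } while (0);`. Both definitions also still carry their own trailing `;`, and the non-DEBUG one is a bare statement rather than a `do { } while (0)`, which is why every call site is written without a semicolon. That deserves a comment above the macro, for example `/* D(x) supplies its own ';' - call as D((fmt, ...)) with no trailing semicolon */`.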
LibClamAV debug: Loading databases from /var/db/clamav LibClamAV debug: Loading /var/db/clamav/daily.cvd LibClamAV debug: in cli_cvdload() LibClamAV debug: MD5(.tar.gz) = df80bc7c18d325ed710c110d4a5a045b LibClamAV debug: Decoded signature: df80bc7c18d325ed710c110d4a5a045b LibClamAV debug: Digital signature is correct. LibClamAV debug: in cli_untgz() LibClamAV debug: Unpacking /tmp//clamav-d3ef36d73916573878bf9d49b10e6c3f/COPYING LibClamAV debug: Unpacking /tmp//clamav-d3ef36d73916573878bf9d49b10e6c3f/daily.db LibClamAV debug: Unpacking /tmp//clamav-d3ef36d73916573878bf9d49b10e6c3f/daily.hdb LibClamAV debug: Unpacking /tmp//clamav-d3ef36d73916573878bf9d49b10e6c3f/daily.ndb LibClamAV debug: Loading databases from /tmp//clamav-d3ef36d73916573878bf9d49b10e6c3f LibClamAV debug: Loading /tmp//clamav-d3ef36d73916573878bf9d49b10e6c3f/daily.db LibClamAV debug: Initializing main node LibClamAV debug: Initializing trie LibClamAV debug: Initializing BM tables LibClamAV debug: in cli_bm_init() LibClamAV debug: BM: Number of indexes = 63744 LibClamAV debug: Loading /tmp//clamav-d3ef36d73916573878bf9d49b10e6c3f/daily.hdb LibClamAV debug: Initializing md5 list structure LibClamAV debug: Loading /tmp//clamav-d3ef36d73916573878bf9d49b10e6c3f/daily.ndb LibClamAV debug: Loading /var/db/clamav/main.cvd LibClamAV debug: in cli_cvdload() LibClamAV debug: MD5(.tar.gz) = 7c497735a7e1a3e15dde75832bef48f3 LibClamAV debug: Decoded signature: 7c497735a7e1a3e15dde75832bef48f3 LibClamAV debug: Digital signature is correct. 
LibClamAV debug: in cli_untgz() LibClamAV debug: Unpacking /tmp//clamav-e3587334453409aafdcba2dd8da41e18/COPYING LibClamAV debug: Unpacking /tmp//clamav-e3587334453409aafdcba2dd8da41e18/main.db LibClamAV debug: Unpacking /tmp//clamav-e3587334453409aafdcba2dd8da41e18/main.hdb LibClamAV debug: Unpacking /tmp//clamav-e3587334453409aafdcba2dd8da41e18/main.ndb LibClamAV debug: Unpacking /tmp//clamav-e3587334453409aafdcba2dd8da41e18/main.zmd LibClamAV debug: Unpacking /tmp//clamav-e3587334453409aafdcba2dd8da41e18/main.fp LibClamAV debug: Loading databases from /tmp//clamav-e3587334453409aafdcba2dd8da41e18 LibClamAV debug: Loading /tmp//clamav-e3587334453409aafdcba2dd8da41e18/main.db LibClamAV debug: Loading /tmp//clamav-e3587334453409aafdcba2dd8da41e18/main.hdb LibClamAV debug: Loading /tmp//clamav-e3587334453409aafdcba2dd8da41e18/main.ndb LibClamAV debug: Loading /tmp//clamav-e3587334453409aafdcba2dd8da41e18/main.zmd LibClamAV debug: Loading /tmp//clamav-e3587334453409aafdcba2dd8da41e18/main.fp LibClamAV debug: Recognized MS CAB file LibClamAV debug: in cli_scanmscab() LibClamAV debug: libmspack: WARNING; possible 4104 extra bytes at end of file. 
LibClamAV debug: MSCAB: Extracting data to /tmp//clamav-7cf00566ea3a8642b59fabbb3efca44d LibClamAV debug: block_type=1 last_block=1 LibClamAV debug: inflate error 75 LibClamAV debug: MSCAB: libmscab error code: 8 LibClamAV debug: MSCAB: Extracting data to /tmp//clamav-a4e121a915c48370116255d96bf8b551 LibClamAV debug: block_type=2 last_block=0 LibClamAV debug: block_type=2 last_block=1 LibClamAV debug: block_type=2 last_block=1 LibClamAV debug: block_type=2 last_block=0 LibClamAV debug: block_type=2 last_block=1 LibClamAV debug: block_type=2 last_block=0 LibClamAV debug: block_type=2 last_block=1 LibClamAV debug: block_type=2 last_block=1 LibClamAV debug: block_type=2 last_block=0 LibClamAV debug: block_type=2 last_block=0 LibClamAV debug: block_type=2 last_block=1 LibClamAV debug: block_type=2 last_block=1 LibClamAV debug: block_type=2 last_block=0 LibClamAV debug: block_type=2 last_block=1 LibClamAV debug: block_type=2 last_block=0 LibClamAV debug: block_type=2 last_block=1 LibClamAV debug: block_type=2 last_block=1 LibClamAV debug: block_type=2 last_block=1 LibClamAV debug: block_type=2 last_block=1 LibClamAV debug: block_type=2 last_block=1 LibClamAV debug: block_type=2 last_block=1 LibClamAV debug: block_type=2 last_block=1 LibClamAV debug: block_type=2 last_block=1 LibClamAV debug: block_type=2 last_block=1 LibClamAV debug: block_type=2 last_block=1 LibClamAV debug: block_type=2 last_block=1 LibClamAV debug: block_type=2 last_block=1 LibClamAV debug: block_type=2 last_block=1 LibClamAV debug: block_type=2 last_block=1 LibClamAV debug: block_type=2 last_block=1 LibClamAV debug: block_type=2 last_block=1 LibClamAV debug: block_type=2 last_block=1 LibClamAV debug: block_type=2 last_block=1 LibClamAV debug: block_type=2 last_block=1 LibClamAV debug: block_type=2 last_block=1 LibClamAV debug: block_type=2 last_block=1 LibClamAV debug: block_type=2 last_block=1 LibClamAV debug: block_type=2 last_block=1 LibClamAV debug: block_type=2 last_block=0 LibClamAV debug: 
block_type=2 last_block=1 LibClamAV debug: block_type=2 last_block=0 LibClamAV debug: block_type=2 last_block=0 LibClamAV debug: block_type=2 last_block=1 LibClamAV debug: block_type=2 last_block=0 LibClamAV debug: block_type=2 last_block=1 LibClamAV debug: block_type=2 last_block=0 LibClamAV debug: block_type=2 last_block=1 LibClamAV debug: block_type=2 last_block=1 LibClamAV debug: block_type=2 last_block=1 LibClamAV debug: block_type=2 last_block=1 LibClamAV debug: block_type=2 last_block=1 LibClamAV debug: block_type=2 last_block=1 LibClamAV debug: block_type=2 last_block=0 LibClamAV debug: block_type=2 last_block=1 LibClamAV debug: block_type=2 last_block=1 LibClamAV debug: block_type=2 last_block=1 LibClamAV debug: inflate error 75 LibClamAV debug: MSCAB: libmscab error code: 8 LibClamAV debug: MSCAB: Extracting data to /tmp//clamav-5937d1261e0e1c302df55c3ed251ac57 LibClamAV debug: block_type=2 last_block=0 LibClamAV debug: block_type=2 last_block=1 LibClamAV debug: inflate error 75 LibClamAV debug: MSCAB: libmscab error code: 8 LibClamAV debug: MSCAB: Extracting data to /tmp//clamav-e8cdbd420c5fcebb24246a6ee20af2e9 LibClamAV debug: block_type=2 last_block=0 LibClamAV debug: block_type=2 last_block=0 LibClamAV debug: block_type=2 last_block=1 LibClamAV debug: block_type=2 last_block=1 LibClamAV debug: inflate error 75 LibClamAV debug: MSCAB: libmscab error code: 8 LibClamAV debug: MSCAB: Extracting data to /tmp//clamav-6c3d56bfbad0a2f67ca6138fd8aea547 LibClamAV debug: block_type=2 last_block=1 LibClamAV debug: inflate error 75 LibClamAV debug: MSCAB: libmscab error code: 8 LibClamAV debug: Calculated MD5 checksum: 71915ebc4bc1ee5988d85a036a933548 FA-CAB-i98_ver11.cab: OK ----------- SCAN SUMMARY ----------- Known viruses: 36509 Engine version: devel-20050721 Scanned directories: 0 Scanned files: 1 Infected files: 0 Data scanned: 0.68 MB Time: 3.276 sec (0 m 3 s)