On Mon, 5 Mar 2007 17:48:23 +0800 "alex" <[EMAIL PROTECTED]> wrote:
>
> I have read the source code of clamav 0.90 and found a bug in its matching
> algorithm.
>
> To test it, I have made one sample file and two pattern files as follows:
>
> sample file:
> a.sam:
> 111 222 222 333
>
> a.db:
> pat_a=313131*323232{-5}333333
>
> b.db:
> 313131{-100}323232{-5}333333
>
> I scanned the sample file by these two pattern files respectively, the
> pattern "b.db" detected the sample file, but the pattern "a.db" missed.
>
>
> I think the sample file should be detected too by the pattern files "a.db".
>
> To fix it, I modify the line 483 in matcher-ac.c to
> if (pt->maxdist) mdata->maxshift[pt->sigid - 1] = mdata->partoff[pt->sigid - 1][j] + pt->maxdist - curroff;
>
> Can anyone tell me this modification is right or not?

It's not enough. If pt->maxdist == 0 then mdata->maxshift should be reset to -1
to not depend on old values in next iterations. So the proper fix is:

if(pt->maxdist)
    mdata->maxshift[pt->sigid - 1] = mdata->partoff[pt->sigid - 1][j] + pt->maxdist - curroff;
else
    mdata->maxshift[pt->sigid - 1] = -1;

-- 
   oo    .....         Tomasz Kojm <[EMAIL PROTECTED]>
  (\/)\.........         http://www.ClamAV.net/gpg/tkojm.gpg
     \..........._         0DCA5A08407D5288279DB43454822DC8985A444B
       //\   /\              Thu Mar  8 23:21:47 CET 2007
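
The stale-value problem raised in the reply, as a small C model added here for illustration (not code from matcher-ac.c or from either poster). The struct, the function names, the offsets and the `shift_allowed` consumer are assumptions made for this example; only the `maxshift` formula and the reset to -1 come from the thread.

```c
#include <stdio.h>
/* Simplified model of one signature's carried-over state (not ClamAV source). */
struct sig_state {
    long partoff;   /* offset where the previous part matched */
    long maxshift;  /* room left for the next part; -1 means no limit */
};
typedef void (*update_fn)(struct sig_state *, long maxdist, long curroff);

/* First proposal in the thread: write maxshift only when a bound exists. */
static void update_if_only(struct sig_state *s, long maxdist, long curroff)
{
    if (maxdist)
        s->maxshift = s->partoff + maxdist - curroff;
}

/* Reply's version: an unbounded gap (maxdist == 0) resets the limit. */
static void update_with_reset(struct sig_state *s, long maxdist, long curroff)
{
    if (maxdist)
        s->maxshift = s->partoff + maxdist - curroff;
    else
        s->maxshift = -1;
}

/* Constructed scenario: a bounded gap, then an unbounded one, same signature. */
static long run_scenario(update_fn update)
{
    struct sig_state s = { 3, -1 };  /* previous part matched at offset 3 */
    update(&s, 5, 6);                /* maxdist 5, curroff 6: 3 + 5 - 6 = 2 */
    s.partoff = 6;
    update(&s, 0, 9);                /* maxdist 0: this gap has no bound */
    return s.maxshift;
}

/* Hypothetical consumer: is a part `shift` bytes further on still in range? */
static int shift_allowed(update_fn update, long shift)
{
    long maxshift = run_scenario(update);
    return maxshift == -1 || shift <= maxshift;
}

int main(void)
{
    printf("if only:    maxshift=%ld far part ok=%d\n",
           run_scenario(update_if_only), shift_allowed(update_if_only, 40));
    printf("with reset: maxshift=%ld far part ok=%d\n",
           run_scenario(update_with_reset), shift_allowed(update_with_reset, 40));
    return 0;
}
```

With the `if`-only update, the limit of 2 left by the bounded gap still applies when the unbounded gap is processed, so a part 40 bytes further on is rejected; with the reset it is accepted.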