
Bug#750846: wheezy-pu: package clamav/0.98.1+dfsg-1+deb7u3



Package: release.debian.org
Severity: normal
Tags: wheezy
User: release.debian.org@packages.debian.org
Usertags: pu

This is a small, low risk change cherry-picked from upstream that fixes a
significant issue reported by a Debian Wheezy user.  We had intended to wait
for the final 0.98.4 release and just fix this with the next package update,
but that release has been unaccountably delayed, so I think it makes sense to
go ahead and fix this issue while we wait for upstream to get 0.98.4 out the
door.

diff -Nru clamav-0.98.1+dfsg/debian/changelog clamav-0.98.1+dfsg/debian/changelog
--- clamav-0.98.1+dfsg/debian/changelog	2014-05-31 21:00:42.000000000 +0200
+++ clamav-0.98.1+dfsg/debian/changelog	2014-05-31 21:00:43.000000000 +0200
@@ -1,3 +1,11 @@
+clamav (0.98.1+dfsg-1+deb7u4) stable; urgency=medium
+
+  * cherry pick upstream patches to fix a crash while using clamscan. Added
+    patches: c6f5ef98d ("bb #10970 - Force a filesize limit of UINT_MAX - 2")
+    and 99ee2138c ("Key off INT_MAX") (Closes: #749715).
+
+ -- Sebastian Andrzej Siewior <sebastian@breakpoint.cc>  Fri, 30 May 2014 20:46:42 +0200
+
 clamav (0.98.1+dfsg-1+deb7u3) stable; urgency=medium
 
   [ Sebastian Andrzej Siewior ]
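
Review bot: The new 0.98.1+dfsg-1+deb7u4 entry describes the change only as fixing "a crash while using clamscan" and does not record the behaviour change that comes with it: per the scanners.c hunk in this same patch, inputs larger than INT_MAX - 2 bytes are now returned as CL_CLEAN without being scanned. Suggest stating that in the entry, and giving the effective limit as INT_MAX - 2, since the first quoted commit title still says UINT_MAX - 2 and only the second title hints that the value changed.
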
diff -Nru clamav-0.98.1+dfsg/libclamav/scanners.c clamav-0.98.1+dfsg/libclamav/scanners.c
--- clamav-0.98.1+dfsg/libclamav/scanners.c	2014-01-13 18:02:34.000000000 +0100
+++ clamav-0.98.1+dfsg/libclamav/scanners.c	2014-05-31 21:00:43.000000000 +0200
@@ -3107,6 +3107,19 @@
 {
     cli_ctx ctx;
     int rc;
+    STATBUF sb;
+
+    /* We have a limit of around 2.17GB (INT_MAX - 2). Enforce it here. */
+    if (map != NULL) {
+        if ((size_t)(map->real_len) > (size_t)(INT_MAX - 2))
+            return CL_CLEAN;
+    } else {
+        if (FSTAT(desc, &sb))
+            return CL_ESTAT;
+
+        if ((size_t)(sb.st_size) > (size_t)(INT_MAX - 2))
+            return CL_CLEAN;
+    }
 
     memset(&ctx, '\0', sizeof(cli_ctx));
     ctx.engine = engine;
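
Review bot: Both `return CL_CLEAN;` paths for inputs above INT_MAX - 2 report a file that was never scanned as clean, so a caller cannot tell "skipped because too large" from "scanned, nothing found". Suggest emitting a warning at this point, or returning a distinct status, so that oversized files are surfaced rather than silently passed. Separately, `(size_t)(sb.st_size)` truncates if st_size is wider than size_t (for example a 64-bit off_t on a 32-bit build), which could let a very large file wrap below the limit; doing the comparison in the wider type avoids that. The comment's "around 2.17GB" is also slightly off: with a 32-bit int, INT_MAX - 2 is 2147483645 bytes, about 2.15 GB.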
