
Commit 168f6e5

committed
bb12262 - Fix to address potential use-after-free bug in scanner code relating to the filenames for nested files.
1 parent dd79cd7 commit 168f6e5


1 file changed

+22
-7
lines changed


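--- a/libclamav/scanners.c
+++ b/libclamav/scanners.c
@@ -3489,10 +3489,15 @@ static int magic_scandesc(cli_ctx *ctx, cli_file_t type)
 }
 }
 
-static int cli_base_scandesc(int desc, const char *filepath, cli_ctx *ctx, cli_file_t type)
+static cl_error_t cli_base_scandesc(int desc, const char *filepath, cli_ctx *ctx, cli_file_t type)
 {
 STATBUF sb;
-int ret;
+cl_error_t status = CL_CLEAN;
+cl_error_t ret = CL_CLEAN;
+
+if (!ctx) {
+return CL_EARG;
+}
 
 const char *parent_filepath = ctx->sub_filepath;
 ctx->sub_filepath = filepath;
@@ -3504,11 +3509,17 @@ static int cli_base_scandesc(int desc, const char *filepath, cli_ctx *ctx, cli_f
 cli_dbgmsg("in cli_magic_scandesc (reclevel: %u/%u)\n", ctx->recursion, ctx->engine->maxreclevel);
 if (FSTAT(desc, &sb) == -1) {
 cli_errmsg("magic_scandesc: Can't fstat descriptor %d\n", desc);
-early_ret_from_magicscan(CL_ESTAT);
+
+status = CL_ESTAT;
+cli_dbgmsg("cli_magic_scandesc: returning %d %s (no post, no cache)\n", status, __AT__);
+goto done;
 }
 if (sb.st_size <= 5) {
 cli_dbgmsg("Small data (%u bytes)\n", (unsigned int)sb.st_size);
-early_ret_from_magicscan(CL_CLEAN);
+
+status = CL_CLEAN;
+cli_dbgmsg("cli_magic_scandesc: returning %d %s (no post, no cache)\n", status, __AT__);
+goto done;
 }
 
 ctx->fmap++;
@@ -3517,18 +3528,22 @@ static int cli_base_scandesc(int desc, const char *filepath, cli_ctx *ctx, cli_f
 cli_errmsg("CRITICAL: fmap() failed\n");
 ctx->fmap--;
 perf_stop(ctx, PERFT_MAP);
-early_ret_from_magicscan(CL_EMEM);
+
+status = CL_EMEM;
+cli_dbgmsg("cli_magic_scandesc: returning %d %s (no post, no cache)\n", status, __AT__);
+goto done;
 }
 perf_stop(ctx, PERFT_MAP);
 
-ret = magic_scandesc(ctx, type);
+status = magic_scandesc(ctx, type);
 
 funmap(*ctx->fmap);
 ctx->fmap--;
 
+done:
 ctx->sub_filepath = parent_filepath;
 
-return ret;
+return status;
 }
 
 int cli_magic_scandesc(int desc, const char *filepath, cli_ctx *ctx)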
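Review bot: The new `cl_error_t ret = CL_CLEAN;` in cli_base_scandesc is never read or assigned in the lines shown, because every path now carries its result in `status`. Unless the few lines between the hunks use it, the declaration should be dropped so it does not trigger an unused-variable warning. The `done:` label should also carry a comment, since the fix only holds while every exit taken after `ctx->sub_filepath = filepath;` reaches it; for example `/* Every exit after sub_filepath is set must pass through here, so ctx never keeps the caller's filepath pointer. */`. The three identical `cli_dbgmsg("cli_magic_scandesc: returning ... (no post, no cache)")` calls could set `status` and share one message at a second label, which leaves fewer places for a later early exit to bypass the restore.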
