[Pkg-clamav-devel] Bug#773318: Bug#773041: Bug#773318: clamav dies/hangs
Andreas Cadhalpun
andreas.cadhalpun at googlemail.com
Tue Dec 23 17:15:45 UTC 2014
Hi,
On 22.12.2014 22:52, Sebastian Andrzej Siewior wrote:
> On 2014-12-22 02:52:02 [+0100], Marc Dequènes (duck) wrote:
>> I can upload this simple fix quickly, nevertheless i did not have time to
>> proofread it. Any comment?
>
> I plan to add the following patch to clamav. I added a small comment
> why we have the busy loop there. So far it looks like a good idea. The
> only problem is that we need off_t being 64-bit (LFS) or it won't work
> on 32-bit. No problem on Debian side…
I think there is a better way than changing the type of frame_end to off_t.
It is possible to avoid the overflow by reordering the code:
--- libmspack-0.4.orig/mspack/qtmd.c
+++ libmspack-0.4/mspack/qtmd.c
@@ -296,10 +296,12 @@ int qtmd_decompress(struct qtmd_stream *
/* decode more, up to the number of bytes needed, the frame boundary,
* or the window boundary, whichever comes first */
- frame_end = window_posn + (out_bytes - (qtm->o_end - qtm->o_ptr));
- if ((window_posn + frame_todo) < frame_end) {
+ if (frame_todo < (out_bytes - (qtm->o_end - qtm->o_ptr))) {
frame_end = window_posn + frame_todo;
}
+ else {
+ frame_end = window_posn + (out_bytes - (qtm->o_end - qtm->o_ptr));
+ }
if (frame_end > qtm->window_size) {
frame_end = qtm->window_size;
}
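Review bot: the else branch repeats the expression from the condition (`frame_end = window_posn + (out_bytes - (qtm->o_end - qtm->o_ptr));`); computing `out_bytes - (qtm->o_end - qtm->o_ptr)` once into a local of out_bytes' type before the if would avoid the duplication and make it visible that the value assigned in the else branch is bounded by frame_todo. The reordering only helps because the comparison is now made in the width of out_bytes before the narrowing assignment to frame_end, and it relies on that difference being non-negative; neither point is stated, and the context comment above the hunk still lists only the three bounds. A one-line comment saying the order is deliberate would stop a later cleanup from folding the two branches back into the original min() form and reintroducing the truncation.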
This works, because frame_todo is at most QTM_FRAME_SIZE = 32768.
Merry Christmas,
Andreas
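To make the truncation concrete, here is an added example that is not part of this mail or of libmspack: it models the two frame_end computations with the types implied by the patch context (frame_end and window_posn as unsigned int, out_bytes as off_t) and feeds both a constructed request for 4 GiB of output. The field names, the helper names and the sample values are assumptions made for illustration only.

```c
/* Added example, not libmspack code.  Models the frame_end computation
 * from qtmd_decompress() before and after the reordering in the patch.
 * Types are assumed to match the patch context: window_posn/frame_end are
 * unsigned int, out_bytes is off_t (forced to 64 bits here via LFS). */
#define _FILE_OFFSET_BITS 64
#include <stdio.h>
#include <sys/types.h>   /* off_t */

#define QTM_FRAME_SIZE 32768u   /* upper bound on frame_todo */

/* Original ordering: the 64-bit sum is narrowed to unsigned int first,
 * and the "whichever comes first" comparison is then made against the
 * already-truncated value, so the frame_todo bound can be skipped. */
static unsigned int frame_end_original(unsigned int window_posn,
                                       unsigned int frame_todo,
                                       off_t out_bytes,
                                       off_t buffered,      /* qtm->o_end - qtm->o_ptr */
                                       unsigned int window_size)
{
    unsigned int frame_end;
    frame_end = window_posn + (out_bytes - buffered);   /* truncated here */
    if ((window_posn + frame_todo) < frame_end) {
        frame_end = window_posn + frame_todo;
    }
    if (frame_end > window_size) {
        frame_end = window_size;
    }
    return frame_end;
}

/* Reordered as in the patch: compare in the width of out_bytes first;
 * the else branch only ever assigns a value bounded by frame_todo. */
static unsigned int frame_end_reordered(unsigned int window_posn,
                                        unsigned int frame_todo,
                                        off_t out_bytes,
                                        off_t buffered,
                                        unsigned int window_size)
{
    unsigned int frame_end;
    off_t wanted = out_bytes - buffered;   /* assumed non-negative, as in qtmd.c */
    if (frame_todo < wanted) {             /* no narrowing before this test */
        frame_end = window_posn + frame_todo;
    } else {
        frame_end = window_posn + wanted;  /* wanted <= frame_todo <= 32768 */
    }
    if (frame_end > window_size) {
        frame_end = window_size;
    }
    return frame_end;
}

int main(void)
{
    /* Constructed input: 1000 bytes into a 64 KiB window, a full frame
     * still to decode, nothing buffered, and a caller asking for 4 GiB. */
    unsigned int window_posn = 1000u, window_size = 65536u;
    off_t out_bytes = (off_t)1 << 32, buffered = 0;

    unsigned int before = frame_end_original(window_posn, QTM_FRAME_SIZE,
                                             out_bytes, buffered, window_size);
    unsigned int after  = frame_end_reordered(window_posn, QTM_FRAME_SIZE,
                                              out_bytes, buffered, window_size);

    /* before == window_posn: the truncated sum leaves no bytes to decode
     * in this pass; after == window_posn + QTM_FRAME_SIZE as intended. */
    printf("original:  frame_end = %u (window_posn = %u)\n", before, window_posn);
    printf("reordered: frame_end = %u\n", after);
    return 0;
}
```

With out_bytes = 2^32 the original code narrows window_posn + 2^32 back to window_posn, so frame_end ends up equal to the current position and the frame_todo bound never applies; the reordered version compares before narrowing and yields window_posn + 32768. For small requests both functions agree, and the window_size clamp behaves the same in both.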