Fixed heap buffer overflow while loading signatures

There is a possible overflow read when loading PDB and WDB phishing
signatures.

This issue is not a vulnerability.

Changed const char pointers to uint8_t pointers when they are to be used
with data, as well as removing asserts and adding additional error
checking.

Thank you Michał Dardas for reporting this issue.

Author: ragusaa

libclamav/matcher-ac.c

@@ -641,10 +641,36 @@ static void ac_free_special(struct cli_ac_patt *p)
     MPOOL_FREE(mempool, p->special_table);
 }
 
+/*
+ * This is a test to see if we have already seen this pointer.  If we have, we
+ * have already freed it, so don't do it again (double-free)
+ */
+static int need_to_free(struct cli_matcher *root, const size_t idx)
+{
+    size_t j;
+    size_t min = idx;
+    if (root->ac_nodes < idx) {
+        /*Should never happen, but check just to be safe.*/
+        min = root->ac_nodes;
+    }
+
+    for (j = 0; j < min; j++) {
+        if (NULL == root->ac_nodetable[j]) {
+            continue;
+        }
+
+        if (root->ac_nodetable[idx]->trans == root->ac_nodetable[j]->trans) {
+            return 0;
+        }
+    }
+
+    return 1;
+}
+
 void cli_ac_free(struct cli_matcher *root)
 {
-    uint32_t i;
-    struct cli_ac_patt *patt;
+    uint32_t i               = 0;
+    struct cli_ac_patt *patt = NULL;
 
     for (i = 0; i < root->ac_patterns; i++) {
         patt = root->ac_pattable[i];
@@ -669,9 +695,11 @@ void cli_ac_free(struct cli_matcher *root)
     /* Freeing trans nodes must be done before freeing table nodes! */
     for (i = 0; i < root->ac_nodes; i++) {
         if (!IS_LEAF(root->ac_nodetable[i]) &&
-            root->ac_nodetable[i]->fail &&
-            root->ac_nodetable[i]->trans != root->ac_nodetable[i]->fail->trans) {
-            MPOOL_FREE(root->mempool, root->ac_nodetable[i]->trans);
+            root->ac_root->trans != root->ac_nodetable[i]->trans) {
+
+            if (need_to_free(root, i)) {
+                MPOOL_FREE(root->mempool, root->ac_nodetable[i]->trans);
+            }
         }
     }
 
@@ -681,19 +709,22 @@ void cli_ac_free(struct cli_matcher *root)
     if (root->ac_listtable)
         MPOOL_FREE(root->mempool, root->ac_listtable);
 
-    for (i = 0; i < root->ac_nodes; i++)
+    for (i = 0; i < root->ac_nodes; i++) {
         MPOOL_FREE(root->mempool, root->ac_nodetable[i]);
+    }
 
-    if (root->ac_nodetable)
+    if (root->ac_nodetable) {
         MPOOL_FREE(root->mempool, root->ac_nodetable);
+    }
 
     if (root->ac_root) {
         MPOOL_FREE(root->mempool, root->ac_root->trans);
         MPOOL_FREE(root->mempool, root->ac_root);
     }
 
-    if (root->filter)
+    if (root->filter) {
         MPOOL_FREE(root->mempool, root->filter);
+    }
 }
 
 /*

libclamav/others.h

@@ -1177,6 +1177,19 @@ uint8_t cli_set_debug_flag(uint8_t debug_flag);
     } while (0)
 #endif
 
+#ifndef CLI_STRDUP
+#define CLI_STRDUP(buf, var, ...) \
+    do {                          \
+        var = cli_strdup(buf);    \
+        if (NULL == var) {        \
+            do {                  \
+                __VA_ARGS__;      \
+            } while (0);          \
+            goto done;            \
+        }                         \
+    } while (0)
+#endif
+
 #ifndef FREE
 #define FREE(var)          \
     do {                   \
@@ -1251,4 +1264,29 @@ uint8_t cli_set_debug_flag(uint8_t debug_flag);
     } while (0)
 #endif
 
+/**
+ * @brief Wrapper around realloc that limits how much may be allocated to CLI_MAX_ALLOCATION.
+ *
+ * IMPORTANT: This differs from realloc() in that if size==0, it will NOT free the ptr.
+ *
+ * NOTE: cli_realloc() will NOT free ptr if size==0. It is safe to free ptr after `done:`.
+ *
+ * @param ptr
+ * @param size
+ * @return void*
+ */
+#ifndef CLI_REALLOC
+#define CLI_REALLOC(ptr, size, ...)          \
+    do {                                     \
+        void *vTmp = cli_realloc(ptr, size); \
+        if (NULL == vTmp) {                  \
+            do {                             \
+                __VA_ARGS__;                 \
+            } while (0);                     \
+            goto done;                       \
+        }                                    \
+        ptr = vTmp;                          \
+    } while (0)
+#endif
+
 #endif