Fixed heap buffer overflow while loading signatures

There is a possible overflow read when loading PDB and WDB phishing
signatures.

This issue is not a vulnerability.

Changed const char pointers to uint8_t pointers when they are to be used
with data, as well as removing asserts and adding additional error
checking.

Thank you Michał Dardas for reporting this issue.

Author: ragusaa

libclamav/matcher-ac.c

@@ -641,10 +641,34 @@ static void ac_free_special(struct cli_ac_patt *p)
     MPOOL_FREE(mempool, p->special_table);
 }
 
+/*Find all duplicate pointers and zero them so that we won't get double-free
+ * errors when we iterate over the cli_matcher to free all the trans
+ * pointers.*/
+static void zero_duplicate_trans_nodes(struct cli_matcher *root, const size_t idx)
+{
+    size_t j;
+    for (j = 0; j < root->ac_nodes; j++) {
+        if (j == idx) {
+            continue;
+        }
+        if (NULL == root->ac_nodetable[j]) {
+            continue;
+        }
+        if (root->ac_nodetable[idx]->trans == root->ac_nodetable[j]->trans) {
+            root->ac_nodetable[j]->trans = NULL;
+        }
+    }
+    if (root->ac_root) {
+        if (root->ac_nodetable[idx]->trans == root->ac_root->trans) {
+            root->ac_root->trans = NULL;
+        }
+    }
+}
+
 void cli_ac_free(struct cli_matcher *root)
 {
-    uint32_t i;
-    struct cli_ac_patt *patt;
+    uint32_t i               = 0;
+    struct cli_ac_patt *patt = NULL;
 
     for (i = 0; i < root->ac_patterns; i++) {
         patt = root->ac_pattable[i];
@@ -671,7 +695,9 @@ void cli_ac_free(struct cli_matcher *root)
         if (!IS_LEAF(root->ac_nodetable[i]) &&
             root->ac_nodetable[i]->fail &&
             root->ac_nodetable[i]->trans != root->ac_nodetable[i]->fail->trans) {
+            zero_duplicate_trans_nodes(root, i);
             MPOOL_FREE(root->mempool, root->ac_nodetable[i]->trans);
+            root->ac_nodetable[i]->trans = NULL;
         }
     }
 
@@ -681,8 +707,18 @@ void cli_ac_free(struct cli_matcher *root)
     if (root->ac_listtable)
         MPOOL_FREE(root->mempool, root->ac_listtable);
 
-    for (i = 0; i < root->ac_nodes; i++)
+    for (i = 0; i < root->ac_nodes; i++) {
+        if (NULL == root->ac_nodetable[i]) {
+            continue;
+        }
+        if (!IS_LEAF(root->ac_nodetable[i])) {
+            zero_duplicate_trans_nodes(root, i);
+            MPOOL_FREE(root->mempool, root->ac_nodetable[i]->trans);
+            root->ac_nodetable[i]->trans = NULL;
+        }
         MPOOL_FREE(root->mempool, root->ac_nodetable[i]);
+        root->ac_nodetable[i] = NULL;
+    }
 
     if (root->ac_nodetable)
         MPOOL_FREE(root->mempool, root->ac_nodetable);

libclamav/others.h

@@ -1177,6 +1177,19 @@ uint8_t cli_set_debug_flag(uint8_t debug_flag);
     } while (0)
 #endif
 
+#ifndef CLI_STRDUP
+#define CLI_STRDUP(buf, var, ...) \
+    do {                          \
+        var = cli_strdup(buf);    \
+        if (NULL == var) {        \
+            do {                  \
+                __VA_ARGS__;      \
+            } while (0);          \
+            goto done;            \
+        }                         \
+    } while (0)
+#endif
+
 #ifndef FREE
 #define FREE(var)          \
     do {                   \
@@ -1251,4 +1264,29 @@ uint8_t cli_set_debug_flag(uint8_t debug_flag);
     } while (0)
 #endif
 
+/**
+ * @brief Wrapper around realloc that limits how much may be allocated to CLI_MAX_ALLOCATION.
+ *
+ * IMPORTANT: This differs from realloc() in that if size==0, it will NOT free the ptr.
+ *
+ * NOTE: cli_realloc() will NOT free ptr if size==0. It is safe to free ptr after `done:`.
+ *
+ * @param ptr
+ * @param size
+ * @return void*
+ */
+#ifndef CLI_REALLOC
+#define CLI_REALLOC(ptr, size, ...)          \
+    do {                                     \
+        void *vTmp = cli_realloc(ptr, size); \
+        if (NULL == vTmp) {                  \
+            do {                             \
+                __VA_ARGS__;                 \
+            } while (0);                     \
+            goto done;                       \
+        }                                    \
+        ptr = vTmp;                          \
+    } while (0)
+#endif
+
 #endif