Cisco-Talos · val-ms · Apr 13, 2023 · Apr 7, 2023 · Apr 7, 2023 · Apr 7, 2023
diff --git a/clamav-milter/clamav-milter.c b/clamav-milter/clamav-milter.c
@@ -178,8 +178,8 @@ int main(int argc, char **argv)
         char myname[255];
 
         if (((opt = optget(opts, "ReportHostname"))->enabled &&
-             strncpy(myname, opt->strarg, sizeof(myname))) ||
-            !gethostname(myname, sizeof(myname))) {
+             strncpy(myname, opt->strarg, sizeof(myname) - 1)) ||
+            !gethostname(myname, sizeof(myname) - 1)) {
 
             myname[sizeof(myname) - 1] = '\0';
             snprintf(xvirushdr, sizeof(xvirushdr), "clamav-milter %s at %s",

diff --git a/clamav-milter/clamfi.c b/clamav-milter/clamfi.c
@@ -61,7 +61,7 @@ static sfsistat (*InfectedAction)(SMFICTX *ctx);
 static char *rejectfmt = NULL;
 
 int addxvirus = 0; /* 0 - don't add | 1 - replace | 2 - add */
-char xvirushdr[255];
+char xvirushdr[300];
 char *viraction = NULL;
 int multircpt   = 1;
 

diff --git a/clamav-milter/clamfi.h b/clamav-milter/clamfi.h
@@ -27,7 +27,7 @@
 
 extern uint64_t maxfilesize;
 extern int addxvirus;
-extern char xvirushdr[255];
+extern char xvirushdr[300];
 extern int multircpt;
 
 sfsistat clamfi_body(SMFICTX *ctx, unsigned char *bodyp, size_t len);

diff --git a/clamonacc/client/client.c b/clamonacc/client/client.c
@@ -406,7 +406,6 @@ cl_error_t onas_setup_client(struct onas_context **ctx)
 {
 
     const struct optstruct *opts;
-    const struct optstruct *opt;
     cl_error_t err;
     int remote;
 

diff --git a/examples/ex_cl_cvdunpack.c b/examples/ex_cl_cvdunpack.c
@@ -41,22 +41,12 @@
  */
 int main(int argc, char **argv)
 {
-    int fd;
     cl_error_t ret;
 
     const char *filename;
     const char *destination_directory;
     bool dont_verify = false;
 
-    char dest_buff[1024];
-
-    unsigned long int size = 0;
-    unsigned int sigs      = 0;
-    long double mb;
-    const char *virname;
-    struct cl_engine *engine;
-    struct cl_scan_options options;
-
     switch (argc) {
         case 2:
             filename              = argv[1];

diff --git a/examples/ex_file_inspection_callback.c b/examples/ex_file_inspection_callback.c
@@ -94,6 +94,9 @@ cl_error_t post_callback(
     const char *virname,
     void *context) // Could be used to retrieve / store contextual information for app
 {
+    (void)fd;
+    (void)context;
+
     printf("result:             %d\n", result);
     printf("virname:            %s\n", virname);
     printf("\n\n");
@@ -120,7 +123,7 @@ int main(int argc, char **argv)
     long double mb;
     const char *virname;
     const char *filename;
-    struct cl_engine *engine;
+    struct cl_engine *engine = NULL;
     struct cl_scan_options options;
     char database_filepath[256];
     bool created_database = false;

diff --git a/examples/ex_prescan_callback.c b/examples/ex_prescan_callback.c
@@ -76,7 +76,7 @@ int main(int argc, char **argv)
     long double mb;
     const char *virname;
     const char *filename;
-    struct cl_engine *engine;
+    struct cl_engine *engine = NULL;
     struct cl_scan_options options;
 
     if (argc != 2) {

diff --git a/libclamav/bytecode_api.c b/libclamav/bytecode_api.c
@@ -2315,7 +2315,7 @@ int32_t cli_bcapi_json_get_string(struct cli_bc_ctx *ctx, int8_t *str, int32_t s
         return str_len;
     } else {
         /* limit on len+1 */
-        strncpy((char *)str, jstr, len);
+        memcpy((char *)str, jstr, len);
         str[len] = '\0';
         return len + 1;
     }

diff --git a/libclamav/bytecode_vm.c b/libclamav/bytecode_vm.c
@@ -388,6 +388,8 @@ static always_inline struct stack_entry *pop_stack(struct stack *stack,
         READ1(op1, BINOP(1));                               \
         sop0 = op0;                                         \
         sop1 = op1;                                         \
+        (void)sop0;                                         \
+        (void)sop1;                                         \
         OP;                                                 \
         W0(inst->dest, res);                                \
         break;                                              \
@@ -399,6 +401,8 @@ static always_inline struct stack_entry *pop_stack(struct stack *stack,
         READ8(op1, BINOP(1));                               \
         sop0 = op0;                                         \
         sop1 = op1;                                         \
+        (void)sop0;                                         \
+        (void)sop1;                                         \
         OP;                                                 \
         W1(inst->dest, res);                                \
         break;                                              \
@@ -410,6 +414,8 @@ static always_inline struct stack_entry *pop_stack(struct stack *stack,
         READ16(op1, BINOP(1));                              \
         sop0 = op0;                                         \
         sop1 = op1;                                         \
+        (void)sop0;                                         \
+        (void)sop1;                                         \
         OP;                                                 \
         W2(inst->dest, res);                                \
         break;                                              \
@@ -421,6 +427,8 @@ static always_inline struct stack_entry *pop_stack(struct stack *stack,
         READ32(op1, BINOP(1));                              \
         sop0 = op0;                                         \
         sop1 = op1;                                         \
+        (void)sop0;                                         \
+        (void)sop1;                                         \
         OP;                                                 \
         W3(inst->dest, res);                                \
         break;                                              \
@@ -432,6 +440,8 @@ static always_inline struct stack_entry *pop_stack(struct stack *stack,
         READ64(op1, BINOP(1));                              \
         sop0 = op0;                                         \
         sop1 = op1;                                         \
+        (void)sop0;                                         \
+        (void)sop1;                                         \
         OP;                                                 \
         W4(inst->dest, res);                                \
         break;                                              \
@@ -534,6 +544,24 @@ static always_inline struct stack_entry *pop_stack(struct stack *stack,
         break;                                                                    \
     }
 
+#define DEFINE_OP_BC_RET_VOID(OP, T)                                              \
+    case OP: {                                                                    \
+        operand_t ret;                                                            \
+        CHECK_GT(stack_depth, 0);                                                 \
+        stack_depth--;                                                            \
+        stack_entry = pop_stack(&stack, stack_entry, &func, &ret, &bb,            \
+                                &bb_inst);                                        \
+        values      = stack_entry ? stack_entry->values : ctx->values;            \
+        CHECK_GT(func->numBytes, ret);                                            \
+        if (!bb) {                                                                \
+            stop = CL_BREAK;                                                      \
+            continue;                                                             \
+        }                                                                         \
+        stackid = ptr_register_stack(&ptrinfos, values, 0, func->numBytes) >> 32; \
+        inst    = &bb->insts[bb_inst];                                            \
+        break;                                                                    \
+    }
+
 struct ptr_info {
     uint8_t *base;
     uint32_t size;
@@ -797,11 +825,11 @@ cl_error_t cli_vm_execute(const struct cli_bc *bc, struct cli_bc_ctx *ctx, const
             DEFINE_OP_BC_RET_N(OP_BC_RET * 5 + 3, uint32_t, READ32, WRITE32);
             DEFINE_OP_BC_RET_N(OP_BC_RET * 5 + 4, uint64_t, READ64, WRITE64);
 
-            DEFINE_OP_BC_RET_N(OP_BC_RET_VOID * 5, uint8_t, (void), (void));
-            DEFINE_OP_BC_RET_N(OP_BC_RET_VOID * 5 + 1, uint8_t, (void), (void));
-            DEFINE_OP_BC_RET_N(OP_BC_RET_VOID * 5 + 2, uint8_t, (void), (void));
-            DEFINE_OP_BC_RET_N(OP_BC_RET_VOID * 5 + 3, uint8_t, (void), (void));
-            DEFINE_OP_BC_RET_N(OP_BC_RET_VOID * 5 + 4, uint8_t, (void), (void));
+            DEFINE_OP_BC_RET_VOID(OP_BC_RET_VOID * 5, uint8_t);
+            DEFINE_OP_BC_RET_VOID(OP_BC_RET_VOID * 5 + 1, uint8_t);
+            DEFINE_OP_BC_RET_VOID(OP_BC_RET_VOID * 5 + 2, uint8_t);
+            DEFINE_OP_BC_RET_VOID(OP_BC_RET_VOID * 5 + 3, uint8_t);
+            DEFINE_OP_BC_RET_VOID(OP_BC_RET_VOID * 5 + 4, uint8_t);
 
             DEFINE_ICMPOP(OP_BC_ICMP_EQ, res = (op0 == op1));
             DEFINE_ICMPOP(OP_BC_ICMP_NE, res = (op0 != op1));

diff --git a/libclamav/crtmgr.c b/libclamav/crtmgr.c
@@ -394,11 +394,11 @@ static cl_error_t crtmgr_get_recov_data(BIGNUM *sig, cli_crt *x509,
                                         uint8_t **buffer, uint8_t **payload,
                                         int *payload_len)
 {
-    BN_CTX *bnctx;
+    BN_CTX *bnctx = NULL;
     int pad_size;
     int keylen;
-    uint8_t *d;
-    BIGNUM *x;
+    uint8_t *d = NULL;
+    BIGNUM *x = NULL;
     cl_error_t ret;
 
     *buffer      = NULL;

diff --git a/libclamav/disasm.c b/libclamav/disasm.c
@@ -1316,9 +1316,11 @@ static const uint8_t *disasm_x86(const uint8_t *command, unsigned int len, struc
                     switch (x87_st[table][rm].args) {
                         case X87_S:
                             reversed = 1;
+                            /* fall-through */
                         case X87_R:
                             s->args[reversed ^ 1].access = ACCESS_REG;
                             s->args[reversed ^ 1].reg    = X86_REG_ST0;
+                            /* fall-through */
                         case X87_ONE:
                             s->args[reversed].access = ACCESS_REG;
                             s->args[reversed].reg    = X86_REG_ST0 + (rm & 7);
@@ -1403,11 +1405,13 @@ static const uint8_t *disasm_x86(const uint8_t *command, unsigned int len, struc
                     case ADDR_REG_SS:
                     case ADDR_REG_DS:
                         assert(x86ops[table][s->table_op].dsize == SIZE_WORD);
+                        /* fall-through */
                     case ADDR_REG_ESP:
                     case ADDR_REG_EBP:
                     case ADDR_REG_ESI:
                     case ADDR_REG_EDI:
                         assert(x86ops[table][s->table_op].dsize != SIZE_BYTE && x86ops[table][s->table_op].dsize != SIZE_BYTEH);
+                        /* fall-through */
                     case ADDR_REG_EAX:
                     case ADDR_REG_ECX:
                     case ADDR_REG_EDX:
@@ -1453,6 +1457,7 @@ static const uint8_t *disasm_x86(const uint8_t *command, unsigned int len, struc
                     case ADDR_MRM_GEN_CR:
                     case ADDR_MRM_GEN_DR:
                         reversed = 1;
+                        /* fall-through */
 
                     case ADDR_MRM_GEN_EG:
                     case ADDR_MRM_GEN_ES:
@@ -1500,8 +1505,10 @@ static const uint8_t *disasm_x86(const uint8_t *command, unsigned int len, struc
                                 break;
                             case SIZE_WD:
                                 s->args[reversed].size += (s->opsize == 0);
+                                /* fall-through */
                             case SIZE_WORD:
                                 s->args[reversed].size++;
+                                /* fall-through */
                             case SIZE_BYTE:
                                 break;
                             default:
@@ -1743,6 +1750,7 @@ const uint8_t *cli_disasm_one(const uint8_t *buff, unsigned int len,
                 break;
             case ACCESS_REG:
                 w->arg[i][1] = s.args[i].reg;
+                /* fall-through */
             default:
                 cli_writeint32(&w->arg[i][2], s.args[i].arg.q);
                 cli_writeint32(&w->arg[i][6], s.args[i].arg.q >> 32);

diff --git a/libclamav/dsig.c b/libclamav/dsig.c
@@ -86,7 +86,7 @@ static unsigned char *cli_decodesig(const char *sig, unsigned int plen, BIGNUM *
     int i, slen = strlen(sig), dec;
     unsigned char *plain = NULL, *ret_sig = NULL;
     BIGNUM *r = NULL, *p = NULL, *c = NULL;
-    BN_CTX *bn_ctx;
+    BN_CTX *bn_ctx = NULL;
     unsigned int bn_bytes;
     ;
 
@@ -331,7 +331,8 @@ cl_error_t cli_versig(const char *md5, const char *dsig)
 #define BLK_LEN (PAD_LEN - HASH_LEN - 1)
 int cli_versig2(const unsigned char *sha256, const char *dsig_str, const char *n_str, const char *e_str)
 {
-    unsigned char *decoded, digest1[HASH_LEN], digest2[HASH_LEN], digest3[HASH_LEN], *salt;
+    unsigned char *decoded = NULL;
+    unsigned char digest1[HASH_LEN], digest2[HASH_LEN], digest3[HASH_LEN], *salt;
     unsigned char mask[BLK_LEN], data[BLK_LEN], final[8 + 2 * HASH_LEN], c[4];
     unsigned int i, rounds;
     void *ctx;
@@ -360,8 +361,8 @@ int cli_versig2(const unsigned char *sha256, const char *dsig_str, const char *n
     }
 
     if (decoded[PAD_LEN - 1] != 0xbc) {
-        free(decoded);
         ret = CL_EVERIFY;
+        goto done;
     }
     BN_free(n);
     BN_free(e);
@@ -372,6 +373,7 @@ int cli_versig2(const unsigned char *sha256, const char *dsig_str, const char *n
     memcpy(mask, decoded, BLK_LEN);
     memcpy(digest2, &decoded[BLK_LEN], HASH_LEN);
     free(decoded);
+    decoded = NULL;
 
     c[0] = c[1] = 0;
     rounds      = (BLK_LEN + HASH_LEN - 1) / HASH_LEN;
@@ -417,6 +419,7 @@ int cli_versig2(const unsigned char *sha256, const char *dsig_str, const char *n
     return memcmp(digest1, digest2, HASH_LEN) ? CL_EVERIFY : CL_SUCCESS;
 
 done:
+    free(decoded);
     BN_free(n);
     BN_free(e);
     return ret;

diff --git a/libclamav/explode.c b/libclamav/explode.c
@@ -198,8 +198,8 @@ int explode_init(struct xplstate *X, uint16_t flags)
         }                                                                 \
     }
 
-#define GETCODES(CASE, WHICH, HOWMANY)                                        \
-    case CASE: {                                                              \
+#define GETCODES(WHICH, HOWMANY)                                              \
+    {                                                                         \
         if (!X->avail_in) return EXPLODE_EBUFF;                               \
         if (!X->got)                                                          \
             need = *X->next_in;                                               \
@@ -227,6 +227,7 @@ int explode_init(struct xplstate *X, uint16_t flags)
 
 #define SETCASE(CASE)         \
     X->state = (CASE);        \
+    /* fall-through */        \
     case (CASE): { /* FAKE */ \
     }
 
@@ -236,14 +237,19 @@ int explode(struct xplstate *X)
     int temp = -1;
 
     switch (X->state) {
-        /* grab compressed coded literals, if present */
-        GETCODES(GRABLITS, lit_tree, 256);
-        /* grab compressed coded lens */
-        GETCODES(GRABLENS, len_tree, 64);
-        /* grab compressed coded dists */
-        GETCODES(GRABDISTS, dist_tree, 64);
+        case GRABLITS: { /* grab compressed coded literals, if present */
+            GETCODES(lit_tree, 256);
+        } /* fall-through */
 
-        case EXPLODE:
+        case GRABLENS: { /* grab compressed coded lens */
+            GETCODES(len_tree, 64);
+        } /* fall-through */
+
+        case GRABDISTS: { /* grab compressed coded dists */
+            GETCODES(dist_tree, 64);
+        } /* fall-through */
+
+        case EXPLODE: {
             while (X->avail_in || X->bits) {
                 GETBIT; /* can't fail */
                 if (val) {
@@ -315,6 +321,7 @@ int explode(struct xplstate *X)
                 }
                 X->state = EXPLODE;
             }
+        }
     }
     return EXPLODE_EBUFF;
 }

diff --git a/libclamav/filtering.c b/libclamav/filtering.c
@@ -210,7 +210,7 @@ int filter_add_static(struct filter *m, const unsigned char *pattern, unsigned l
     for (j = 0; (best < 100 && j < MAX_CHOICES) || (j < maxlen); j++) {
         uint32_t num = MAXSOPATLEN;
         uint8_t k;
-        if (j + 2 > len)
+        if ((unsigned long)(j + 2) > len)
             break;
         for (k = j; k < len - 1 && (k - j < MAXSOPATLEN); k++) {
             q = cli_readint16(&pattern[k]);
@@ -323,7 +323,7 @@ enum badness {
 };
 static inline void get_score(enum badness badness, unsigned i, const struct filter *m, const struct char_spec *spec0, const struct char_spec *spec1, int32_t *score, int32_t *score_end)
 {
-    int32_t base;
+    int32_t base = 0;
     unsigned k0, k1, num_introduced = 0, num_end_introduced = 0;
     switch (badness) {
         case reject:

diff --git a/libclamav/hwp.c b/libclamav/hwp.c
@@ -1525,7 +1525,7 @@ static inline cl_error_t parsehwp3_infoblk_1(cli_ctx *ctx, fmap_t *dmap, size_t
     char field[HWP3_FIELD_LENGTH];
 #endif
 #if HAVE_JSON
-    json_object *infoblk_1, *contents, *counter, *entry;
+    json_object *infoblk_1, *contents = NULL, *counter, *entry = NULL;
 #endif
 
     hwp3_debug("HWP3.x: Information Block @ offset %llu\n", infoloc);
@@ -1757,7 +1757,7 @@ static cl_error_t hwp3_cb(void *cbdata, int fd, const char *filepath, cli_ctx *c
     int i, p = 0, last = 0;
     uint16_t nstyles;
 #if HAVE_JSON
-    json_object *fonts;
+    json_object *fonts = NULL;
 #endif
 
     UNUSEDPARAM(filepath);