Skip to content

Commit

Permalink
Fix infinite loop when scanning some DMG archives
Browse files Browse the repository at this point in the history 
When decompressing a zlib stream, it's possible to reach end of stream
before running out of available bytes. In the DMG parser, this may cause
an infinite loop.

This commit adds a check for the condition where stream has ended before
running out of input.

Fixes: #925
  • Loading branch information
@micahsnyder
micahsnyder committed Aug 14, 2023
1 parent d0179cc commit 86d451c
Showing 1 changed file with 8 additions and 3 deletions.
11 changes: 8 additions & 3 deletions libclamav/hfsplus.c
View file
Original file line number Diff line number Diff line change
Expand Up @@ -1256,9 +1256,9 @@ static cl_error_t hfsplus_walk_catalog(cli_ctx *ctx, hfsPlusVolumeHeader *volHea
stream.next_out = uncompressed;

while (stream.avail_in > 0) {
ret = inflate(&stream, Z_NO_FLUSH);
if (ret != Z_OK && ret != Z_STREAM_END) {
cli_dbgmsg("hfsplus_walk_catalog: Failed to extract (%d)\n", ret);
int z_ret = inflate(&stream, Z_NO_FLUSH);
if (z_ret != Z_OK && z_ret != Z_STREAM_END) {
cli_dbgmsg("hfsplus_walk_catalog: Failed to extract (%d)\n", z_ret);
ret = CL_EFORMAT;
break;
}
Expand All @@ -1271,6 +1271,11 @@ static cl_error_t hfsplus_walk_catalog(cli_ctx *ctx, hfsPlusVolumeHeader *volHea
written += sizeof(uncompressed) - stream.avail_out;
stream.avail_out = sizeof(uncompressed);
stream.next_out = uncompressed;

if (stream.avail_in > 0 && Z_STREAM_END == z_ret) {
cli_dbgmsg("hfsplus_walk_catalog: Reached end of stream even though there's still some available bytes left!\n");
break;
}
}
} else {
if (cli_writen(ofd, &block[streamBeginning ? 1 : 0], readLen - (streamBeginning ? 1 : 0)) != readLen - (streamBeginning ? 1 : 0)) {
Expand Down

0 comments on commit 86d451c

Please sign in to comment.