From 86d451c3d700c21ce3c23e182e20435bd490e0cd Mon Sep 17 00:00:00 2001
From: Micah Snyder
Date: Thu, 18 May 2023 12:13:42 -0700
Subject: [PATCH] Fix infinite loop when scanning some DMG archives

When decompressing a zlib stream, it's possible to reach end of stream before running out of available bytes. In the DMG parser, this may cause an infinite loop. This commit adds a check for the condition where stream has ended before running out of input.

Fixes: https://github.com/Cisco-Talos/clamav/issues/925
---
 libclamav/hfsplus.c | 11 ++++++++---
 1 file changed, 8 insertions(+), 3 deletions(-)

diff --git a/libclamav/hfsplus.c b/libclamav/hfsplus.c
index b2cae69747..1d15c4d99c 100644
--- a/libclamav/hfsplus.c
+++ b/libclamav/hfsplus.c
@@ -1256,9 +1256,9 @@ static cl_error_t hfsplus_walk_catalog(cli_ctx *ctx, hfsPlusVolumeHeader *volHea
 stream.next_out = uncompressed;
 while (stream.avail_in > 0) {
- ret = inflate(&stream, Z_NO_FLUSH);
- if (ret != Z_OK && ret != Z_STREAM_END) {
- cli_dbgmsg("hfsplus_walk_catalog: Failed to extract (%d)\n", ret);
+ int z_ret = inflate(&stream, Z_NO_FLUSH);
+ if (z_ret != Z_OK && z_ret != Z_STREAM_END) {
+ cli_dbgmsg("hfsplus_walk_catalog: Failed to extract (%d)\n", z_ret);
 ret = CL_EFORMAT;
 break;
 }
@@ -1271,6 +1271,11 @@ static cl_error_t hfsplus_walk_catalog(cli_ctx *ctx, hfsPlusVolumeHeader *volHea
 written += sizeof(uncompressed) - stream.avail_out;
 stream.avail_out = sizeof(uncompressed);
 stream.next_out = uncompressed;
+ if (stream.avail_in > 0 && Z_STREAM_END == z_ret) {
+ cli_dbgmsg("hfsplus_walk_catalog: Reached end of stream even though there's still some available bytes left!\n");
+ break;
+ }
 }
 } else {
 if (cli_writen(ofd, &block[streamBeginning ? 1 : 0], readLen - (streamBeginning ? 1 : 0)) != readLen - (streamBeginning ? 1 : 0)) {
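Review bot: The new `z_ret` declaration at the top of the inflate loop carries no comment saying why the zlib status is held apart from `ret`, which the surrounding code uses for `cl_error_t` values such as `CL_EFORMAT`. A short note at the declaration would stop a later cleanup from merging the two again, for example `int z_ret = inflate(&stream, Z_NO_FLUSH); /* zlib status only; ret stays a cl_error_t */`. The loop body continues outside this hunk, and `z_ret` is read again in the second hunk, so it has to stay in scope across the lines in between that are not shown here.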
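Review bot: The added early-end branch breaks out of the inflate loop without assigning `ret`, so the function's status is whatever it was before, and the input bytes that follow the end of the zlib stream are neither decompressed nor written by this path. If trailing data after `Z_STREAM_END` is meant to be a malformed-archive condition, set `ret = CL_EFORMAT;` before the `break`, as the failure branch in the first hunk does. If it is deliberately tolerated, say so in a comment such as `/* trailing bytes after end of stream are ignored, not an error */`, since `cli_dbgmsg` is the only trace left. Whether the enclosing block-read loop also stops once the stream has ended cannot be seen from this hunk and is worth confirming. The comparison `Z_STREAM_END == z_ret` is also written constant-first, unlike `z_ret != Z_STREAM_END` a few lines above.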