- added patch which fixes some classes of compiler warnings; at least the

using of implicitly declared functions was reported to cause segfaults on AMD64 (brought to my attention by Marc Perkel) - added patch which fixes wrong usage of strncpy(3) in unrarlib.c
2006-04-24 22:05:45 +00:00 · 2006-04-24 22:05:45 +00:00 · a4a6d252be
parent 1f384df090
commit a4a6d252be
3 changed files with 197 additions and 2 deletions
--- a/clamav-0.88.1-guys,please-read-the-compiler-warnings-before-doing-a-release.patch
+++ b/clamav-0.88.1-guys,please-read-the-compiler-warnings-before-doing-a-release.patch
@ -0,0 +1,157 @@
+2006-04-24  Enrico Scholz <enrico.scholz@informatik.tu-chemnitz.de>
+
+	* Guys, please read the compiler warnings before releasing a
+	  new version. The compiler is clever enough to warn you about
+	  issues like
+
+	  | encrypted = (zdirent.d_flags & 0x2041 != 0);
+
+	  with
+
+          | scanners.c:381: warning: suggest parentheses around comparison in operand of &
+
+
+	  Ditto about the usage of implicitly declared functions.
+
+	  Warnings about uninitialized variables shall be taken
+	  seriously too; this patch fixes one existing issue. The
+	  htmlnorm.c parser should be reviewed.
+
+
+	* this patch does not fix:
+
+	  - things like
+	    | ole2_extract.c:86: warning: 'packed' attribute ignored for field of type 'unsigned char[7u]'
+
+	    which are caused by
+
+	    struct foo {
+		char	a[2] __attribute__((__packed__));
+		char	b __attribute__((__packed__));
+	    };
+
+            which can/should be written as
+
+	    struct foo {
+		char	a[2];
+		char	b;
+	    }  __attribute__((__packed__));
+
+	  - signed/unsigned comparisions. This was really too much to
+	    get fixed now. It will require rewrite/review of the
+	    complete code to use 'size_t' instead of 'int' for sizes.
+
+	    Lot of bufferover- and underflows can be prevented by
+	    correct signess.
+
+	  - missing prototypes like
+
+	    | warning: no previous prototype for
+
+
+	  'clamav' is used to operate on hostile data so its source
+	  code should have a good quality. Building with a high warning
+	  level and removing reasons for such warnings is a cheap way
+	  to eliminate a huge part of potential problems.
+
+
+
+--- clamav-0.88.1/clamd/others.c.guys,please-read-the-compiler-warnings-before-doing-a-release.patch	2005-10-30 21:22:01.000000000 +0100
+++ clamav-0.88.1/clamd/others.c	2006-04-24 22:53:27.000000000 +0200
+@@ -30,6 +30,7 @@
+ #include <sys/stat.h>
+ #include <errno.h>
+ #include <sys/time.h>
+#include <sys/wait.h>
+ 
+ #if HAVE_SYS_PARAM_H
+ #include <sys/param.h>
+@@ -68,6 +69,7 @@
+ #include "memory.h"
+ #include "cfgparser.h"
+ #include "session.h"
+#include "../shared/output.h"
+ 
+ #define ENV_FILE  "CLAM_VIRUSEVENT_FILENAME"
+ #define ENV_VIRUS "CLAM_VIRUSEVENT_VIRUSNAME"
+--- clamav-0.88.1/shared/misc.c.guys,please-read-the-compiler-warnings-before-doing-a-release.patch	2005-12-23 22:25:10.000000000 +0100
+++ clamav-0.88.1/shared/misc.c	2006-04-24 22:53:27.000000000 +0200
+@@ -28,6 +28,7 @@
+ #include <sys/types.h>
+ #include <sys/stat.h>
+ #include <fcntl.h>
+#include <ctype.h>
+ 
+ #include "clamav.h"
+ #include "cfgparser.h"
+--- clamav-0.88.1/freshclam/manager.c.guys,please-read-the-compiler-warnings-before-doing-a-release.patch	2006-03-25 18:39:25.000000000 +0100
+++ clamav-0.88.1/freshclam/manager.c	2006-04-24 22:53:27.000000000 +0200
+@@ -50,6 +50,7 @@
+ #include "../libclamav/others.h"
+ #include "../libclamav/str.h" /* cli_strtok */
+ #include "dns.h"
+#include "execute.h"
+ 
+ 
+ int downloadmanager(const struct cfgstruct *copt, const struct optstruct *opt, const char *hostname)
+--- clamav-0.88.1/libclamav/zziplib/zzip-zip.c.guys,please-read-the-compiler-warnings-before-doing-a-release.patch	2006-03-28 01:43:53.000000000 +0200
+++ clamav-0.88.1/libclamav/zziplib/zzip-zip.c	2006-04-24 22:57:44.000000000 +0200
+@@ -16,6 +16,7 @@
+ #endif
+ 
+ #include "target.h"
+#include "others.h"
+ 
+ #include <zzip.h>                                  /* archive handling */
+ #include <zzip-file.h>
+--- clamav-0.88.1/libclamav/scanners.c.guys,please-read-the-compiler-warnings-before-doing-a-release.patch	2006-04-04 11:32:55.000000000 +0200
+++ clamav-0.88.1/libclamav/scanners.c	2006-04-24 22:53:27.000000000 +0200
+@@ -69,6 +69,7 @@ extern int cli_mbox(const char *dir, int
+ #include "untar.h"
+ #include "special.h"
+ #include "binhex.h"
+#include "../tnef.h"
+ 
+ #ifdef HAVE_ZLIB_H
+ #include <zlib.h>
+@@ -378,7 +379,7 @@ static int cli_scanzip(int desc, const c
+ 	 * Bit 6: Strong encryption was used
+ 	 * Bit 13: Encrypted central directory
+ 	 */
+-	encrypted = (zdirent.d_flags & 0x2041 != 0);
+	encrypted = (zdirent.d_flags & 0x2041) != 0;
+ 
+ 	cli_dbgmsg("Zip: %s, crc32: 0x%x, offset: %d, encrypted: %d, compressed: %u, normal: %u, method: %d, ratio: %d (max: %d)\n", zdirent.d_name, zdirent.d_crc32, zdirent.d_off, encrypted, zdirent.d_csize, zdirent.st_size, zdirent.d_compr, zdirent.d_csize ? (zdirent.st_size / zdirent.d_csize) : 0, limits ? limits->maxratio : 0);
+ 
+--- clamav-0.88.1/libclamav/pe.c.guys,please-read-the-compiler-warnings-before-doing-a-release.patch	2006-03-28 21:22:02.000000000 +0200
+++ clamav-0.88.1/libclamav/pe.c	2006-04-24 22:53:27.000000000 +0200
+@@ -1451,7 +1451,7 @@ int cli_peheader(int desc, struct cli_pe
+ {
+ 	uint16_t e_magic; /* DOS signature ("MZ") */
+ 	uint32_t e_lfanew; /* address of new exe header */
+-	uint32_t min, max;
+	uint32_t min=0, max=0;
+ 	struct pe_image_file_hdr file_hdr;
+ 	struct pe_image_optional_hdr optional_hdr;
+ 	struct pe_image_section_hdr *section_hdr;
+--- clamav-0.88.1/libclamav/htmlnorm.c.guys,please-read-the-compiler-warnings-before-doing-a-release.patch	2006-03-22 19:03:35.000000000 +0100
+++ clamav-0.88.1/libclamav/htmlnorm.c	2006-04-24 22:53:27.000000000 +0200
+@@ -391,7 +391,7 @@ static int cli_html_normalise(int fd, m_
+ {
+ 	int fd_tmp, tag_length, tag_arg_length, binary;
+ 	int retval=FALSE, escape, value, hex, tag_val_length, table_pos, in_script=FALSE;
+-	FILE *stream_in;
+	FILE *stream_in = 0;
+ 	html_state state=HTML_NORM, next_state=HTML_BAD_STATE;
+ 	char filename[1024], tag[HTML_STR_LENGTH+1], tag_arg[HTML_STR_LENGTH+1];
+ 	char tag_val[HTML_STR_LENGTH+1], *tmp_file;
+--- clamav-0.88.1/libclamav/special.c.guys,please-read-the-compiler-warnings-before-doing-a-release.patch	2005-06-23 22:03:13.000000000 +0200
+++ clamav-0.88.1/libclamav/special.c	2006-04-24 22:53:27.000000000 +0200
+@@ -25,6 +25,7 @@
+ #include <netinet/in.h>
+ #include <string.h>
+ 
+#include "special.h"
+ #include "clamav.h"
+ #include "others.h"
+ #include "cltypes.h"
--- a/clamav-0.88.1-strncpy.patch
+++ b/clamav-0.88.1-strncpy.patch
@ -0,0 +1,26 @@
+2006-04-24  Enrico Scholz <enrico.scholz@informatik.tu-chemnitz.de>
+
+	* libclamav/unrarlib.c/stricomp(): terminate the string copied
+	  with strncpy() explicitly with '\0'. Does not seem to be
+	  exploitable at the moment due to deeply buried constraints
+	  (function will be called for buffers with a static size of
+	  260 only).
+
+	  But it is better to fix it now than to run into problems
+	  when function is used for other purposes.
+
+--- clamav-0.88.1/libclamav/unrarlib.c.strncpy	2005-06-23 22:03:12.000000000 +0200
+++ clamav-0.88.1/libclamav/unrarlib.c	2006-04-24 23:10:07.000000000 +0200
+@@ -1180,8 +1180,10 @@ int stricomp(char *Str1,char *Str2)
+   char S1[512],S2[512];
+   char *chptr;
+ 
+-  strncpy(S1,Str1,sizeof(S1));
+-  strncpy(S2,Str2,sizeof(S2));
+  strncpy(S1,Str1,sizeof(S1));
+  strncpy(S2,Str2,sizeof(S2));
+  S1[sizeof(S1)-1] = '\0';
+  S2[sizeof(S2)-1] = '\0';
+ 
+   while((chptr = strchr(S1, '\\')) != NULL) /* ignore backslash             */
+   {
--- a/clamav.spec
+++ b/clamav.spec
@ -1,4 +1,4 @@
-## $Id: clamav.spec,v 1.32 2006/02/18 09:33:59 ensc Exp $
+## $Id: clamav.spec,v 1.33 2006/04/06 16:50:58 ensc Exp $

 ## This package understands the following switches:
 ## --without milter          ...  deactivate the -milter subpackage
@ -22,7 +22,7 @@
 Summary:	End-user tools for the Clam Antivirus scanner
 Name:		clamav
 Version:	0.88.1
-Release:	%release_func 1
+Release:	%release_func 2

 License:	GPL
 Group:		Applications/File
@ -36,6 +36,8 @@ Source5:	clamd-README
 Source6:	clamav-update.logrotate
 Source7:	clamd.SERVICE.init
 Source8:	clamav-notify-servers
+Patch0:		clamav-0.88.1-guys,please-read-the-compiler-warnings-before-doing-a-release.patch
+Patch1:		clamav-0.88.1-strncpy.patch
 Patch20:	clamav-0.70-user.patch
 Patch21:	clamav-0.70-path.patch
 Patch22:	clamav-0.80-initoff.patch
@ -162,6 +164,9 @@ THIS PACKAGE IS TO BE CONSIDERED AS EXPERIMENTAL!

 %prep
 %setup -q
+%patch0  -p1 -b '.guys,please-read-the-compiler-warnings-before-doing-a-release.patch'
+%patch1  -p1 -b .strncpy
+
 %patch20 -p1 -b .user
 %patch21 -p1 -b .path
 %patch22 -p1 -b .initoff
@ -186,6 +191,7 @@ perl -pi -e 's!^#(UpdateLogFile )!\1!g;' etc/freshclam.conf
 ## See https://bugzilla.redhat.com/beta/show_bug.cgi?id=131385 and
 ## http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0797
 ## also
+CFLAGS="$RPM_OPT_FLAGS -Wall -W -W -Wmissing-prototypes -Wmissing-declarations -std=gnu99"
 %configure --disable-clamav --with-dbdir=/var/lib/clamav \
           --disable-zlib-vcheck \
 	   %{!?_without_milter:--enable-milter}
@ -426,6 +432,12 @@ test "$1"  = 0 || %{_initrddir}/clamav-milter condrestart >/dev/null || :
 %endif	# _without_milter

 %changelog
+* Mon Apr 24 2006 Enrico Scholz <enrico.scholz@informatik.tu-chemnitz.de> - 0.88.1-2
+- added patch which fixes some classes of compiler warnings; at least
+  the using of implicitly declared functions was reported to cause
+  segfaults on AMD64 (brought to my attention by Marc Perkel)
+- added patch which fixes wrong usage of strncpy(3) in unrarlib.c
+
 * Thu Apr 06 2006 Enrico Scholz <enrico.scholz@informatik.tu-chemnitz.de> - 0.88.1-1
 - updated to 0.88.1 (SECURITY)