Cisco-Talos · micahsnyder · Aug 17, 2023 · Aug 7, 2023 · Aug 7, 2023 · Aug 7, 2023
diff --git a/clamdtop/clamdtop.c b/clamdtop/clamdtop.c
@@ -205,12 +205,21 @@ static char *clamd_header       = NULL;
 static void resize(void)
 {
     char *p;
-    unsigned new_maxy, new_maxx;
+    int new_maxy, new_maxx;
+
     getmaxyx(stdscr, new_maxy, new_maxx);
-    if (new_maxy == maxy && new_maxx == maxx)
+    if (new_maxy == -1 || new_maxx == -1) {
+        fprintf(stderr, "Failed to get terminal size\n");
+        return;
+    }
+
+    if ((unsigned int)new_maxy == maxy && (unsigned int)new_maxx == maxx) {
+        // no change
         return;
-    maxx = new_maxx;
-    maxy = new_maxy;
+    }
+
+    maxx = (unsigned int)new_maxx;
+    maxy = (unsigned int)new_maxy;
     free(queue_header);
     free(clamd_header);
     queue_header = malloc(maxx + 1);

diff --git a/clamonacc/inotif/inotif.c b/clamonacc/inotif/inotif.c
@@ -138,12 +138,12 @@ static int onas_ddd_grow_wdlt(void)
 int onas_ddd_init(uint64_t nwatches, size_t ht_size)
 {
 
-    const char *nwatch_file = "/proc/sys/fs/inotify/max_user_watches";
-    int nwfd                = 0;
-    int ret                 = 0;
-    char nwatch_str[MAX_WATCH_LEN];
-    char *p  = NULL;
-    nwatches = 0;
+    const char *nwatch_file            = "/proc/sys/fs/inotify/max_user_watches";
+    int nwfd                           = 0;
+    int ret                            = 0;
+    char nwatch_str[MAX_WATCH_LEN + 1] = {0};
+    char *p                            = NULL;
+    nwatches                           = 0;
 
     nwfd = open(nwatch_file, O_RDONLY);
     if (nwfd < 0) return CL_EOPEN;

diff --git a/libclamav/aspack.c b/libclamav/aspack.c
@@ -286,7 +286,10 @@ static int decrypt(struct ASPK *stream, uint8_t *stuff, uint32_t size, uint8_t *
             if (!build_decrypt_dictionaries(stream)) return 0;
             continue;
         }
-        if ((backbytes = (gen - 256) >> 3) >= 58) return 0; /* checks init_array + stuff */
+        backbytes = (gen - 256) >> 3;
+        // backbytes is < 720. 719 - 256 = 463. 463 >> 3 = 57 (max).
+        // So backbytes cannot overrun the init_array.
+
         backsize = ((gen - 256) & 7) + 2;
         if ((backsize - 2) == 7) {
             uint8_t hlp;

diff --git a/libclamav/blob.c b/libclamav/blob.c
@@ -210,7 +210,7 @@ int blobAddData(blob *b, const unsigned char *data, size_t len)
 #if HAVE_CLI_GETPAGESIZE
     if (pagesize == 0) {
         pagesize = cli_getpagesize();
-        if (pagesize == 0)
+        if (pagesize <= 0)
             pagesize = 4096;
     }
     growth = pagesize;

diff --git a/libclamav/bytecode.c b/libclamav/bytecode.c
@@ -3056,8 +3056,8 @@ void cli_bytecode_describe(const struct cli_bc *bc)
     printf("Bytecode format functionality level: %u\n", bc->metadata.formatlevel);
     printf("Bytecode metadata:\n\tcompiler version: %s\n",
            bc->metadata.compiler ? bc->metadata.compiler : "N/A");
-    printf("\tcompiled on: (%d) %s",
-           (uint32_t)stamp,
+    printf("\tcompiled on: (" STDu64 ") %s",
+           (uint64_t)stamp,
            cli_ctime(&stamp, buf, sizeof(buf)));
     printf("\tcompiled by: %s\n", bc->metadata.sigmaker ? bc->metadata.sigmaker : "N/A");
     /*TODO: parse and display arch name, also take it into account when

diff --git a/libclamav/egg.c b/libclamav/egg.c
@@ -970,8 +970,6 @@ static void print_posix_info_mode(uint32_t mode)
         printf("p");
     } else if (mode & POSIX_INFO_MODE_SYM_LINK) {
         printf("l");
-    } else if (mode & POSIX_INFO_MODE_SOCKET) {
-        printf("s");
     }
     /* Owner/Group/Other permissions */
     if (mode & POSIX_INFO_MODE_PERM_OWNER_READ) {

diff --git a/libfreshclam/libfreshclam_internal.c b/libfreshclam/libfreshclam_internal.c
@@ -732,7 +732,10 @@ static fc_error_t create_curl_handle(
 #endif
 
     /* Authenticate using a client certificate and private key, if specified by the FRESHCLAM_CLIENT_CERT, FRESHCLAM_CLIENT_KEY, and FRESHCLAM_CLIENT_KEY_PASSWD environment variables. */
-    set_tls_client_certificate(curl);
+    if (CL_SUCCESS != set_tls_client_certificate(curl)) {
+        logg(LOGG_DEBUG, "create_curl_handle: Failed to set certificate and private key for client authentiation.\n");
+        goto done;
+    }
 
     *curlHandle = curl;
     status      = FC_SUCCESS;

diff --git a/sigtool/sigtool.c b/sigtool/sigtool.c
@@ -1073,7 +1073,7 @@ static int build(const struct optstruct *opts)
     strcat(header, builder);
 
     /* add current time */
-    sprintf(header + strlen(header), ":%u", (unsigned int)timet);
+    sprintf(header + strlen(header), ":" STDu64, (uint64_t)timet);
 
     if (writeinfo(dbname, builder, header, opts, dblist2, dblist2cnt) == -1) {
         mprintf(LOGG_ERROR, "build: Can't generate info file\n");
@@ -1177,7 +1177,7 @@ static int build(const struct optstruct *opts)
     strcat(header, builder);
 
     /* add current time */
-    sprintf(header + strlen(header), ":%u", (unsigned int)timet);
+    sprintf(header + strlen(header), ":" STDu64, (uint64_t)timet);
 
     /* fill up with spaces */
     while (strlen(header) < sizeof(header) - 1)