CVE-2015-2222: clamav: crash on crafted petite packed file

[Sebastian Andrzej Siewior <cve-announce () ml breakpoint cc>]

Petite [0] is a tool for compressing PE files on windows.
Clamav [1] is a virus scanning tool which is able to unpack
such files during scanning.

Once the file has been identified as "petite" compressed before the
decompressing process is started it is possible that a specially crafted
file tells clamav to read more data than it allocated memory. On glibc it
leads to SIGABRT on free() since glibc's malloc() recognizes this.
A fix to this bug is part of the 0.98.7 release.

This is a different issue than the one reported in CVE-2015-1463.
This bug has been discovered by AFL [3], american fuzzy lop.

[0] http://www.un4seen.com/petite/
[1] http://www.clamav.net/
[2] https://github.com/vrtadmin/clamav-devel/commit/8aeedf3c4282bc916d6f6c290e1e530d125ec953
[3] http://lcamtuf.coredump.cx/afl/

Sebastian