powerel7
/
base
2
0
Fork 0
Code Issues Pull Requests Releases Activity
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
646 Commits
1 Branch
0 Tags
390 MiB
 
 
 
 
 
 
Tree: b558cfd63a
Branches Tags
${ item.name }
Create tag ${ searchTerm }
Create branch ${ searchTerm }
from 'b558cfd63a'
${ noResults }
base/SOURCES/file-5.11-CVE-2014-1943.patch

137 lines
5.0 KiB
Raw Blame History

diff --git a/src/ascmagic.c b/src/ascmagic.c
index 8d6ca95..cfa3951 100644
--- a/src/ascmagic.c
+++ b/src/ascmagic.c
@@ -147,7 +147,7 @@ file_ascmagic_with_encoding(struct magic_set *ms, const unsigned char *buf,
== NULL)
goto done;
if ((rv = file_softmagic(ms, utf8_buf,
- (size_t)(utf8_end - utf8_buf), TEXTTEST, text)) == 0)
+ (size_t)(utf8_end - utf8_buf), 0, TEXTTEST, text)) == 0)
rv = -1;
}
diff --git a/src/file.h b/src/file.h
index 175f659..e02009f 100644
--- a/src/file.h
+++ b/src/file.h
@@ -414,7 +414,7 @@ protected int file_encoding(struct magic_set *, const unsigned char *, size_t,
unichar **, size_t *, const char **, const char **, const char **);
protected int file_is_tar(struct magic_set *, const unsigned char *, size_t);
protected int file_softmagic(struct magic_set *, const unsigned char *, size_t,
- int, int);
+ size_t, int, int);
protected struct mlist *file_apprentice(struct magic_set *, const char *, int);
protected uint64_t file_signextend(struct magic_set *, struct magic *,
uint64_t);
diff --git a/src/funcs.c b/src/funcs.c
index 0b2a3d0..0d645eb 100644
--- a/src/funcs.c
+++ b/src/funcs.c
@@ -228,7 +228,7 @@ file_buffer(struct magic_set *ms, int fd, const char *inname __attribute__ ((unu
/* try soft magic tests */
if ((ms->flags & MAGIC_NO_CHECK_SOFT) == 0)
- if ((m = file_softmagic(ms, ubuf, nb, BINTEST,
+ if ((m = file_softmagic(ms, ubuf, nb, 0, BINTEST,
looks_text)) != 0) {
if ((ms->flags & MAGIC_DEBUG) != 0)
(void)fprintf(stderr, "softmagic %d\n", m);
diff --git a/src/softmagic.c b/src/softmagic.c
index 22e1190..56f09ee 100644
--- a/src/softmagic.c
+++ b/src/softmagic.c
@@ -41,11 +41,12 @@ FILE_RCSID("@(#)$File: softmagic.c,v 1.147 2011/11/05 15:44:22 rrt Exp $")
#include <stdlib.h>
#include <time.h>
+#define OFFSET_OOB(n, o, i) ((n) < (o) || (i) >= ((n) - (o)))
private int match(struct magic_set *, struct magic *, uint32_t,
- const unsigned char *, size_t, int, int);
+ const unsigned char *, size_t, int, int, int);
private int mget(struct magic_set *, const unsigned char *,
- struct magic *, size_t, unsigned int, int);
+ struct magic *, size_t, unsigned int, int, int);
private int magiccheck(struct magic_set *, struct magic *);
private int32_t mprint(struct magic_set *, struct magic *);
private int32_t moffset(struct magic_set *, struct magic *);
@@ -67,13 +68,13 @@ private void cvt_64(union VALUETYPE *, const struct magic *);
/*ARGSUSED1*/ /* nbytes passed for regularity, maybe need later */
protected int
file_softmagic(struct magic_set *ms, const unsigned char *buf, size_t nbytes,
- int mode, int text)
+ size_t level, int mode, int text)
{
struct mlist *ml;
int rv;
for (ml = ms->mlist->next; ml != ms->mlist; ml = ml->next)
if ((rv = match(ms, ml->magic, ml->nmagic, buf, nbytes, mode,
- text)) != 0)
+ text, level)) != 0)
return rv;
return 0;
@@ -108,7 +109,8 @@ file_softmagic(struct magic_set *ms, const unsigned char *buf, size_t nbytes,
*/
private int
match(struct magic_set *ms, struct magic *magic, uint32_t nmagic,
- const unsigned char *s, size_t nbytes, int mode, int text)
+ const unsigned char *s, size_t nbytes, int mode, int text,
+ int recursion_level)
{
uint32_t magindex = 0;
unsigned int cont_level = 0;
@@ -140,7 +142,7 @@ match(struct magic_set *ms, struct magic *magic, uint32_t nmagic,
ms->line = m->lineno;
/* if main entry matches, print it... */
- switch (mget(ms, s, m, nbytes, cont_level, text)) {
+ switch (mget(ms, s, m, nbytes, cont_level, text, recursion_level + 1)) {
case -1:
return -1;
case 0:
@@ -223,7 +225,7 @@ match(struct magic_set *ms, struct magic *magic, uint32_t nmagic,
continue;
}
#endif
- switch (mget(ms, s, m, nbytes, cont_level, text)) {
+ switch (mget(ms, s, m, nbytes, cont_level, text, recursion_level + 1)) {
case -1:
return -1;
case 0:
@@ -1018,12 +1020,18 @@ mcopy(struct magic_set *ms, union VALUETYPE *p, int type, int indir,
private int
mget(struct magic_set *ms, const unsigned char *s,
- struct magic *m, size_t nbytes, unsigned int cont_level, int text)
+ struct magic *m, size_t nbytes, unsigned int cont_level, int text,
+ int recursion_level)
{
uint32_t offset = ms->offset;
uint32_t count = m->str_range;
union VALUETYPE *p = &ms->ms_value;
+ if (recursion_level >= 20) {
+ file_error(ms, 0, "recursion nesting exceeded");
+ return -1;
+ }
+
if (mcopy(ms, p, m->type, m->flag & INDIR, s, offset, nbytes, count) == -1)
return -1;
@@ -1580,10 +1588,12 @@ mget(struct magic_set *ms, const unsigned char *s,
if ((ms->flags & (MAGIC_MIME|MAGIC_APPLE)) == 0 &&
file_printf(ms, "%s", m->desc) == -1)
return -1;
- if (nbytes < offset)
+ if (offset == 0)
return 0;
+ if (OFFSET_OOB(nbytes, offset, 0))
+ return 0;
return file_softmagic(ms, s + offset, nbytes - offset,
- BINTEST, text);
+ recursion_level, BINTEST, text);
case FILE_DEFAULT: /* nothing to check */
default: