change indirect recursion limit to a use count and bump it from 15 to 50

to prevent abuse.

diff --git a/ChangeLog b/ChangeLog
index 3c0b5a34551fd61ec51ab8d8f89bc432beaaea13..24c06c8a569492596bc2e59f9fc9ed7fc652e30e 100644 (file)
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,3 +1,8 @@
+2016-03-21  11:56  Christos Zoulas <christos@zoulas.com>
+
+       * Change indirect recursion limit to indirect use count and
+         bump from 15 to 50 to prevent abuse.
+
 2016-03-13  20:39  Christos Zoulas <christos@zoulas.com>
 
        * Add -00 which prints filename\0description\0

diff --git a/src/ascmagic.c b/src/ascmagic.c
index 1cd9adda74871022829fb09a6941d7dcf54687c3..4a53ed0485203e0408e7d5695cb018e8334e161c 100644 (file)
--- a/src/ascmagic.c
+++ b/src/ascmagic.c
@@ -35,7 +35,7 @@
 #include "file.h"
 
 #ifndef        lint
-FILE_RCSID("@(#)$File: ascmagic.c,v 1.91 2014/11/28 02:46:39 christos Exp $")
+FILE_RCSID("@(#)$File: ascmagic.c,v 1.92 2015/04/09 20:01:41 christos Exp $")
 #endif /* lint */
 
 #include "magic.h"
@@ -147,7 +147,7 @@ file_ascmagic_with_encoding(struct magic_set *ms, const unsigned char *buf,
                    == NULL)
                        goto done;
                if ((rv = file_softmagic(ms, utf8_buf,
-                   (size_t)(utf8_end - utf8_buf), 0, NULL,
+                   (size_t)(utf8_end - utf8_buf), NULL, NULL,
                    TEXTTEST, text)) == 0)
                        rv = -1;
        }

diff --git a/src/file.h b/src/file.h
index 7177842f858931556952f8a1cd5e51cfea9678db..96bba00728a0d31f4316ea70ad0992d83729effa 100644 (file)
--- a/src/file.h
+++ b/src/file.h
@@ -27,7 +27,7 @@
  */
 /*
  * file.h - definitions for file(1) program
- * @(#)$File: file.h,v 1.175 2016/01/19 04:17:07 christos Exp $
+ * @(#)$File: file.h,v 1.176 2016/02/10 15:57:40 christos Exp $
  */
 
 #ifndef __file_h__
@@ -419,7 +419,7 @@ struct magic_set {
        uint16_t elf_phnum_max;
        uint16_t elf_notes_max;
        uint16_t regex_max;
-#define        FILE_INDIR_MAX                  15
+#define        FILE_INDIR_MAX                  50
 #define        FILE_NAME_MAX                   30
 #define        FILE_ELF_SHNUM_MAX              32768
 #define        FILE_ELF_PHNUM_MAX              2048
@@ -464,7 +464,7 @@ protected int file_encoding(struct magic_set *, const unsigned char *, size_t,
     unichar **, size_t *, const char **, const char **, const char **);
 protected int file_is_tar(struct magic_set *, const unsigned char *, size_t);
 protected int file_softmagic(struct magic_set *, const unsigned char *, size_t,
-    uint16_t, uint16_t *, int, int);
+    uint16_t *, uint16_t *, int, int);
 protected int file_apprentice(struct magic_set *, const char *, int);
 protected int buffer_apprentice(struct magic_set *, struct magic **,
     size_t *, size_t);

diff --git a/src/funcs.c b/src/funcs.c
index b1e91de9ca4e84d3f0691bae0728c0026bb63d27..8225fc448d04b1f0393df2977c7c216f70db6071 100644 (file)
--- a/src/funcs.c
+++ b/src/funcs.c
@@ -27,7 +27,7 @@
 #include "file.h"
 
 #ifndef        lint
-FILE_RCSID("@(#)$File: funcs.c,v 1.87 2015/09/22 15:40:32 christos Exp $")
+FILE_RCSID("@(#)$File: funcs.c,v 1.88 2016/02/10 15:57:40 christos Exp $")
 #endif /* lint */
 
 #include "magic.h"
@@ -251,7 +251,8 @@ file_buffer(struct magic_set *ms, int fd, const char *inname __attribute__ ((__u
 
        /* try soft magic tests */
        if ((ms->flags & MAGIC_NO_CHECK_SOFT) == 0)
-               m = file_softmagic(ms, ubuf, nb, 0, NULL, BINTEST, looks_text);
+               m = file_softmagic(ms, ubuf, nb, NULL, NULL, BINTEST,
+                   looks_text);
                if ((ms->flags & MAGIC_DEBUG) != 0)
                        (void)fprintf(stderr, "[try softmagic %d]\n", m);
                if (m) {

diff --git a/src/softmagic.c b/src/softmagic.c
index cca4ab86e6d713ff75ebe4e5ca4146c5e96f55a4..3a785847bf66f2116c6a5cba548e8d678656a2ca 100644 (file)
--- a/src/softmagic.c
+++ b/src/softmagic.c
@@ -32,7 +32,7 @@
 #include "file.h"
 
 #ifndef        lint
-FILE_RCSID("@(#)$File: softmagic.c,v 1.225 2016/01/19 15:08:50 christos Exp $")
+FILE_RCSID("@(#)$File: softmagic.c,v 1.226 2016/03/02 18:27:53 christos Exp $")
 #endif /* lint */
 
 #include "magic.h"
@@ -44,10 +44,10 @@ FILE_RCSID("@(#)$File: softmagic.c,v 1.225 2016/01/19 15:08:50 christos Exp $")
 #include "der.h"
 
 private int match(struct magic_set *, struct magic *, uint32_t,
-    const unsigned char *, size_t, size_t, int, int, int, uint16_t,
+    const unsigned char *, size_t, size_t, int, int, int, uint16_t *,
     uint16_t *, int *, int *, int *);
 private int mget(struct magic_set *, const unsigned char *,
-    struct magic *, size_t, size_t, unsigned int, int, int, int, uint16_t,
+    struct magic *, size_t, size_t, unsigned int, int, int, int, uint16_t *,
     uint16_t *, int *, int *, int *);
 private int magiccheck(struct magic_set *, struct magic *);
 private int32_t mprint(struct magic_set *, struct magic *);
@@ -88,20 +88,24 @@ private int cvt_64(union VALUETYPE *, const struct magic *);
 /*ARGSUSED1*/          /* nbytes passed for regularity, maybe need later */
 protected int
 file_softmagic(struct magic_set *ms, const unsigned char *buf, size_t nbytes,
-    uint16_t indir_level, uint16_t *name_count, int mode, int text)
+    uint16_t *indir_count, uint16_t *name_count, int mode, int text)
 {
        struct mlist *ml;
        int rv, printed_something = 0, need_separator = 0;
-       uint16_t nc;
+       uint16_t nc, ic;
 
        if (name_count == NULL) {
                nc = 0;
                name_count = &nc;
        }
+       if (indir_count == NULL) {
+               ic = 0;
+               indir_count = ⁣
+       }
 
        for (ml = ms->mlist[0]->next; ml != ms->mlist[0]; ml = ml->next)
                if ((rv = match(ms, ml->magic, ml->nmagic, buf, nbytes, 0, mode,
-                   text, 0, indir_level, name_count,
+                   text, 0, indir_count, name_count,
                    &printed_something, &need_separator, NULL)) != 0)
                        return rv;
 
@@ -157,7 +161,7 @@ file_fmtcheck(struct magic_set *ms, const struct magic *m, const char *def,
 private int
 match(struct magic_set *ms, struct magic *magic, uint32_t nmagic,
     const unsigned char *s, size_t nbytes, size_t offset, int mode, int text,
-    int flip, uint16_t indir_level, uint16_t *name_count,
+    int flip, uint16_t *indir_count, uint16_t *name_count,
     int *printed_something, int *need_separator, int *returnval)
 {
        uint32_t magindex = 0;
@@ -195,7 +199,7 @@ match(struct magic_set *ms, struct magic *magic, uint32_t nmagic,
 
                /* if main entry matches, print it... */
                switch (mget(ms, s, m, nbytes, offset, cont_level, mode, text,
-                   flip, indir_level, name_count,
+                   flip, indir_count, name_count,
                    printed_something, need_separator, returnval)) {
                case -1:
                        return -1;
@@ -285,7 +289,7 @@ match(struct magic_set *ms, struct magic *magic, uint32_t nmagic,
                        }
 #endif
                        switch (mget(ms, s, m, nbytes, offset, cont_level, mode,
-                           text, flip, indir_level, name_count,
+                           text, flip, indir_count, name_count,
                            printed_something, need_separator, returnval)) {
                        case -1:
                                return -1;
@@ -1242,7 +1246,7 @@ mcopy(struct magic_set *ms, union VALUETYPE *p, int type, int indir,
 private int
 mget(struct magic_set *ms, const unsigned char *s, struct magic *m,
     size_t nbytes, size_t o, unsigned int cont_level, int mode, int text,
-    int flip, uint16_t indir_level, uint16_t *name_count,
+    int flip, uint16_t *indir_count, uint16_t *name_count,
     int *printed_something, int *need_separator, int *returnval)
 {
        uint32_t offset = ms->offset;
@@ -1253,9 +1257,9 @@ mget(struct magic_set *ms, const unsigned char *s, struct magic *m,
        union VALUETYPE *p = &ms->ms_value;
        struct mlist ml;
 
-       if (indir_level >= ms->indir_max) {
-               file_error(ms, 0, "indirect recursion nesting (%hu) exceeded",
-                   indir_level);
+       if (*indir_count >= ms->indir_max) {
+               file_error(ms, 0, "indirect count (%hu) exceeded",
+                   *indir_count);
                return -1;
        }
 
@@ -1274,7 +1278,7 @@ mget(struct magic_set *ms, const unsigned char *s, struct magic *m,
                    SIZE_T_FORMAT "u, " "nbytes=%" SIZE_T_FORMAT
                    "u, il=%hu, nc=%hu)\n",
                    m->type, m->flag, offset, o, nbytes,
-                   indir_level, *name_count);
+                   *indir_count, *name_count);
                mdebug(offset, (char *)(void *)p, sizeof(union VALUETYPE));
 #ifndef COMPILE_ONLY
                file_mdump(m);
@@ -1704,8 +1708,9 @@ mget(struct magic_set *ms, const unsigned char *s, struct magic *m,
                if ((pb = file_push_buffer(ms)) == NULL)
                        return -1;
 
+               (*indir_count)++;
                rv = file_softmagic(ms, s + offset, nbytes - offset,
-                   indir_level + 1, name_count, BINTEST, text);
+                   indir_count, name_count, BINTEST, text);
 
                if ((ms->flags & MAGIC_DEBUG) != 0)
                        fprintf(stderr, "indirect @offs=%u[%d]\n", offset, rv);
@@ -1745,7 +1750,7 @@ mget(struct magic_set *ms, const unsigned char *s, struct magic *m,
                if (m->flag & NOSPACE)
                        *need_separator = 0;
                rv = match(ms, ml.magic, ml.nmagic, s, nbytes, offset + o,
-                   mode, text, flip, indir_level, name_count,
+                   mode, text, flip, indir_count, name_count,
                    printed_something, need_separator, returnval);
                if (rv != 1)
                    *need_separator = oneed_separator;