Fixes from Jakub Bogusz <qboosh@pld-linux.org>, stack overwrite, elf overread.

diff --git a/src/readelf.c b/src/readelf.c
index e9fc0e74f29911951b7c7e4b6fe1d5f60036a41b..b18209f95df19c376f4f0a14a79696b818865eda 100644 (file)
--- a/src/readelf.c
+++ b/src/readelf.c
@@ -37,7 +37,7 @@
 #include "readelf.h"
 
 #ifndef lint
-FILE_RCSID("@(#)$Id: readelf.c,v 1.44 2004/11/21 05:20:31 christos Exp $")
+FILE_RCSID("@(#)$Id: readelf.c,v 1.45 2004/11/24 17:38:24 christos Exp $")
 #endif
 
 #ifdef ELFCORE
@@ -254,7 +254,8 @@ dophn_core(struct magic_set *ms, int class, int swap, int fd, off_t off,
                        file_badseek(ms);
                        return -1;
                }
-               bufsize = read(fd, nbuf, sizeof(nbuf));
+               bufsize = read(fd, nbuf,
+                   ((ph_filesz < sizeof(nbuf)) ? ph_filesz : sizeof(nbuf)));
                if (bufsize == -1) {
                        file_badread(ms);
                        return -1;
@@ -325,7 +326,7 @@ donote(struct magic_set *ms, unsigned char *nbuf, size_t offset, size_t size,
        }
 
        offset = ELF_ALIGN(doff + descsz);
-       if (offset + descsz > size) {
+       if (doff + descsz > size) {
                return offset;
        }
 
@@ -710,7 +711,8 @@ dophn_exec(struct magic_set *ms, int class, int swap, int fd, off_t off,
                                file_badseek(ms);
                                return -1;
                        }
-                       bufsize = read(fd, nbuf, sizeof(nbuf));
+                       bufsize = read(fd, nbuf, ((ph_filesz < sizeof(nbuf)) ?
+                           ph_filesz : sizeof(nbuf)));
                        if (bufsize == -1) {
                                file_badread(ms);
                                return -1;

diff --git a/src/softmagic.c b/src/softmagic.c
index 912215d973f8172d9969f2188d321ae339e696b3..1202f72661888adfaf2d20edbdb12cc89a38cd02 100644 (file)
--- a/src/softmagic.c
+++ b/src/softmagic.c
@@ -39,7 +39,7 @@
 
 
 #ifndef        lint
-FILE_RCSID("@(#)$Id: softmagic.c,v 1.71 2004/11/21 06:09:43 christos Exp $")
+FILE_RCSID("@(#)$Id: softmagic.c,v 1.72 2004/11/24 17:38:25 christos Exp $")
 #endif /* lint */
 
 private int match(struct magic_set *, struct magic *, uint32_t,
@@ -663,7 +663,7 @@ mcopy(struct magic_set *ms, union VALUETYPE *p, int type, int indir,
         * might even cause problems
         */
        if (nbytes < sizeof(*p))
-               (void)memset(p + nbytes, '\0', sizeof(*p) - nbytes);
+               (void)memset(((char *)p) + nbytes, '\0', sizeof(*p) - nbytes);
        return 0;
 }