Don't lookup past the end of the buffer.

From: Chad Hanson <chanson@tcs-sec.com>

diff --git a/src/magic.c b/src/magic.c
index 3fe8273aaf9d3bcf8bc966d61b50cfdbb41b9732..87f5529ed8b22d4e663e54f9d5ea3f7ffa22d34a 100644 (file)
--- a/src/magic.c
+++ b/src/magic.c
@@ -65,7 +65,7 @@
 #include "patchlevel.h"
 
 #ifndef        lint
-FILE_RCSID("@(#)$Id: magic.c,v 1.14 2003/10/14 19:29:55 christos Exp $")
+FILE_RCSID("@(#)$Id: magic.c,v 1.15 2003/10/15 01:51:24 christos Exp $")
 #endif /* lint */
 
 #ifdef __EMX__
@@ -269,7 +269,7 @@ magic_file(struct magic_set *ms, const char *inname)
                        return file_getbuffer(ms);
                }
 #endif
-               if (file_buffer(ms, buf, (size_t)nbytes) == -1)
+               if (file_buffer(ms, buf, (size_t)nbytes - 1) == -1)
                        goto done;
 #ifdef BUILTIN_ELF
                if (nbytes > 5) {

diff --git a/src/softmagic.c b/src/softmagic.c
index e70b5243ed9235cca8a4e5671cffaecd4976a80b..0172ba2507f8003afe061c45ecc9d6aa44d5aaee 100644 (file)
--- a/src/softmagic.c
+++ b/src/softmagic.c
@@ -44,7 +44,7 @@
 
 
 #ifndef        lint
-FILE_RCSID("@(#)$Id: softmagic.c,v 1.62 2003/10/14 19:29:55 christos Exp $")
+FILE_RCSID("@(#)$Id: softmagic.c,v 1.63 2003/10/15 01:51:24 christos Exp $")
 #endif /* lint */
 
 private int match(struct magic_set *, struct magic *, uint32_t,
@@ -636,6 +636,40 @@ mget(struct magic_set *ms, union VALUETYPE *p, const unsigned char *s,
                        memcpy(p, s + offset, nbytes - offset);
        }
 
+       /* Verify we have enough data to match magic type */
+       switch (m->type) {
+               case FILE_BYTE:
+                       if (nbytes < (offset + 1)) /* should alway be true */
+                               return 0;
+                       break;
+
+               case FILE_SHORT:
+               case FILE_BESHORT:
+               case FILE_LESHORT:
+                       if (nbytes < (offset + 2))
+                               return 0;
+                       break;
+
+               case FILE_LONG:
+               case FILE_BELONG:
+               case FILE_LELONG:
+               case FILE_DATE:
+               case FILE_BEDATE:
+               case FILE_LEDATE:
+               case FILE_LDATE:
+               case FILE_BELDATE:
+               case FILE_LELDATE:
+                       if (nbytes < (offset + 4))
+                               return 0;
+                       break;
+
+               case FILE_STRING:
+               case FILE_PSTRING:
+                       if (nbytes < (offset + m->vallen))
+                               return 0;
+                       break;
+       }
+
        if ((ms->flags & MAGIC_DEBUG) != 0) {
                mdebug(offset, (char *)(void *)p, sizeof(union VALUETYPE));
                file_mdump(m);