From: Christos Zoulas
Date: Mon, 10 Oct 2016 20:44:15 +0000 (+0000)
Subject: Fix off-by-one detecting \r\n (Jonas Wagner)
X-Git-Url: https://granicus.if.org/sourcecode?a=commitdiff_plain;h=2ff17368a162a4f5c3013737414ede9acd3f85d3;p=file
Fix off-by-one detecting \r\n (Jonas Wagner)
The bug was found using FUSS, the Fuzzer on a Shoestring. This is a research project done at the Dependable Systems Lab, EPFL, Switzerland.
---
diff --git a/src/softmagic.c b/src/softmagic.c
index 80b02461..8f5314c7 100644
--- a/src/softmagic.c
+++ b/src/softmagic.c
@@ -32,7 +32,7 @@
 #include "file.h"
 #ifndef lint
-FILE_RCSID("@(#)$File: softmagic.c,v 1.236 2016/07/20 11:27:08 christos Exp $")
+FILE_RCSID("@(#)$File: softmagic.c,v 1.237 2016/10/10 20:44:15 christos Exp $")
 #endif /* lint */
 #include "magic.h"
@@ -1227,7 +1227,7 @@ mcopy(struct magic_set *ms, union VALUETYPE *p, int type, int indir,
 memchr(c, '\r', CAST(size_t, (end - c))))));
 lines--, b++) {
 last = b;
- if (b[0] == '\r' && b[1] == '\n')
+ if (b < end - 1 && b[0] == '\r' && b[1] == '\n')
 b++;
 }
 if (lines)
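Review bot: The new guard `b < end - 1` in mcopy has no comment explaining that `b` can be the last byte of the searched range, which is what let the old `b[1]` read go one past `end`; a line such as `/* b may be the last byte before end: do not read b[1] */` above the `if` would keep the bound from being dropped in a later cleanup. Writing the test as `end - b > 1` would state it as a remaining-length check, in the same terms as the `end - c` length passed to `memchr` on the context line. The `for` header starts above the hunk; if it searches for '\n' first and only falls back to the '\r' search shown here, it is worth confirming that the `\r\n` branch can still be taken at all once the over-read is excluded. The commit as shown adds no regression input, for example a buffer ending in a lone '\r', to pin the fixed behaviour.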