From: Christos Zoulas
Date: Wed, 24 Nov 2004 17:38:24 +0000 (+0000)
Subject: Fixes from Jakub Bogusz , stack overwrite, elf overread.
X-Git-Tag: FILE4_12~4
X-Git-Url: https://granicus.if.org/sourcecode?a=commitdiff_plain;h=60cbd2f805f11c8eb32fdf2b153daf039d7809d1;p=file
Fixes from Jakub Bogusz , stack overwrite, elf overread.
---
diff --git a/src/readelf.c b/src/readelf.c
index e9fc0e74..b18209f9 100644
--- a/src/readelf.c
+++ b/src/readelf.c
@@ -37,7 +37,7 @@
 #include "readelf.h"
 #ifndef lint
-FILE_RCSID("@(#)$Id: readelf.c,v 1.44 2004/11/21 05:20:31 christos Exp $")
+FILE_RCSID("@(#)$Id: readelf.c,v 1.45 2004/11/24 17:38:24 christos Exp $")
 #endif
 #ifdef ELFCORE
@@ -254,7 +254,8 @@ dophn_core(struct magic_set *ms, int class, int swap, int fd, off_t off,
 file_badseek(ms);
 return -1;
 }
- bufsize = read(fd, nbuf, sizeof(nbuf));
+ bufsize = read(fd, nbuf,
+ ((ph_filesz < sizeof(nbuf)) ? ph_filesz : sizeof(nbuf)));
 if (bufsize == -1) {
 file_badread(ms);
 return -1;
@@ -325,7 +326,7 @@ donote(struct magic_set *ms, unsigned char *nbuf, size_t offset, size_t size,
 }
 offset = ELF_ALIGN(doff + descsz);
- if (offset + descsz > size) {
+ if (doff + descsz > size) {
 return offset;
 }
@@ -710,7 +711,8 @@ dophn_exec(struct magic_set *ms, int class, int swap, int fd, off_t off,
 file_badseek(ms);
 return -1;
 }
- bufsize = read(fd, nbuf, sizeof(nbuf));
+ bufsize = read(fd, nbuf, ((ph_filesz < sizeof(nbuf)) ?
+ ph_filesz : sizeof(nbuf)));
 if (bufsize == -1) {
 file_badread(ms);
 return -1;
diff --git a/src/softmagic.c b/src/softmagic.c
index 912215d9..1202f726 100644
--- a/src/softmagic.c
+++ b/src/softmagic.c
@@ -39,7 +39,7 @@
 #ifndef lint
-FILE_RCSID("@(#)$Id: softmagic.c,v 1.71 2004/11/21 06:09:43 christos Exp $")
+FILE_RCSID("@(#)$Id: softmagic.c,v 1.72 2004/11/24 17:38:25 christos Exp $")
 #endif /* lint */
 private int match(struct magic_set *, struct magic *, uint32_t,
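Review bot: In the dophn_core hunk the read length is now clamped to ph_filesz, but a short read is still not handled: only `bufsize == -1` is rejected, so bufsize may be anything from 0 up to the requested length, and the tail of nbuf beyond it is whatever the stack held. The loop that walks the notes in nbuf runs after this hunk (dophn_core's body continues past the last line shown), so it must bound itself by bufsize, not by ph_filesz or sizeof(nbuf), for the clamp to actually close the overread. If it already does, a comment on the read would save the next reader the same check, e.g. `/* bufsize, not ph_filesz, is the valid extent of nbuf: read() may return short */`. The enclosing function starts outside the hunk.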
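Review bot: In the donote hunk, `doff + descsz > size` can wrap if descsz is a 32-bit value taken from the note header on a 32-bit host (descsz's declaration is outside the hunk): a descsz near the type's maximum makes the sum small, the check passes, and the descriptor is read past nbuf, the same class of overread this commit is fixing. The subtraction form cannot overflow: `if (doff > size || descsz > size - doff) return offset;`. `ELF_ALIGN(doff + descsz)` on the preceding context line has the same wrap, so the aligned offset should be computed after the check rather than before it. Whether doff is already known to be within size at this point depends on the namesz check earlier in donote, which is not visible here; the function starts and ends outside the hunk.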
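Review bot: In the dophn_exec hunk the clamp `((ph_filesz < sizeof(nbuf)) ? ph_filesz : sizeof(nbuf))` is now spelled a second time, wrapped differently from the copy in dophn_core a few hunks up; two hand-written copies of a bounds computation tend to drift apart on the next fix. A single helper keeps them identical, e.g. `#define MIN(a, b) ((a) < (b) ? (a) : (b))` near the top of readelf.c and `bufsize = read(fd, nbuf, MIN(ph_filesz, sizeof(nbuf)));` at both call sites. The same short-read caveat applies here as in dophn_core: only -1 is rejected, so the note walker after this hunk must use bufsize as the extent of nbuf. dophn_exec's body continues outside the hunk.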
@@ -663,7 +663,7 @@ mcopy(struct magic_set *ms, union VALUETYPE *p, int type, int indir,
 * might even cause problems */
 if (nbytes < sizeof(*p))
- (void)memset(p + nbytes, '\0', sizeof(*p) - nbytes);
+ (void)memset(((char *)p) + nbytes, '\0', sizeof(*p) - nbytes);
 return 0;
 }
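Review bot: The cast is the right fix but the reason is not recorded, and the line reads as a gratuitous cast to anyone who does not know the history: without it `p + nbytes` advances in units of `sizeof(union VALUETYPE)`, so the memset started up to `nbytes * sizeof(*p)` bytes beyond p and wrote over the caller's stack, which is the "stack overwrite" in the commit subject. A one-line comment above the memset would pin that down: `/* byte arithmetic: p + nbytes would step in units of sizeof(*p) */`. `unsigned char *` would match the byte-oriented intent slightly better than `char *`, but either is correct here. mcopy begins before this hunk, so the type of nbytes and how p is sized are not visible in it.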