From: Christos Zoulas
Date: Wed, 15 Oct 2003 01:51:24 +0000 (+0000)
Subject: Don't lookup past the end of the buffer.
X-Git-Tag: FILE5_05~929
X-Git-Url: https://granicus.if.org/sourcecode?a=commitdiff_plain;h=ee34c1968aa09bee50b5ebd8c87ed01ba3e7893f;p=file

Don't lookup past the end of the buffer.
From: Chad Hanson
---
diff --git a/src/magic.c b/src/magic.c
index 3fe8273a..87f5529e 100644
--- a/src/magic.c
+++ b/src/magic.c
@@ -65,7 +65,7 @@
 #include "patchlevel.h"
 
 #ifndef lint
-FILE_RCSID("@(#)$Id: magic.c,v 1.14 2003/10/14 19:29:55 christos Exp $")
+FILE_RCSID("@(#)$Id: magic.c,v 1.15 2003/10/15 01:51:24 christos Exp $")
 #endif /* lint */
 
 #ifdef __EMX__
@@ -269,7 +269,7 @@ magic_file(struct magic_set *ms, const char *inname)
 		return file_getbuffer(ms);
 	}
 #endif
-	if (file_buffer(ms, buf, (size_t)nbytes) == -1)
+	if (file_buffer(ms, buf, (size_t)nbytes - 1) == -1)
 		goto done;
 #ifdef BUILTIN_ELF
 	if (nbytes > 5) {
diff --git a/src/softmagic.c b/src/softmagic.c
index e70b5243..0172ba25 100644
--- a/src/softmagic.c
+++ b/src/softmagic.c
@@ -44,7 +44,7 @@
 
 
 #ifndef lint
-FILE_RCSID("@(#)$Id: softmagic.c,v 1.62 2003/10/14 19:29:55 christos Exp $")
+FILE_RCSID("@(#)$Id: softmagic.c,v 1.63 2003/10/15 01:51:24 christos Exp $")
 #endif /* lint */
 
 private int match(struct magic_set *, struct magic *, uint32_t,
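Review bot: In the magic.c `@@ -269` hunk, `(size_t)nbytes - 1` wraps to SIZE_MAX when `nbytes` is 0, which would hand file_buffer() an enormous length and defeat the purpose of the change. The read() that fills `buf` and any empty-input check that precede this line are outside the hunk, so whether 0 can reach here is inferred rather than visible; if the `- 1` exists because a terminator was appended to `buf` earlier, a comment should say so, e.g. `/* exclude the terminator appended after the read; nbytes >= 1 is expected here */`, and a guard such as `if (nbytes < 1) goto done;` immediately before it would make the invariant explicit. magic_file's body starts and ends outside the hunk.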
@@ -636,6 +636,40 @@ mget(struct magic_set *ms, union VALUETYPE *p, const unsigned char *s,
 		memcpy(p, s + offset, nbytes - offset);
 	}
 
+	/* Verify we have enough data to match magic type */
+	switch (m->type) {
+	case FILE_BYTE:
+		if (nbytes < (offset + 1)) /* should alway be true */
+			return 0;
+		break;
+
+	case FILE_SHORT:
+	case FILE_BESHORT:
+	case FILE_LESHORT:
+		if (nbytes < (offset + 2))
+			return 0;
+		break;
+
+	case FILE_LONG:
+	case FILE_BELONG:
+	case FILE_LELONG:
+	case FILE_DATE:
+	case FILE_BEDATE:
+	case FILE_LEDATE:
+	case FILE_LDATE:
+	case FILE_BELDATE:
+	case FILE_LELDATE:
+		if (nbytes < (offset + 4))
+			return 0;
+		break;
+
+	case FILE_STRING:
+	case FILE_PSTRING:
+		if (nbytes < (offset + m->vallen))
+			return 0;
+		break;
+	}
+
 	if ((ms->flags & MAGIC_DEBUG) != 0) {
 		mdebug(offset, (char *)(void *)p, sizeof(union VALUETYPE));
 		file_mdump(m);
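Review bot: The new length checks are placed after the `memcpy(p, s + offset, nbytes - offset)` on the hunk's first context line, so they cannot stop that copy from reading past `s` when `offset` exceeds `nbytes` — in that case `nbytes - offset` wraps to a huge count (the condition guarding this branch is outside the hunk, so whether such an offset can reach it is inferred). Moving the `switch` above the copy, or adding `if (offset > nbytes) return 0;` before it, would cover both the copy and the per-type reads. The `switch` also has no `default:`, so any `m->type` value not listed passes with no length check at all; an explicit `default: break;` with a comment stating that those types are expected to bound their own reads would make the gap visible to the next reader. The comment on the FILE_BYTE check should read `/* should always be true */`. mget's body starts and ends outside the hunk.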