authorChristos Zoulas <christos@zoulas.com>2007-03-01 22:14:54 +0000
committerChristos Zoulas <christos@zoulas.com>2007-03-01 22:14:54 +0000
commit7e8ade7cbece0d0c87c0f07381c29ca3731324fe (patch)
tree9cde1b113dea0c0ea43028ec292f20c64a3b26df
parentb7840ce10ca9c220af905b1612e96dd512ef0594 (diff)
welcome to 4.20
-rw-r--r--ChangeLog5
-rw-r--r--config.h.in3
-rwxr-xr-xconfigure3
-rw-r--r--configure.in4
-rw-r--r--src/compress.c6
-rw-r--r--src/file.h4
-rw-r--r--src/funcs.c50
-rw-r--r--src/magic.c5
-rw-r--r--src/patchlevel.h7
9 files changed, 55 insertions, 32 deletions
diff --git a/ChangeLog b/ChangeLog
index 6a6d3471..31a69035 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,4 +1,9 @@
+2007-02-08 17:30 Christos Zoulas <christos@zoulas.com>
+
+ * fix integer underflow in file_printf which can lead to
+ to exploitable heap overflow (Jean-Sebastien Guay-Lero)
+
2007-02-05 11:35 Christos Zoulas <christos@zoulas.com>
* make socket/pipe reading more robust
diff --git a/config.h.in b/config.h.in
index b165be8f..f72087bb 100644
--- a/config.h.in
+++ b/config.h.in
@@ -85,6 +85,9 @@
/* Define to 1 if you have the <sys/stat.h> header file. */
#undef HAVE_SYS_STAT_H
+/* Define to 1 if you have the <sys/time.h> header file. */
+#undef HAVE_SYS_TIME_H
+
/* Define to 1 if you have the <sys/types.h> header file. */
#undef HAVE_SYS_TYPES_H
diff --git a/configure b/configure
index 32aa6a46..3ecbf60b 100755
--- a/configure
+++ b/configure
@@ -20823,7 +20823,8 @@ done
-for ac_header in sys/mman.h sys/stat.h sys/types.h sys/utime.h
+
+for ac_header in sys/mman.h sys/stat.h sys/types.h sys/utime.h sys/time.h
do
as_ac_Header=`echo "ac_cv_header_$ac_header" | $as_tr_sh`
if eval "test \"\${$as_ac_Header+set}\" = set"; then
diff --git a/configure.in b/configure.in
index de1f4c0c..df4ca298 100644
--- a/configure.in
+++ b/configure.in
@@ -1,7 +1,7 @@
dnl Process this file with autoconf to produce a configure script.
AC_INIT
AC_CONFIG_SRCDIR([src/file.c])
-AM_INIT_AUTOMAKE(file, 4.19)
+AM_INIT_AUTOMAKE(file, 4.20)
AM_CONFIG_HEADER([config.h])
AM_MAINTAINER_MODE
@@ -81,7 +81,7 @@ AC_HEADER_SYS_WAIT
AC_HEADER_STDINT
AC_CHECK_HEADERS(fcntl.h locale.h stdint.h inttypes.h unistd.h getopt.h)
AC_CHECK_HEADERS(utime.h wchar.h wctype.h)
-AC_CHECK_HEADERS(sys/mman.h sys/stat.h sys/types.h sys/utime.h)
+AC_CHECK_HEADERS(sys/mman.h sys/stat.h sys/types.h sys/utime.h sys/time.h)
dnl Checks for typedefs, structures, and compiler characteristics.
AC_C_CONST
diff --git a/src/compress.c b/src/compress.c
index 0b17adaa..e714d547 100644
--- a/src/compress.c
+++ b/src/compress.c
@@ -46,12 +46,16 @@
#ifdef HAVE_SYS_WAIT_H
#include <sys/wait.h>
#endif
+#if defined(HAVE_SYS_TIME_H)
+#include <sys/time.h>
+#endif
#ifdef HAVE_LIBZ
#include <zlib.h>
#endif
+
#ifndef lint
-FILE_RCSID("@(#)$File: compress.c,v 1.48 2007/01/25 21:05:46 christos Exp $")
+FILE_RCSID("@(#)$File: compress.c,v 1.49 2007/02/05 16:46:40 christos Exp $")
#endif
private struct {
diff --git a/src/file.h b/src/file.h
index 9324e189..b3a4f571 100644
--- a/src/file.h
+++ b/src/file.h
@@ -27,7 +27,7 @@
*/
/*
* file.h - definitions for file(1) program
- * @(#)$File: file.h,v 1.87 2007/01/25 21:05:47 christos Exp $
+ * @(#)$File: file.h,v 1.88 2007/02/05 16:46:40 christos Exp $
*/
#ifndef __file_h__
@@ -278,7 +278,7 @@ struct magic_set {
/* Accumulation buffer */
char *buf;
char *ptr;
- size_t len;
+ size_t left;
size_t size;
/* Printable buffer */
char *pbuf;
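Review bot: The renamed field `left` means something different from the old `len` (bytes still free after `ptr`, not bytes written), and the fix in funcs.c relies on the invariant that `size - left` is the number of bytes used, yet the struct gives no hint of either. A comment on the two fields would stop the next reader from reintroducing the confusion: `size_t left;	/* bytes free after ptr */` and `size_t size;	/* total bytes allocated at buf */`. The enclosing struct magic_set starts and ends outside the hunk.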
diff --git a/src/funcs.c b/src/funcs.c
index 6b7c6bc3..d944b140 100644
--- a/src/funcs.c
+++ b/src/funcs.c
@@ -26,6 +26,7 @@
*/
#include "file.h"
#include "magic.h"
+#include <assert.h>
#include <stdarg.h>
#include <stdlib.h>
#include <string.h>
@@ -38,7 +39,7 @@
#endif
#ifndef lint
-FILE_RCSID("@(#)$File: funcs.c,v 1.26 2007/01/25 21:05:47 christos Exp $")
+FILE_RCSID("@(#)$File: funcs.c,v 1.27 2007/02/05 16:46:40 christos Exp $")
#endif /* lint */
#ifndef HAVE_VSNPRINTF
@@ -52,28 +53,32 @@ protected int
file_printf(struct magic_set *ms, const char *fmt, ...)
{
va_list ap;
- size_t len;
+ size_t len, size;
char *buf;
va_start(ap, fmt);
- if ((len = vsnprintf(ms->o.ptr, ms->o.len, fmt, ap)) >= ms->o.len) {
+ if ((len = vsnprintf(ms->o.ptr, ms->o.left, fmt, ap)) >= ms->o.left) {
+ long diff; /* XXX: really ptrdiff_t */
+
va_end(ap);
- if ((buf = realloc(ms->o.buf, len + 1024)) == NULL) {
- file_oomem(ms, len + 1024);
+ size = (ms->o.size - ms->o.left) + len + 1024;
+ if ((buf = realloc(ms->o.buf, size)) == NULL) {
+ file_oomem(ms, size);
return -1;
}
- ms->o.ptr = buf + (ms->o.ptr - ms->o.buf);
+ diff = ms->o.ptr - ms->o.buf;
+ ms->o.ptr = buf + diff;
ms->o.buf = buf;
- ms->o.len = ms->o.size - (ms->o.ptr - ms->o.buf);
- ms->o.size = len + 1024;
+ ms->o.left = size - diff;
+ ms->o.size = size;
va_start(ap, fmt);
- len = vsnprintf(ms->o.ptr, ms->o.len, fmt, ap);
+ len = vsnprintf(ms->o.ptr, ms->o.left, fmt, ap);
}
- ms->o.ptr += len;
- ms->o.len -= len;
va_end(ap);
+ ms->o.ptr += len;
+ ms->o.left -= len;
return 0;
}
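Review bot: A negative return from the first `vsnprintf` (an encoding or format error) is still assigned straight into the `size_t` `len`, where it compares as a huge value and satisfies `>= ms->o.left`; `size` then wraps to a small value, and the final `ms->o.ptr += len; ms->o.left -= len;` break the cursor/left invariant (in effect `ptr` steps backwards and `left` grows), so later output is no longer bounded by the allocation — the same class of defect the commit fixes, on a rarer path. The second `vsnprintf` after the `realloc` is not checked either. Separately, `diff = ms->o.ptr - ms->o.buf;` runs after `realloc` has released the old block, so it subtracts pointers whose values are indeterminate by then; taking the offset before the call avoids that and lets `diff` be the `ptrdiff_t` the XXX comment asks for (from `<stddef.h>`, if file.h does not already provide it). The sketch below captures each return into an `int`, rejects negatives before converting, and moves the offset computation ahead of `realloc`.
```c
	int rc;
	size_t len, size;
	ptrdiff_t diff;
	char *buf;

	va_start(ap, fmt);
	rc = vsnprintf(ms->o.ptr, ms->o.left, fmt, ap);
	va_end(ap);
	if (rc < 0)
		return -1;	/* encoding/format error: ptr and left stay as they were */
	len = (size_t)rc;
	if (len >= ms->o.left) {
		diff = ms->o.ptr - ms->o.buf;	/* taken before realloc releases the old block */
		size = (ms->o.size - ms->o.left) + len + 1024;
		/* … unchanged: realloc, file_oomem, ptr/buf/left/size bookkeeping (without the diff line) … */
		va_start(ap, fmt);
		rc = vsnprintf(ms->o.ptr, ms->o.left, fmt, ap);
		va_end(ap);
		if (rc < 0)
			return -1;
		len = (size_t)rc;
	}
	ms->o.ptr += len;
	ms->o.left -= len;
	return 0;
```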
@@ -230,8 +235,8 @@ file_reset(struct magic_set *ms)
protected const char *
file_getbuffer(struct magic_set *ms)
{
- char *nbuf, *op, *np;
- size_t nsize;
+ char *pbuf, *op, *np;
+ size_t psize, len;
if (ms->haderr)
return NULL;
@@ -239,14 +244,17 @@ file_getbuffer(struct magic_set *ms)
if (ms->flags & MAGIC_RAW)
return ms->o.buf;
- nsize = ms->o.len * 4 + 1;
- if (ms->o.psize < nsize) {
- if ((nbuf = realloc(ms->o.pbuf, nsize)) == NULL) {
- file_oomem(ms, nsize);
+ len = ms->o.size - ms->o.left;
+ /* * 4 is for octal representation, + 1 is for NUL */
+ psize = len * 4 + 1;
+ assert(psize > len);
+ if (ms->o.psize < psize) {
+ if ((pbuf = realloc(ms->o.pbuf, psize)) == NULL) {
+ file_oomem(ms, psize);
return NULL;
}
- ms->o.psize = nsize;
- ms->o.pbuf = nbuf;
+ ms->o.psize = psize;
+ ms->o.pbuf = pbuf;
}
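Review bot: `assert(psize > len)` is the only guard against `len * 4 + 1` wrapping, and it disappears under `NDEBUG` while aborting the calling process in debug builds — neither is what a library should do with a length derived from its own accumulated output. An explicit check that fails through the existing error path holds in both configurations: `if (len > (SIZE_MAX - 1) / 4) { file_oomem(ms, len); return NULL; }` placed before the `psize` computation (`SIZE_MAX` is in `<stdint.h>`, which configure.in already probes; the `<assert.h>` include added earlier in this file would then be unnecessary). The `/* * 4 is for octal representation, + 1 is for NUL */` comment is helpful; adding that `len` is the count of bytes emitted so far (`size - left`, terminator excluded) would make the arithmetic self-explanatory. file_getbuffer's body continues past the hunk.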
#if defined(HAVE_WCHAR_H) && defined(HAVE_MBRTOWC) && defined(HAVE_WCWIDTH)
@@ -300,8 +308,8 @@ file_getbuffer(struct magic_set *ms)
}
/*
- * Yes these wrappers suffer from buffer overflows, but if your OS does not have
- * the real functions, maybe you should consider replacing your OS?
+ * Yes these wrappers suffer from buffer overflows, but if your OS does not
+ * have the real functions, maybe you should consider replacing your OS?
*/
#ifndef HAVE_VSNPRINTF
int
diff --git a/src/magic.c b/src/magic.c
index e12be838..4de4ec7e 100644
--- a/src/magic.c
+++ b/src/magic.c
@@ -63,7 +63,7 @@
#include "patchlevel.h"
#ifndef lint
-FILE_RCSID("@(#)$File: magic.c,v 1.38 2007/01/25 21:05:47 christos Exp $")
+FILE_RCSID("@(#)$File: magic.c,v 1.39 2007/02/05 16:46:40 christos Exp $")
#endif /* lint */
#ifdef __EMX__
@@ -94,7 +94,7 @@ magic_open(int flags)
goto free1;
}
- ms->o.ptr = ms->o.buf = malloc(ms->o.size = 1024);
+ ms->o.ptr = ms->o.buf = malloc(ms->o.left = ms->o.size = 1024);
if (ms->o.buf == NULL)
goto free1;
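Review bot: The chained assignment `ms->o.ptr = ms->o.buf = malloc(ms->o.left = ms->o.size = 1024);` packs four side effects into one statement, with the size initialisation hidden inside malloc's argument; splitting it reads more plainly and keeps the `size`/`left` pairing visible: `ms->o.size = ms->o.left = 1024;` followed by `ms->o.ptr = ms->o.buf = malloc(ms->o.size);`. The literal 1024 also repeats the growth slack file_printf adds on reallocation, so a shared named constant would tie the two together. magic_open continues outside the hunk.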
@@ -106,7 +106,6 @@ magic_open(int flags)
if (ms->c.li == NULL)
goto free3;
- ms->o.len = 0;
ms->haderr = 0;
ms->error = -1;
ms->mlist = NULL;
diff --git a/src/patchlevel.h b/src/patchlevel.h
index bdf70d5a..c05b9393 100644
--- a/src/patchlevel.h
+++ b/src/patchlevel.h
@@ -1,11 +1,14 @@
#define FILE_VERSION_MAJOR 4
-#define patchlevel 19
+#define patchlevel 20
/*
* Patchlevel file for Ian Darwin's MAGIC command.
- * $File: patchlevel.h,v 1.62 2006/12/11 21:49:58 christos Exp $
+ * $File: patchlevel.h,v 1.63 2007/01/12 17:38:28 christos Exp $
*
* $Log: patchlevel.h,v $
+ * Revision 1.64 2007/03/01 22:14:55 christos
+ * welcome to 4.20
+ *
* Revision 1.63 2007/01/12 17:38:28 christos
* Use File id.
*