Source-Changes-HG archive
[src/netbsd-3-0]: src/dist/file/src Apply patch (requested by adrianp in tick...
details: https://anonhg.NetBSD.org/src/rev/b2188a74afe2
branches: netbsd-3-0
changeset: 579398:b2188a74afe2
user: bouyer <bouyer%NetBSD.org@localhost>
date: Sun Apr 01 15:48:49 2007 +0000
description:
Apply patch (requested by adrianp in ticket #1743)
dist/file/src/file.h patch
dist/file/src/funcs.c patch
dist/file/src/magic.c patch
Fix an integer underflow in file_printf which can lead to an exploitable heap
overflow.
diffstat:
dist/file/src/file.h | 4 ++--
dist/file/src/funcs.c | 44 ++++++++++++++++++++++++++------------------
dist/file/src/magic.c | 7 +++----
3 files changed, 31 insertions(+), 24 deletions(-)
diffs (155 lines):
diff -r 9ac2d3614bf1 -r b2188a74afe2 dist/file/src/file.h
--- a/dist/file/src/file.h Sat Mar 31 14:38:28 2007 +0000
+++ b/dist/file/src/file.h Sun Apr 01 15:48:49 2007 +0000
@@ -1,4 +1,4 @@
-/* $NetBSD: file.h,v 1.10 2005/02/21 15:00:05 pooka Exp $ */
+/* $NetBSD: file.h,v 1.10.4.1 2007/04/01 15:48:49 bouyer Exp $ */
/*
* Copyright (c) Ian F. Darwin 1986-1995.
@@ -232,7 +232,7 @@
/* Accumulation buffer */
char *buf;
char *ptr;
- size_t len;
+ size_t left;
size_t size;
/* Printable buffer */
char *pbuf;
diff -r 9ac2d3614bf1 -r b2188a74afe2 dist/file/src/funcs.c
--- a/dist/file/src/funcs.c Sat Mar 31 14:38:28 2007 +0000
+++ b/dist/file/src/funcs.c Sun Apr 01 15:48:49 2007 +0000
@@ -1,4 +1,4 @@
-/* $NetBSD: funcs.c,v 1.2 2005/02/21 15:00:05 pooka Exp $ */
+/* $NetBSD: funcs.c,v 1.2.4.1 2007/04/01 15:48:49 bouyer Exp $ */
/*
* Copyright (c) Christos Zoulas 2003.
@@ -28,6 +28,7 @@
*/
#include "file.h"
#include "magic.h"
+#include <assert.h>
#include <stdarg.h>
#include <stdlib.h>
#include <string.h>
@@ -37,7 +38,7 @@
#if 0
FILE_RCSID("@(#)Id: funcs.c,v 1.14 2005/01/07 19:17:27 christos Exp")
#else
-__RCSID("$NetBSD: funcs.c,v 1.2 2005/02/21 15:00:05 pooka Exp $");
+__RCSID("$NetBSD: funcs.c,v 1.2.4.1 2007/04/01 15:48:49 bouyer Exp $");
#endif
#endif /* lint */
/*
@@ -47,28 +48,32 @@
file_printf(struct magic_set *ms, const char *fmt, ...)
{
va_list ap;
- size_t len;
+ size_t len, size;
char *buf;
va_start(ap, fmt);
- if ((len = vsnprintf(ms->o.ptr, ms->o.len, fmt, ap)) >= ms->o.len) {
+ if ((len = vsnprintf(ms->o.ptr, ms->o.left, fmt, ap)) >= ms->o.left) {
+ long diff; /* XXX: really ptrdiff_t */
+
va_end(ap);
- if ((buf = realloc(ms->o.buf, len + 1024)) == NULL) {
+ size = (ms->o.size - ms->o.left) + len + 1024;
+ if ((buf = realloc(ms->o.buf, size)) == NULL) {
file_oomem(ms);
return -1;
}
- ms->o.ptr = buf + (ms->o.ptr - ms->o.buf);
+ diff = ms->o.ptr - ms->o.buf;
+ ms->o.ptr = buf + diff;
ms->o.buf = buf;
- ms->o.len = ms->o.size - (ms->o.ptr - ms->o.buf);
- ms->o.size = len + 1024;
+ ms->o.left = size - diff;
+ ms->o.size = size;
va_start(ap, fmt);
- len = vsnprintf(ms->o.ptr, ms->o.len, fmt, ap);
+ len = vsnprintf(ms->o.ptr, ms->o.left, fmt, ap);
}
+ va_end(ap);
ms->o.ptr += len;
- ms->o.len -= len;
- va_end(ap);
+ ms->o.left -= len;
return 0;
}
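Review bot: Both `vsnprintf` calls store their `int` result straight into the `size_t` `len`, so a negative return (an output or encoding error) becomes a huge value that passes the `>= ms->o.left` test, wraps the `size` computation, and is then applied to `ms->o.ptr` and `ms->o.left` at the end of the function. Keeping the result in an `int` and bailing out first, e.g. `if (n < 0) { va_end(ap); return -1; }`, would keep the accumulation buffer's bookkeeping intact on that path. Separately, `diff = ms->o.ptr - ms->o.buf` is evaluated after `realloc` may already have released the old block; computing the offset before the `realloc` call avoids relying on stale pointer values. The function's return-type line sits above the hunk.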
@@ -156,8 +161,8 @@
protected const char *
file_getbuffer(struct magic_set *ms)
{
- char *nbuf, *op, *np;
- size_t nsize;
+ char *pbuf, *op, *np;
+ size_t psize, len;
if (ms->haderr)
return NULL;
@@ -165,14 +170,17 @@
if (ms->flags & MAGIC_RAW)
return ms->o.buf;
- nsize = ms->o.len * 4 + 1;
- if (ms->o.psize < nsize) {
- if ((nbuf = realloc(ms->o.pbuf, nsize)) == NULL) {
+ len = ms->o.size - ms->o.left;
+ /* * 4 is for octal representation, + 1 is for NUL */
+ psize = len * 4 + 1;
+ assert(psize > len);
+ if (ms->o.psize < psize) {
+ if ((pbuf = realloc(ms->o.pbuf, psize)) == NULL) {
file_oomem(ms);
return NULL;
}
- ms->o.psize = nsize;
- ms->o.pbuf = nbuf;
+ ms->o.psize = psize;
+ ms->o.pbuf = pbuf;
}
for (np = ms->o.pbuf, op = ms->o.buf; *op; op++) {
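Review bot: The overflow guard on `psize = len * 4 + 1` is an `assert`, which disappears when the file is built with `NDEBUG` and otherwise aborts the calling process instead of reporting an error the way the `realloc` failure just below does. The comparison `psize > len` also misses some wrapped values: with a 32-bit `size_t`, a `len` of 0x55555556 wraps to a `psize` of 0x55555559, which still passes. Checking before the multiplication, `if (len > (SIZE_MAX - 1) / 4) { file_oomem(ms); return NULL; }`, covers every case and keeps the failure on the existing error path. The `for` loop that fills `pbuf` continues past the end of the hunk, so whether it is bounded by `len` cannot be confirmed from here.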
diff -r 9ac2d3614bf1 -r b2188a74afe2 dist/file/src/magic.c
--- a/dist/file/src/magic.c Sat Mar 31 14:38:28 2007 +0000
+++ b/dist/file/src/magic.c Sun Apr 01 15:48:49 2007 +0000
@@ -1,4 +1,4 @@
-/* $NetBSD: magic.c,v 1.13 2005/02/21 15:00:05 pooka Exp $ */
+/* $NetBSD: magic.c,v 1.13.4.1 2007/04/01 15:48:49 bouyer Exp $ */
/*
* Copyright (c) Christos Zoulas 2003.
@@ -68,7 +68,7 @@
#if 0
FILE_RCSID("@(#)Id: magic.c,v 1.25 2005/01/07 19:17:27 christos Exp")
#else
-__RCSID("$NetBSD: magic.c,v 1.13 2005/02/21 15:00:05 pooka Exp $");
+__RCSID("$NetBSD: magic.c,v 1.13.4.1 2007/04/01 15:48:49 bouyer Exp $");
#endif
#endif /* lint */
@@ -95,7 +95,7 @@
goto free1;
}
- ms->o.ptr = ms->o.buf = malloc(ms->o.size = 1024);
+ ms->o.ptr = ms->o.buf = malloc(ms->o.left = ms->o.size = 1024);
if (ms->o.buf == NULL)
goto free1;
@@ -107,7 +107,6 @@
if (ms->c.off == NULL)
goto free3;
- ms->o.len = 0;
ms->haderr = 0;
ms->error = -1;
ms->mlist = NULL;