

[src/netbsd-2-1]: src/dist/file/src Apply patch (requested by adrianp in tick...



details:   https://anonhg.NetBSD.org/src/rev/cf25d34eb853
branches:  netbsd-2-1
changeset: 564261:cf25d34eb853
user:      bouyer <bouyer%NetBSD.org@localhost>
date:      Sun Apr 08 22:20:52 2007 +0000

description:
Apply patch (requested by adrianp in ticket #11288)
        dist/file/src/file.h    patch
        dist/file/src/funcs.c   patch
        dist/file/src/magic.c   patch
Fix an integer underflow in file_printf which can lead to an exploitable heap
overflow.

diffstat:

 dist/file/src/file.h  |   4 ++--
 dist/file/src/funcs.c |  44 ++++++++++++++++++++++++++------------------
 dist/file/src/magic.c |   7 +++----
 3 files changed, 31 insertions(+), 24 deletions(-)

diffs (148 lines):

diff -r 29e1fed64085 -r cf25d34eb853 dist/file/src/file.h
--- a/dist/file/src/file.h      Thu Apr 05 21:04:57 2007 +0000
+++ b/dist/file/src/file.h      Sun Apr 08 22:20:52 2007 +0000
@@ -1,4 +1,4 @@
-/*     $NetBSD: file.h,v 1.7 2004/03/23 08:40:12 pooka Exp $   */
+/*     $NetBSD: file.h,v 1.7.6.1 2007/04/08 22:20:52 bouyer Exp $      */
 
 /*
  * Copyright (c) Ian F. Darwin 1986-1995.
@@ -187,7 +187,7 @@
        /* Accumulation buffer */
        char *buf;
        char *ptr;
-       size_t len;
+       size_t left;
        size_t size;
        /* Printable buffer */
        char *pbuf;
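Review bot: The renamed `left` field carries no comment saying what it counts, yet the new funcs.c code depends on the invariant `left == size - (ptr - buf)` twice: file_printf uses it to size the realloc and file_getbuffer recovers the used length as `ms->o.size - ms->o.left`. A one-line comment on the field would make that contract visible to whoever next touches the struct: `size_t left;   /* free bytes from ptr to end of buf; == size - (ptr - buf) */`. The struct definition starts above this hunk and continues below it.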
diff -r 29e1fed64085 -r cf25d34eb853 dist/file/src/funcs.c
--- a/dist/file/src/funcs.c     Thu Apr 05 21:04:57 2007 +0000
+++ b/dist/file/src/funcs.c     Sun Apr 08 22:20:52 2007 +0000
@@ -1,4 +1,4 @@
-/*     $NetBSD: funcs.c,v 1.1.1.5 2004/03/23 08:31:43 pooka Exp $      */
+/*     $NetBSD: funcs.c,v 1.1.1.5.6.1 2007/04/08 22:20:52 bouyer Exp $ */
 
 /*
  * Copyright (c) Christos Zoulas 2003.
@@ -30,6 +30,7 @@
  */
 #include "file.h"
 #include "magic.h"
+#include <assert.h>
 #include <stdarg.h>
 #include <stdlib.h>
 #include <string.h>
@@ -39,7 +40,7 @@
 #if 0
 FILE_RCSID("@(#)Id: funcs.c,v 1.11 2003/11/11 20:01:46 christos Exp")
 #else
-__RCSID("$NetBSD: funcs.c,v 1.1.1.5 2004/03/23 08:31:43 pooka Exp $");
+__RCSID("$NetBSD: funcs.c,v 1.1.1.5.6.1 2007/04/08 22:20:52 bouyer Exp $");
 #endif
 #endif /* lint */
 /*
@@ -49,28 +50,32 @@
 file_printf(struct magic_set *ms, const char *fmt, ...)
 {
        va_list ap;
-       size_t len;
+       size_t len, size;
        char *buf;
 
        va_start(ap, fmt);
 
-       if ((len = vsnprintf(ms->o.ptr, ms->o.len, fmt, ap)) >= ms->o.len) {
+       if ((len = vsnprintf(ms->o.ptr, ms->o.left, fmt, ap)) >= ms->o.left) {
+               long diff;      /* XXX: really ptrdiff_t */
+
                va_end(ap);
-               if ((buf = realloc(ms->o.buf, len + 1024)) == NULL) {
+               size = (ms->o.size - ms->o.left) + len + 1024;
+               if ((buf = realloc(ms->o.buf, size)) == NULL) {
                        file_oomem(ms);
                        return -1;
                }
-               ms->o.ptr = buf + (ms->o.ptr - ms->o.buf);
+               diff = ms->o.ptr - ms->o.buf;
+               ms->o.ptr = buf + diff;
                ms->o.buf = buf;
-               ms->o.len = ms->o.size - (ms->o.ptr - ms->o.buf);
-               ms->o.size = len + 1024;
+               ms->o.left = size - diff;
+               ms->o.size = size;
 
                va_start(ap, fmt);
-               len = vsnprintf(ms->o.ptr, ms->o.len, fmt, ap);
+               len = vsnprintf(ms->o.ptr, ms->o.left, fmt, ap);
        }
+       va_end(ap);
        ms->o.ptr += len;
-       ms->o.len -= len;
-       va_end(ap);
+       ms->o.left -= len;
        return 0;
 }
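Review bot: The new `if ((len = vsnprintf(ms->o.ptr, ms->o.left, fmt, ap)) >= ms->o.left)` still stores vsnprintf's `int` result straight into a `size_t`, so a negative return (an encoding error in the format) becomes SIZE_MAX, the `size = ... + len + 1024` addition wraps, and `ms->o.ptr += len` / `ms->o.left -= len` then move the cursor past the allocation — the same class of underflow this commit is fixing, reached through a different path. The second vsnprintf after the realloc is likewise unchecked; it is expected to fit, but a bound there costs one comparison. Capture the result in an `int`, reject negatives before any arithmetic, and only then convert to `size_t`; `diff` can also be declared `ptrdiff_t` as the XXX note itself says. The function's return-type line sits just above the hunk.
```c
	int n;

	va_start(ap, fmt);
	n = vsnprintf(ms->o.ptr, ms->o.left, fmt, ap);
	if (n < 0) {
		va_end(ap);
		return -1;	/* encoding error: nothing was appended */
	}
	len = (size_t)n;
	if (len >= ms->o.left) {
		ptrdiff_t diff;

		va_end(ap);
		/* … unchanged: compute size, realloc, fix up ptr/buf/left/size … */
		va_start(ap, fmt);
		n = vsnprintf(ms->o.ptr, ms->o.left, fmt, ap);
		if (n < 0 || (size_t)n >= ms->o.left) {
			va_end(ap);
			return -1;	/* must fit after growing; never advance on failure */
		}
		len = (size_t)n;
	}
	va_end(ap);
	ms->o.ptr += len;
	ms->o.left -= len;
	return 0;
```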
 
@@ -156,8 +161,8 @@
 protected const char *
 file_getbuffer(struct magic_set *ms)
 {
-       char *nbuf, *op, *np;
-       size_t nsize;
+       char *pbuf, *op, *np;
+       size_t psize, len;
 
        if (ms->haderr)
                return NULL;
@@ -165,14 +170,17 @@
        if (ms->flags & MAGIC_RAW)
                return ms->o.buf;
 
-       nsize = ms->o.len * 4 + 1;
-       if (ms->o.psize < nsize) {
-               if ((nbuf = realloc(ms->o.pbuf, nsize)) == NULL) {
+       len = ms->o.size - ms->o.left;
+       /* * 4 is for octal representation, + 1 is for NUL */
+       psize = len * 4 + 1;
+       assert(psize > len);
+       if (ms->o.psize < psize) {
+               if ((pbuf = realloc(ms->o.pbuf, psize)) == NULL) {
                        file_oomem(ms);
                        return NULL;
                }
-               ms->o.psize = nsize;
-               ms->o.pbuf = nbuf;
+               ms->o.psize = psize;
+               ms->o.pbuf = pbuf;
        }
 
        for (np = ms->o.pbuf, op = ms->o.buf; *op; op++) {
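Review bot: The new `assert(psize > len)` only partially guards the `len * 4 + 1` computation: it disappears under NDEBUG, it aborts the process rather than returning an error when it does fire, and for some `len` above SIZE_MAX/4 the wrapped product still exceeds `len`, so the realloc would be undersized and the copy loop starting on the hunk's last line would overrun `pbuf`. Check the multiplicand against the limit up front instead: `if (len > (SIZE_MAX - 1) / 4) { file_oomem(ms); return NULL; }` (SIZE_MAX comes from `<stdint.h>`). file_oomem is the only error reporter visible in this hunk; a dedicated message may fit better if one exists elsewhere. With that check in place the assert, and the new `<assert.h>` include, can be dropped. The loop that follows continues past the hunk.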
diff -r 29e1fed64085 -r cf25d34eb853 dist/file/src/magic.c
--- a/dist/file/src/magic.c     Thu Apr 05 21:04:57 2007 +0000
+++ b/dist/file/src/magic.c     Sun Apr 08 22:20:52 2007 +0000
@@ -1,4 +1,4 @@
-/*     $NetBSD: magic.c,v 1.8.2.1 2004/05/22 17:31:56 he Exp $ */
+/*     $NetBSD: magic.c,v 1.8.2.1.4.1 2007/04/08 22:20:52 bouyer Exp $ */
 
 /*
  * Copyright (c) Christos Zoulas 2003.
@@ -70,7 +70,7 @@
 #if 0
 FILE_RCSID("@(#)Id: magic.c,v 1.19 2004/03/22 20:37:13 christos Exp")
 #else
-__RCSID("$NetBSD: magic.c,v 1.8.2.1 2004/05/22 17:31:56 he Exp $");
+__RCSID("$NetBSD: magic.c,v 1.8.2.1.4.1 2007/04/08 22:20:52 bouyer Exp $");
 #endif
 #endif /* lint */
 
@@ -98,8 +98,7 @@
                return NULL;
        }
 
-       ms->o.ptr = ms->o.buf = malloc(ms->o.size = 1024);
-       ms->o.len = 0;
+       ms->o.ptr = ms->o.buf = malloc(ms->o.left = ms->o.size = 1024);
        if (ms->o.buf == NULL) {
                free(ms);
                return NULL;
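Review bot: The initial capacity on the new `malloc(ms->o.left = ms->o.size = 1024)` line is the same bare 1024 that file_printf now uses as its growth slack, and the two agree only by convention; a named constant in file.h, e.g. `enum { FILE_OBUF_INIT = 1024 };`, would tie them together. Note also that malloc leaves the buffer uninitialised while file_getbuffer walks it with `for (...; *op; op++)` — presumably every reader goes through file_printf first, which NUL-terminates, but an explicit `*ms->o.buf = '\0';` after the NULL check would make that safe regardless. The enclosing magic_open body extends beyond the hunk on both sides.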


