|
@@ -0,0 +1,39 @@
|
|
|
+Subject: Buffer overflow in the mconvert function allows remote attackers to cause a denial of service
|
|
|
+ID: CVE-2014-3478
|
|
|
+Author: Christos Zoulas <christos@zoulas.com>
|
|
|
+Date: Wed Jun 4 17:36:34 2014 +0000
|
|
|
+Origin:
|
|
|
+ commit 27a14bc7ba285a0a5ebfdb55e54001aa11932b08
|
|
|
+Debian-Author: Holger Levsen <holger@debian.org>
|
|
|
+Comment:
|
|
|
+ made apply cleanly based on [origin]
|
|
|
+Reviewed-By: Christoph Biedl <debian.axhn@manchmal.in-ulm.de>
|
|
|
+Last-Update: 2014-09-07
|
|
|
+
|
|
|
+ Correctly compute the truncated pascal string size (Francisco Alonso and
|
|
|
+ Jan Kaluza at RedHat)
|
|
|
+
|
|
|
+--- a/src/softmagic.c
|
|
|
++++ b/src/softmagic.c
|
|
|
+@@ -800,10 +800,18 @@
|
|
|
+ return 1;
|
|
|
+ }
|
|
|
+ case FILE_PSTRING: {
|
|
|
+- char *ptr1 = p->s, *ptr2 = ptr1 + file_pstring_length_size(m);
|
|
|
++ size_t sz = file_pstring_length_size(m);
|
|
|
++ char *ptr1 = p->s, *ptr2 = ptr1 + sz;
|
|
|
+ size_t len = file_pstring_get_length(m, ptr1);
|
|
|
+- if (len >= sizeof(p->s))
|
|
|
+- len = sizeof(p->s) - 1;
|
|
|
++ if (len >= sizeof(p->s)) {
|
|
|
++ /*
|
|
|
++ * The size of the pascal string length (sz)
|
|
|
++ * is 1, 2, or 4. We need at least 1 byte for NUL
|
|
|
++ * termination, but we've already truncated the
|
|
|
++ * string by p->s, so we need to deduct sz.
|
|
|
++ */
|
|
|
++ len = sizeof(p->s) - sz;
|
|
|
++ }
|
|
|
+ while (len--)
|
|
|
+ *ptr1++ = *ptr2++;
|
|
|
+ *ptr1 = '\0';
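Review bot: The new guard `if (len >= sizeof(p->s))` still admits lengths from `sizeof(p->s) - sz + 1` to `sizeof(p->s) - 1`, so with a 2- or 4-byte length prefix the `while (len--)` loop reads `*ptr2` up to `sz - 1` bytes past the end of `p->s`. The clamp value is right, but the test should use the same bound, since the source starts `sz` bytes into the buffer: `if (len > sizeof(p->s) - sz) {`. This assumes `sz` never exceeds `sizeof(p->s)`, which the added comment (1, 2, or 4) implies, but `file_pstring_length_size()` is not visible here. The `FILE_PSTRING` case sits inside a function whose start and end are outside the hunk, so how `len` and `p->s` are populated from file data should be confirmed against the full source.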
|