Cherry-pick a lot of patches that fix obvious issues or seem wise to include. Also: Closes: #922968 [CVE-2019-8905 CVE-2019-8907]

debian/patches/cherry-pick.FILE5_30-56-g6623a8e0.off-by-one-reading-offset-found-by-oss-fuzz.patch

@@ -0,0 +1,16 @@
+Subject: Off-by-one reading offset (found by oss-fuzz)
+Origin: FILE5_30-56-g6623a8e0 <https://github.com/file/file/commit/FILE5_30-56-g6623a8e0>
+Upstream-Author: Christos Zoulas <christos@zoulas.com>
+Date: Sun Apr 30 17:05:02 2017 +0000
+
+--- a/src/cdf.c
++++ b/src/cdf.c
+@@ -861,7 +861,7 @@
+ 		DPRINTF(("Past end %p < %p\n", e, p));
+ 		return NULL;
+ 	}
+-	if (cdf_check_stream_offset(sst, h, p, tail * sizeof(uint32_t),
++	if (cdf_check_stream_offset(sst, h, p, (tail + 1) * sizeof(uint32_t),
+ 	    __LINE__) == -1)
+ 		return NULL;
+ 	ofs = CDF_GETUINT32(p, tail);

debian/patches/cherry-pick.FILE5_31-21-g55cb70a2.add-another-bounds-check-oss-fuzz-issue-2242.patch

@@ -0,0 +1,16 @@
+Subject: Add another bounds check: OSS-FUZZ issue 2242
+Origin: FILE5_31-21-g55cb70a2 <https://github.com/file/file/commit/FILE5_31-21-g55cb70a2>
+Upstream-Author: Christos Zoulas <christos@zoulas.com>
+Date: Mon Jun 19 18:30:25 2017 +0000
+
+--- a/src/softmagic.c
++++ b/src/softmagic.c
+@@ -1199,7 +1199,7 @@
+ 			const char *end;
+ 			size_t lines, linecnt, bytecnt;
+ 
+-			if (s == NULL) {
++			if (s == NULL || nbytes < offset) {
+ 				ms->search.s_len = 0;
+ 				ms->search.s = NULL;
+ 				return 0;

debian/patches/cherry-pick.FILE5_32-61-gfb956c0a.decrease-the-sector-limit-oss-fuzz-4577.patch

@@ -0,0 +1,16 @@
+Subject: Decrease the sector limit (oss-fuzz 4577)
+Origin: FILE5_32-61-gfb956c0a <https://github.com/file/file/commit/FILE5_32-61-gfb956c0a>
+Upstream-Author: Christos Zoulas <christos@zoulas.com>
+Date: Thu Dec 14 01:43:29 2017 +0000
+
+--- a/src/cdf.c
++++ b/src/cdf.c
+@@ -430,7 +430,7 @@
+ 		if (h->h_master_sat[i] == CDF_SECID_FREE)
+ 			break;
+ 
+-#define CDF_SEC_LIMIT (UINT32_MAX / (8 * ss))
++#define CDF_SEC_LIMIT (UINT32_MAX / (64 * ss))
+ 	if ((nsatpersec > 0 &&
+ 	    h->h_num_sectors_in_master_sat > CDF_SEC_LIMIT / nsatpersec) ||
+ 	    i > CDF_SEC_LIMIT) {

debian/patches/cherry-pick.FILE5_32-65-gfc4b6e34.drop-the-limit-lower-to-satisfy-oss-fuzz-4682.patch

@@ -0,0 +1,18 @@
+Subject: Drop the limit lower to satisfy oss-fuzz 4682
+Origin: FILE5_32-65-gfc4b6e34 <https://github.com/file/file/commit/FILE5_32-65-gfc4b6e34>
+Upstream-Author: Christos Zoulas <christos@zoulas.com>
+Date: Tue Dec 19 00:21:21 2017 +0000
+
+--- a/src/cdf.c
++++ b/src/cdf.c
+@@ -840,8 +840,8 @@
+ 	return 0;
+ }
+ 
+-#define CDF_SHLEN_LIMIT (UINT32_MAX / 8)
+-#define CDF_PROP_LIMIT (UINT32_MAX / (8 * sizeof(cdf_property_info_t)))
++#define CDF_SHLEN_LIMIT (UINT32_MAX / 64)
++#define CDF_PROP_LIMIT (UINT32_MAX / (64 * sizeof(cdf_property_info_t)))
+ 
+ static const void *
+ cdf_offset(const void *p, size_t l)

debian/patches/cherry-pick.FILE5_33-34-g72e9a7fe.pr-6-tobias-out-of-boundary-read-in-der-parser.patch

@@ -0,0 +1,16 @@
+Subject: PR/6: tobias: out of boundary read in DER parser
+Origin: FILE5_33-34-g72e9a7fe <https://github.com/file/file/commit/FILE5_33-34-g72e9a7fe>
+Upstream-Author: Christos Zoulas <christos@zoulas.com>
+Date: Sat Jun 23 15:15:26 2018 +0000
+
+--- a/src/der.c
++++ b/src/der.c
+@@ -199,7 +199,7 @@
+ 	for (i = 0; i < digits; i++)
+ 		len = (len << 8) | c[(*p)++];
+ 
+-	if (*p + len >= l)
++	if (len > UINT32_MAX - *p || *p + len >= l)
+ 		return DER_BAD;
+ 	return CAST(uint32_t, len);
+ }

debian/patches/cherry-pick.FILE5_34-13-gcd752e7c.try-to-use-the-right-off-t-max.patch

@@ -0,0 +1,44 @@
+Subject: Try to use the "right" off_t_max
+Origin: FILE5_34-13-gcd752e7c <https://github.com/file/file/commit/FILE5_34-13-gcd752e7c>
+Upstream-Author: Christos Zoulas <christos@zoulas.com>
+Date: Wed Aug 1 09:53:18 2018 +0000
+
+--- a/src/apprentice.c
++++ b/src/apprentice.c
+@@ -55,11 +55,6 @@
+ #include <limits.h>
+ #endif
+ 
+-#ifndef SSIZE_MAX
+-#define MAXMAGIC_SIZE        ((ssize_t)0x7fffffff)
+-#else
+-#define MAXMAGIC_SIZE        SSIZE_MAX
+-#endif
+ 
+ #define	EATAB {while (isascii((unsigned char) *l) && \
+ 		      isspace((unsigned char) *l))  ++l;}
+@@ -300,6 +295,15 @@
+ 	return p->type;
+ }
+ 
++private off_t
++maxoff_t(void) {
++	if (sizeof(off_t) == sizeof(int))
++		return CAST(off_t, INT_MAX);
++	if (sizeof(off_t) == sizeof(long))
++		return CAST(off_t, LONG_MAX);
++	return 0x7fffffff;
++}
++
+ private int
+ get_standard_integer_type(const char *l, const char **t)
+ {
+@@ -2950,7 +2954,7 @@
+ 		file_error(ms, errno, "cannot stat `%s'", dbname);
+ 		goto error;
+ 	}
+-	if (st.st_size < 8 || st.st_size > MAXMAGIC_SIZE) {
++	if (st.st_size < 8 || st.st_size > maxoff_t()) {
+ 		file_error(ms, 0, "file `%s' is too %s", dbname,
+ 		    st.st_size < 8 ? "small" : "large");
+ 		goto error;

debian/patches/cherry-pick.FILE5_34-15-ge0805be4.fix-leak-on-error-found-by-coverity.patch

@@ -0,0 +1,20 @@
+Subject: Fix leak on error, found by coverity
+Origin: FILE5_34-15-ge0805be4 <https://github.com/file/file/commit/FILE5_34-15-ge0805be4>
+Upstream-Author: Christos Zoulas <christos@zoulas.com>
+Date: Wed Aug 1 09:59:45 2018 +0000
+
+--- a/src/compress.c
++++ b/src/compress.c
+@@ -247,8 +247,11 @@
+ 			 * XXX: If file_buffer fails here, we overwrite
+ 			 * the compressed text. FIXME.
+ 			 */
+-			if (file_buffer(ms, -1, NULL, buf, nbytes) == -1)
++			if (file_buffer(ms, -1, NULL, buf, nbytes) == -1) {
++				if (file_pop_buffer(ms, pb) != NULL)
++					abort();
+ 				goto error;
++			}
+ 			if ((rbuf = file_pop_buffer(ms, pb)) != NULL) {
+ 				if (file_printf(ms, "%s", rbuf) == -1) {
+ 					free(rbuf);

debian/patches/cherry-pick.FILE5_34-16-g2f866ff0.better-error-handling-found-by-coverity.patch

@@ -0,0 +1,17 @@
+Subject: Better error handling, found by coverity
+Origin: FILE5_34-16-g2f866ff0 <https://github.com/file/file/commit/FILE5_34-16-g2f866ff0>
+Upstream-Author: Christos Zoulas <christos@zoulas.com>
+Date: Wed Aug 1 10:02:20 2018 +0000
+
+--- a/src/readelf.c
++++ b/src/readelf.c
+@@ -891,7 +891,8 @@
+ 
+ 	offset = get_offset_from_virtaddr(ms, swap, clazz, fd, ph_off, ph_num,
+ 	    fsize, virtaddr);
+-	if ((buflen = pread(fd, buf, CAST(size_t, buflen), offset)) <= 0) {
++	if (offset < 0 ||
++	    (buflen = pread(fd, buf, CAST(size_t, buflen), offset)) <= 0) {
+ 		file_badread(ms);
+ 		return 0;
+ 	}

debian/patches/cherry-pick.FILE5_34-17-g54bec4a0.eliminate-toctou-by-using-fstat-and-always-opening-with-non-blocking-i-o.patch

@@ -0,0 +1,44 @@
+Subject: Eliminate toctou by using fstat and always opening with non-blocking i/o
+Origin: FILE5_34-17-g54bec4a0 <https://github.com/file/file/commit/FILE5_34-17-g54bec4a0>
+Upstream-Author: Christos Zoulas <christos@zoulas.com>
+Date: Wed Aug 1 10:07:00 2018 +0000
+
+    Found by coverity.
+
+--- a/src/file.h
++++ b/src/file.h
+@@ -597,6 +597,9 @@
+ #ifndef O_BINARY
+ #define O_BINARY	0
+ #endif
++#ifndef O_NONBLOCK
++#define O_NONBLOCK	0
++#endif
+ 
+ #ifndef __cplusplus
+ #if defined(__GNUC__) && (__GNUC__ >= 3)
+--- a/src/magic.c
++++ b/src/magic.c
+@@ -442,18 +442,12 @@
+ 		else
+ 			pos = lseek(fd, (off_t)0, SEEK_CUR);
+ 	} else {
+-		int flags = O_RDONLY|O_BINARY;
+-		int okstat = stat(inname, &sb) == 0;
+-
+-		if (okstat && S_ISFIFO(sb.st_mode)) {
+-#ifdef O_NONBLOCK
+-			flags |= O_NONBLOCK;
+-#endif
+-			ispipe = 1;
+-		}
+-
++		int flags = O_RDONLY|O_BINARY|O_NONBLOCK;
+ 		errno = 0;
+ 		if ((fd = open(inname, flags)) < 0) {
++			int okstat = fstat(fd, &sb) == 0;
++			if (okstat && S_ISFIFO(sb.st_mode))
++				ispipe = 1;
+ #ifdef WIN32
+ 			/*
+ 			 * Can't stat, can't open.  It may have been opened in

debian/patches/cherry-pick.FILE5_34-18-gbd8fafe3.check-file-printf.patch

@@ -0,0 +1,22 @@
+Subject: Check file_printf()
+Origin: FILE5_34-18-gbd8fafe3 <https://github.com/file/file/commit/FILE5_34-18-gbd8fafe3>
+Upstream-Author: Christos Zoulas <christos@zoulas.com>
+Date: Wed Aug 1 10:09:47 2018 +0000
+
+--- a/src/readelf.c
++++ b/src/readelf.c
+@@ -545,9 +545,11 @@
+     size_t noff, size_t doff, int *flags)
+ {
+ 	if (namesz == 5 && strcmp((char *)&nbuf[noff], "SuSE") == 0 &&
+-	    type == NT_GNU_VERSION && descsz == 2) {
+-	    *flags |= FLAGS_DID_OS_NOTE;
+-	    file_printf(ms, ", for SuSE %d.%d", nbuf[doff], nbuf[doff + 1]);
++		type == NT_GNU_VERSION && descsz == 2) {
++		*flags |= FLAGS_DID_OS_NOTE;
++		if (file_printf(ms, ", for SuSE %d.%d", nbuf[doff],
++		    nbuf[doff + 1]) == -1)
++		    return -1;
+ 	    return 1;
+ 	}
+ 

debian/patches/cherry-pick.FILE5_34-19-gfda25acb.appease-coverity-by-calling-umask-around-mkstemp-3.patch

@@ -0,0 +1,17 @@
+Subject: Appease coverity by calling umask around mkstemp(3)
+Origin: FILE5_34-19-gfda25acb <https://github.com/file/file/commit/FILE5_34-19-gfda25acb>
+Upstream-Author: Christos Zoulas <christos@zoulas.com>
+Date: Wed Aug 1 10:11:16 2018 +0000
+
+--- a/src/compress.c
++++ b/src/compress.c
+@@ -397,7 +397,9 @@
+ #else
+ 	{
+ 		int te;
++		int ou = umask(0);
+ 		tfd = mkstemp(buf);
++		(void)umask(ou);
+ 		te = errno;
+ 		(void)unlink(buf);
+ 		errno = te;

debian/patches/cherry-pick.FILE5_34-22-g7b807237.portability-fix-dont-call-qsort-with-null-0.patch

@@ -0,0 +1,27 @@
+Subject: Portability fix, don't call qsort with NULL/0. Found by coverity
+Origin: FILE5_34-22-g7b807237 <https://github.com/file/file/commit/FILE5_34-22-g7b807237>
+Upstream-Author: Christos Zoulas <christos@zoulas.com>
+Date: Wed Aug 1 10:18:02 2018 +0000
+
+--- a/src/apprentice.c
++++ b/src/apprentice.c
+@@ -1347,12 +1347,14 @@
+ 			filearr[files++] = mfn;
+ 		}
+ 		closedir(dir);
+-		qsort(filearr, files, sizeof(*filearr), cmpstrp);
+-		for (i = 0; i < files; i++) {
+-			load_1(ms, action, filearr[i], &errs, mset);
+-			free(filearr[i]);
++		if (filearr) {
++			qsort(filearr, files, sizeof(*filearr), cmpstrp);
++			for (i = 0; i < files; i++) {
++				load_1(ms, action, filearr[i], &errs, mset);
++				free(filearr[i]);
++			}
++			free(filearr);
+ 		}
+-		free(filearr);
+ 	} else
+ 		load_1(ms, action, fn, &errs, mset);
+ 	if (errs)

debian/patches/cherry-pick.FILE5_34-32-g813f1b8a.correct-error-handling-for-file-printf-coverity.patch

@@ -0,0 +1,28 @@
+Subject: Correct error handling for file_printf() (coverity)
+Origin: FILE5_34-32-g813f1b8a <https://github.com/file/file/commit/FILE5_34-32-g813f1b8a>
+Upstream-Author: Christos Zoulas <christos@zoulas.com>
+Date: Thu Aug 2 12:46:02 2018 +0000
+
+--- a/src/readelf.c
++++ b/src/readelf.c
+@@ -1035,14 +1035,16 @@
+ 	}
+ 
+ 	if (namesz & 0x80000000) {
+-	    (void)file_printf(ms, ", bad note name size 0x%lx",
+-		(unsigned long)namesz);
++		if (file_printf(ms, ", bad note name size 0x%lxx",
++		    CAST(unsigned long, namesz)) == -1)
++			return -1;
+ 	    return 0;
+ 	}
+ 
+ 	if (descsz & 0x80000000) {
+-	    (void)file_printf(ms, ", bad note description size 0x%lx",
+-		(unsigned long)descsz);
++		if (file_printf(ms, ", bad note description size 0x%lx",
++		    CAST(unsigned long, descsz)) == -1)
++		    	return -1;
+ 	    return 0;
+ 	}
+ 

debian/patches/cherry-pick.FILE5_34-65-ge64f6d71.fix-use-after-free-https-runtimeverification-com.patch

@@ -0,0 +1,45 @@
+Subject: Fix use-after-free (https://runtimeverification.com/)
+Origin: FILE5_34-65-ge64f6d71 <https://github.com/file/file/commit/FILE5_34-65-ge64f6d71>
+Upstream-Author: Christos Zoulas <christos@zoulas.com>
+Date: Sat Sep 1 15:52:02 2018 +0000
+
+    Fix use-after-free (https://runtimeverification.com/). The free code was
+    never changed when the mlist was changed from a NULL-terminated list to
+    a circular one.
+
+--- a/src/apprentice.c
++++ b/src/apprentice.c
+@@ -586,6 +586,14 @@
+ }
+ 
+ private void
++mlist_free_one(struct mlist *ml)
++{
++	if (ml->map)
++		apprentice_unmap(CAST(struct magic_map *, ml->map));
++	free(ml);
++}
++
++private void
+ mlist_free(struct mlist *mlist)
+ {
+ 	struct mlist *ml, *next;
+@@ -593,14 +601,11 @@
+ 	if (mlist == NULL)
+ 		return;
+ 
+-	ml = mlist->next;
+-	for (ml = mlist->next; (next = ml->next) != NULL; ml = next) {
+-		if (ml->map)
+-			apprentice_unmap(CAST(struct magic_map *, ml->map));
+-		free(ml);
+-		if (ml == mlist)
+-			break;
++	for (ml = mlist->next; ml != mlist; ml = next) {
++		next = ml->next;
++		mlist_free_one(ml);
+ 	}
++	mlist_free_one(mlist);
+ }
+ 
+ #ifndef COMPILE_ONLY

debian/patches/cherry-pick.FILE5_34-87-g765d2990.pr-48-tianxiaogu-avoid-zerodivide.patch

@@ -0,0 +1,16 @@
+Subject: PR/48: tianxiaogu: Avoid zerodivide
+Origin: FILE5_34-87-g765d2990 <https://github.com/file/file/commit/FILE5_34-87-g765d2990>
+Upstream-Author: Christos Zoulas <christos@zoulas.com>
+Date: Wed Oct 10 17:41:10 2018 +0000
+
+--- a/src/apprentice.c
++++ b/src/apprentice.c
+@@ -831,6 +831,8 @@
+ 		break;
+ 
+ 	case FILE_SEARCH:
++		if (m->vallen == 0)
++			break;
+ 		val += m->vallen * MAX(MULT / m->vallen, 1);
+ 		break;
+ 

debian/patches/cherry-pick.FILE5_35-1-g338cc788.return-0-instead-of-1-for-error-in-donote.patch

@@ -0,0 +1,27 @@
+Subject: Return 0 instead of -1 for error in donote
+Origin: FILE5_35-1-g338cc788 <https://github.com/file/file/commit/FILE5_35-1-g338cc788>
+Upstream-Author: Christos Zoulas <christos@zoulas.com>
+Date: Fri Oct 19 00:26:08 2018 +0000
+
+    - C++ cast
+    - return 0 instead of -1 for error in donote
+
+--- a/src/readelf.c
++++ b/src/readelf.c
+@@ -1037,14 +1037,14 @@
+ 	if (namesz & 0x80000000) {
+ 		if (file_printf(ms, ", bad note name size 0x%lxx",
+ 		    CAST(unsigned long, namesz)) == -1)
+-			return -1;
++			return 0;
+ 	    return 0;
+ 	}
+ 
+ 	if (descsz & 0x80000000) {
+ 		if (file_printf(ms, ", bad note description size 0x%lx",
+ 		    CAST(unsigned long, descsz)) == -1)
+-		    	return -1;
++		    	return 0;
+ 	    return 0;
+ 	}
+ 

debian/patches/cherry-pick.FILE5_35-2-g8d68fb4f.lint-fixes.patch

@@ -0,0 +1,41 @@
+Subject: Lint fixes
+Origin: FILE5_35-2-g8d68fb4f <https://github.com/file/file/commit/FILE5_35-2-g8d68fb4f>
+Upstream-Author: Christos Zoulas <christos@zoulas.com>
+Date: Fri Oct 19 00:26:26 2018 +0000
+
+--- a/src/apprentice.c
++++ b/src/apprentice.c
+@@ -297,9 +297,9 @@
+ 
+ private off_t
+ maxoff_t(void) {
+-	if (sizeof(off_t) == sizeof(int))
++	if (/*CONSTCOND*/sizeof(off_t) == sizeof(int))
+ 		return CAST(off_t, INT_MAX);
+-	if (sizeof(off_t) == sizeof(long))
++	if (/*CONSTCOND*/sizeof(off_t) == sizeof(long))
+ 		return CAST(off_t, LONG_MAX);
+ 	return 0x7fffffff;
+ }
+--- a/src/compress.c
++++ b/src/compress.c
+@@ -397,7 +397,7 @@
+ #else
+ 	{
+ 		int te;
+-		int ou = umask(0);
++		mode_t ou = umask(0);
+ 		tfd = mkstemp(buf);
+ 		(void)umask(ou);
+ 		te = errno;
+--- a/src/file.h
++++ b/src/file.h
+@@ -369,7 +369,7 @@
+ #define CCAST(T, b)	const_cast<T>(b)
+ #else
+ #define CAST(T, b)	((T)(b))
+-#define RCAST(T, b)	((T)(b))
++#define RCAST(T, b)	((T)(void *)(b))
+ #define CCAST(T, b)	((T)(uintptr_t)(b))
+ #endif
+ 

debian/patches/cherry-pick.FILE5_35-25-g48052fcf.fix-cut-n-pasto-for-regex-max-vsevolod-stakhov.patch

@@ -0,0 +1,16 @@
+Subject: Fix cut-n-pasto for regex_max (Vsevolod Stakhov)
+Origin: FILE5_35-25-g48052fcf <https://github.com/file/file/commit/FILE5_35-25-g48052fcf>
+Upstream-Author: Christos Zoulas <christos@zoulas.com>
+Date: Tue Dec 11 14:41:11 2018 +0000
+
+--- a/src/magic.c
++++ b/src/magic.c
+@@ -600,7 +600,7 @@
+ 		ms->elf_notes_max = (uint16_t)*(const size_t *)val;
+ 		return 0;
+ 	case MAGIC_PARAM_REGEX_MAX:
+-		ms->elf_notes_max = (uint16_t)*(const size_t *)val;
++		ms->elf_regex_max = (uint16_t)*(const size_t *)val;
+ 		return 0;
+ 	case MAGIC_PARAM_BYTES_MAX:
+ 		ms->bytes_max = *(const size_t *)val;

debian/patches/cherry-pick.FILE5_35-26-g98f29456.fix-name.patch

@@ -0,0 +1,16 @@
+Subject: Fix name
+Origin: FILE5_35-26-g98f29456 <https://github.com/file/file/commit/FILE5_35-26-g98f29456>
+Upstream-Author: Christos Zoulas <christos@zoulas.com>
+Date: Tue Dec 11 21:10:33 2018 +0000
+
+--- a/src/magic.c
++++ b/src/magic.c
+@@ -600,7 +600,7 @@
+ 		ms->elf_notes_max = (uint16_t)*(const size_t *)val;
+ 		return 0;
+ 	case MAGIC_PARAM_REGEX_MAX:
+-		ms->elf_regex_max = (uint16_t)*(const size_t *)val;
++		ms->regex_max = (uint16_t)*(const size_t *)val;
+ 		return 0;
+ 	case MAGIC_PARAM_BYTES_MAX:
+ 		ms->bytes_max = *(const size_t *)val;

debian/patches/cherry-pick.FILE5_35-3-gc7d910ee.more-lint-fixes.patch

@@ -0,0 +1,16 @@
+Subject: More lint fixes
+Origin: FILE5_35-3-gc7d910ee <https://github.com/file/file/commit/FILE5_35-3-gc7d910ee>
+Upstream-Author: Christos Zoulas <christos@zoulas.com>
+Date: Fri Oct 19 00:33:04 2018 +0000
+
+--- a/src/file.h
++++ b/src/file.h
+@@ -369,7 +369,7 @@
+ #define CCAST(T, b)	const_cast<T>(b)
+ #else
+ #define CAST(T, b)	((T)(b))
+-#define RCAST(T, b)	((T)(void *)(b))
++#define RCAST(T, b)	((T)(uintptr_t)(b))
+ #define CCAST(T, b)	((T)(uintptr_t)(b))
+ #endif
+ 

debian/patches/cherry-pick.FILE5_35-49-g3a6f62e2.fix-indirect-offset-overflow-calculation-b.patch

@@ -0,0 +1,57 @@
+Subject: Fix indirect offset overflow calculation (B. Watson)
+Origin: FILE5_35-49-g3a6f62e2 <https://github.com/file/file/commit/FILE5_35-49-g3a6f62e2>
+Upstream-Author: Christos Zoulas <christos@zoulas.com>
+Date: Thu Feb 14 00:25:59 2019 +0000
+
+--- a/src/softmagic.c
++++ b/src/softmagic.c
+@@ -1384,33 +1384,47 @@
+ 		if (m->in_op & FILE_OPINDIRECT) {
+ 			const union VALUETYPE *q = CAST(const union VALUETYPE *,
+ 			    ((const void *)(s + offset + off)));
+-			if (OFFSET_OOB(nbytes, offset + off, sizeof(*q)))
+-				return 0;
+ 			switch (cvt_flip(m->in_type, flip)) {
+ 			case FILE_BYTE:
++				if (OFFSET_OOB(nbytes, offset + off, 1))
++					return 0;
+ 				off = SEXT(sgn,8,q->b);
+ 				break;
+ 			case FILE_SHORT:
++				if (OFFSET_OOB(nbytes, offset + off, 2))
++					return 0;
+ 				off = SEXT(sgn,16,q->h);
+ 				break;
+ 			case FILE_BESHORT:
++				if (OFFSET_OOB(nbytes, offset + off, 2))
++					return 0;
+ 				off = SEXT(sgn,16,BE16(q));
+ 				break;
+ 			case FILE_LESHORT:
++				if (OFFSET_OOB(nbytes, offset + off, 2))
++					return 0;
+ 				off = SEXT(sgn,16,LE16(q));
+ 				break;
+ 			case FILE_LONG:
++				if (OFFSET_OOB(nbytes, offset + off, 4))
++					return 0;
+ 				off = SEXT(sgn,32,q->l);
+ 				break;
+ 			case FILE_BELONG:
+ 			case FILE_BEID3:
++				if (OFFSET_OOB(nbytes, offset + off, 4))
++					return 0;
+ 				off = SEXT(sgn,32,BE32(q));
+ 				break;
+ 			case FILE_LEID3:
+ 			case FILE_LELONG:
++				if (OFFSET_OOB(nbytes, offset + off, 4))
++					return 0;
+ 				off = SEXT(sgn,32,LE32(q));
+ 				break;
+ 			case FILE_MELONG:
++				if (OFFSET_OOB(nbytes, offset + off, 4))
++					return 0;
+ 				off = SEXT(sgn,32,ME32(q));
+ 				break;
+ 			}

debian/patches/cherry-pick.FILE5_35-53-gd6578152.pr-62-spinpx-limit-size-of-file-printable.patch

@@ -0,0 +1,100 @@
+Subject: PR/62: spinpx: limit size of file_printable
+ID: CVE-2019-8905 CVE-2019-8907
+Origin: FILE5_35-53-gd6578152 <https://github.com/file/file/commit/FILE5_35-53-gd6578152>
+Upstream-Author: Christos Zoulas <christos@zoulas.com>
+Date: Mon Feb 18 17:46:56 2019 +0000
+Bug-Debian: https://bugs.debian.org/901351
+
+--- a/src/file.h
++++ b/src/file.h
+@@ -491,7 +491,7 @@
+     size_t *);
+ protected size_t file_pstring_length_size(const struct magic *);
+ protected size_t file_pstring_get_length(const struct magic *, const char *);
+-protected char * file_printable(char *, size_t, const char *);
++protected char * file_printable(char *, size_t, const char *, size_t);
+ #ifdef __EMX__
+ protected int file_os2_apptype(struct magic_set *, const char *, const void *,
+     size_t);
+--- a/src/funcs.c
++++ b/src/funcs.c
+@@ -581,12 +581,13 @@
+  * convert string to ascii printable format.
+  */
+ protected char *
+-file_printable(char *buf, size_t bufsiz, const char *str)
++file_printable(char *buf, size_t bufsiz, const char *str, size_t slen)
+ {
+-	char *ptr, *eptr;
++	char *ptr, *eptr = buf + bufsiz - 1;
+ 	const unsigned char *s = (const unsigned char *)str;
++	const unsigned char *es = s + slen;
+ 
+-	for (ptr = buf, eptr = ptr + bufsiz - 1; ptr < eptr && *s; s++) {
++	for (ptr = buf;  ptr < eptr && s < es && *s; s++) {
+ 		if (isprint(*s)) {
+ 			*ptr++ = *s;
+ 			continue;
+--- a/src/readelf.c
++++ b/src/readelf.c
+@@ -725,7 +725,7 @@
+ 			 */
+ 			if (file_printf(ms, ", from '%.31s'",
+ 			    file_printable(sbuf, sizeof(sbuf),
+-			    (const char *)&nbuf[doff + 0x7c])) == -1)
++			    (const char *)&nbuf[doff + 0x7c], 32)) == -1)
+ 				return 1;
+ 			
+ 			/*
+@@ -1543,7 +1543,8 @@
+ 		return -1;
+ 	if (interp[0])
+ 		if (file_printf(ms, ", interpreter %s",
+-		    file_printable(ibuf, sizeof(ibuf), interp)) == -1)
++		    file_printable(ibuf, sizeof(ibuf), interp, strlen(interp)))
++			== -1)
+ 			return -1;
+ 	return 0;
+ }
+--- a/src/softmagic.c
++++ b/src/softmagic.c
+@@ -544,8 +544,8 @@
+   	case FILE_LESTRING16:
+ 		if (m->reln == '=' || m->reln == '!') {
+ 			if (file_printf(ms, F(ms, m, "%s"), 
+-			    file_printable(sbuf, sizeof(sbuf), m->value.s))
+-			    == -1)
++			    file_printable(sbuf, sizeof(sbuf), m->value.s,
++			    sizeof(m->value.s))) == -1)
+ 				return -1;
+ 			t = ms->offset + m->vallen;
+ 		}
+@@ -572,7 +572,8 @@
+ 			}
+ 
+ 			if (file_printf(ms, F(ms, m, "%s"),
+-			    file_printable(sbuf, sizeof(sbuf), str)) == -1)
++			    file_printable(sbuf, sizeof(sbuf), str,
++				sizeof(p->s) - (str - p->s))) == -1)
+ 				return -1;
+ 
+ 			if (m->type == FILE_PSTRING)
+@@ -678,7 +679,7 @@
+ 			return -1;
+ 		}
+ 		rval = file_printf(ms, F(ms, m, "%s"),
+-		    file_printable(sbuf, sizeof(sbuf), cp));
++		    file_printable(sbuf, sizeof(sbuf), cp, ms->search.rm_len));
+ 		free(cp);
+ 
+ 		if (rval == -1)
+@@ -705,7 +706,8 @@
+ 		break;
+ 	case FILE_DER:
+ 		if (file_printf(ms, F(ms, m, "%s"), 
+-		    file_printable(sbuf, sizeof(sbuf), ms->ms_value.s)) == -1)
++		    file_printable(sbuf, sizeof(sbuf), ms->ms_value.s,
++			sizeof(ms->ms_value.s))) == -1)
+ 			return -1;
+ 		t = ms->offset;
+ 		break;

debian/patches/cherry-pick.FILE5_35-56-gf0a26da7.pr-61-tmc-add-ucs-32-built-in-detection.patch

@@ -0,0 +1,117 @@
+Subject: PR/61: tmc: Add UCS-32 built-in detection
+Origin: FILE5_35-56-gf0a26da7 <https://github.com/file/file/commit/FILE5_35-56-gf0a26da7>
+Upstream-Author: Christos Zoulas <christos@zoulas.com>
+Date: Tue Feb 19 20:30:35 2019 +0000
+Comment: Prerequisite for FILE5_36-1-gecca6e54
+
+--- a/src/encoding.c
++++ b/src/encoding.c
+@@ -49,6 +49,7 @@
+     size_t *);
+ private int looks_utf7(const unsigned char *, size_t, unichar *, size_t *);
+ private int looks_ucs16(const unsigned char *, size_t, unichar *, size_t *);
++private int looks_ucs32(const unsigned char *, size_t, unichar *, size_t *);
+ private int looks_latin1(const unsigned char *, size_t, unichar *, size_t *);
+ private int looks_extended(const unsigned char *, size_t, unichar *, size_t *);
+ private void from_ebcdic(const unsigned char *, size_t, unsigned char *);
+@@ -106,6 +107,15 @@
+ 		DPRINTF(("utf8 %" SIZE_T_FORMAT "u\n", *ulen));
+ 		*code = "UTF-8 Unicode";
+ 		*code_mime = "utf-8";
++	} else if ((ucs_type = looks_ucs32(buf, nbytes, *ubuf, ulen)) != 0) {
++		if (ucs_type == 1) {
++			*code = "Little-endian UTF-32 Unicode";
++			*code_mime = "utf-32le";
++		} else {
++			*code = "Big-endian UTF-32 Unicode";
++			*code_mime = "utf-32be";
++		}
++		DPRINTF(("ucs32 %" SIZE_T_FORMAT "u\n", *ulen));
+ 	} else if ((ucs_type = looks_ucs16(buf, nbytes, *ubuf, ulen)) != 0) {
+ 		if (ucs_type == 1) {
+ 			*code = "Little-endian UTF-16 Unicode";
+@@ -398,7 +408,7 @@
+ }
+ 
+ private int
+-looks_ucs16(const unsigned char *buf, size_t nbytes, unichar *ubuf,
++looks_ucs16(const unsigned char *bf, size_t nbytes, unichar *ubf,
+     size_t *ulen)
+ {
+ 	int bigend;
+@@ -407,9 +417,9 @@
+ 	if (nbytes < 2)
+ 		return 0;
+ 
+-	if (buf[0] == 0xff && buf[1] == 0xfe)
++	if (bf[0] == 0xff && bf[1] == 0xfe)
+ 		bigend = 0;
+-	else if (buf[0] == 0xfe && buf[1] == 0xff)
++	else if (bf[0] == 0xfe && bf[1] == 0xff)
+ 		bigend = 1;
+ 	else
+ 		return 0;
+@@ -420,20 +430,58 @@
+ 		/* XXX fix to properly handle chars > 65536 */
+ 
+ 		if (bigend)
+-			ubuf[(*ulen)++] = buf[i + 1] + 256 * buf[i];
++			ubf[(*ulen)++] = bf[i + 1] + 256 * bf[i];
+ 		else
+-			ubuf[(*ulen)++] = buf[i] + 256 * buf[i + 1];
++			ubf[(*ulen)++] = bf[i] + 256 * bf[i + 1];
+ 
+-		if (ubuf[*ulen - 1] == 0xfffe)
++		if (ubf[*ulen - 1] == 0xfffe)
+ 			return 0;
+-		if (ubuf[*ulen - 1] < 128 &&
+-		    text_chars[(size_t)ubuf[*ulen - 1]] != T)
++		if (ubf[*ulen - 1] < 128 &&
++		    text_chars[(size_t)ubf[*ulen - 1]] != T)
+ 			return 0;
+ 	}
+ 
+ 	return 1 + bigend;
+ }
+ 
++private int
++looks_ucs32(const unsigned char *bf, size_t nbytes, unichar *ubf,
++    size_t *ulen)
++{
++	int bigend;
++	size_t i;
++
++	if (nbytes < 4)
++		return 0;
++
++	if (bf[0] == 0xff && bf[1] == 0xfe && bf[2] == 0 && bf[3] == 0)
++		bigend = 0;
++	else if (bf[0] == 0 && bf[1] == 0 && bf[2] == 0xfe && bf[3] == 0xff)
++		bigend = 1;
++	else
++		return 0;
++
++	*ulen = 0;
++
++	for (i = 4; i + 1 < nbytes; i += 4) {
++		/* XXX fix to properly handle chars > 65536 */
++
++		if (bigend)
++			ubf[(*ulen)++] = bf[i + 3] | (bf[i + 2] << 8)
++			    | (bf[i + 1] << 16) | bf[i] << 24;
++		else
++			ubf[(*ulen)++] = bf[i] | (bf[i + 1] << 8) 
++			    | (bf[i + 2] << 16) | (bf[i + 3] << 24);
++
++		if (ubf[*ulen - 1] == 0xfffe)
++			return 0;
++		if (ubf[*ulen - 1] < 128 &&
++		    text_chars[(size_t)ubf[*ulen - 1]] != T)
++			return 0;
++	}
++
++	return 1 + bigend;
++}
+ #undef F
+ #undef T
+ #undef I

debian/patches/cherry-pick.FILE5_36-1-gecca6e54.fix-casts-and-bounds-check-found-by-oss-fuzz.patch

@@ -0,0 +1,40 @@
+Subject: Fix casts and bounds check (found by oss-fuzz)
+Origin: FILE5_36-1-gecca6e54 <https://github.com/file/file/commit/FILE5_36-1-gecca6e54>
+Upstream-Author: Christos Zoulas <christos@zoulas.com>
+Date: Wed Feb 20 16:15:47 2019 +0000
+
+--- a/src/encoding.c
++++ b/src/encoding.c
+@@ -430,9 +430,9 @@
+ 		/* XXX fix to properly handle chars > 65536 */
+ 
+ 		if (bigend)
+-			ubf[(*ulen)++] = bf[i + 1] + 256 * bf[i];
++			ubf[(*ulen)++] = bf[i + 1] + (bf[i] << 8);
+ 		else
+-			ubf[(*ulen)++] = bf[i] + 256 * bf[i + 1];
++			ubf[(*ulen)++] = bf[i] + (bf[i + 1] << 8);
+ 
+ 		if (ubf[*ulen - 1] == 0xfffe)
+ 			return 0;
+@@ -463,15 +463,17 @@
+ 
+ 	*ulen = 0;
+ 
+-	for (i = 4; i + 1 < nbytes; i += 4) {
++	for (i = 4; i + 3 < nbytes; i += 4) {
+ 		/* XXX fix to properly handle chars > 65536 */
+ 
+ 		if (bigend)
+ 			ubf[(*ulen)++] = bf[i + 3] | (bf[i + 2] << 8)
+-			    | (bf[i + 1] << 16) | bf[i] << 24;
++			    | (bf[i + 1] << 16)
++			    | CAST(unichar, bf[i] << 24);
+ 		else
+ 			ubf[(*ulen)++] = bf[i] | (bf[i + 1] << 8) 
+-			    | (bf[i + 2] << 16) | (bf[i + 3] << 24);
++			    | (bf[i + 2] << 16)
++			    | CAST(unichar, bf[i + 3] << 24);
+ 
+ 		if (ubf[*ulen - 1] == 0xfffe)
+ 			return 0;

debian/patches/cherry-pick.FILE5_36-24-g9b2f9d6a.cast-to-unsigned-first-to-appease-ubsan-oss-fuzz.patch

@@ -0,0 +1,21 @@
+Subject: Cast to unsigned first to appease ubsan (oss-fuzz)
+Origin: FILE5_36-24-g9b2f9d6a <https://github.com/file/file/commit/FILE5_36-24-g9b2f9d6a>
+Upstream-Author: Christos Zoulas <christos@zoulas.com>
+Date: Sat Feb 23 21:54:05 2019 +0000
+
+--- a/src/encoding.c
++++ b/src/encoding.c
+@@ -469,11 +469,11 @@
+ 		if (bigend)
+ 			ubf[(*ulen)++] = bf[i + 3] | (bf[i + 2] << 8)
+ 			    | (bf[i + 1] << 16)
+-			    | CAST(unichar, bf[i] << 24);
++			    | (CAST(unichar, bf[i]) << 24);
+ 		else
+ 			ubf[(*ulen)++] = bf[i] | (bf[i + 1] << 8) 
+ 			    | (bf[i + 2] << 16)
+-			    | CAST(unichar, bf[i + 3] << 24);
++			    | (CAST(unichar, bf[i + 3]) << 24);
+ 
+ 		if (ubf[*ulen - 1] == 0xfffe)
+ 			return 0;

debian/patches/local.support-local-definitions-in-etc-magic.patch

@@ -25,8 +25,8 @@ Last-Update: 2016-06-27
 +
 --- a/src/apprentice.c
 +++ b/src/apprentice.c
-@@ -454,7 +454,7 @@
- 	if (map == (struct magic_map *)-1)
+@@ -458,7 +458,7 @@
+ 	if (map == RCAST(struct magic_map *, -1))
  		return -1;
  	if (map == NULL) {
 -		if (ms->flags & MAGIC_CHECK)

debian/patches/series

@@ -25,8 +25,40 @@ cherry-pick.FILE5_30-47-gdc067431.fix-continuation-level-handling.patch
 cherry-pick.FILE5_30-48-gaee11eef.fix-out-of-bounds-read-found-by-oss-fuzz.patch
 cherry-pick.FILE5_30-49-gbf90083a.fix-memory-handling.patch
 cherry-pick.FILE5_30-52-gd8233d09.check-one-more-read-found-by-oss-fuzz.patch
+cherry-pick.FILE5_30-56-g6623a8e0.off-by-one-reading-offset-found-by-oss-fuzz.patch
+
+cherry-pick.FILE5_31-21-g55cb70a2.add-another-bounds-check-oss-fuzz-issue-2242.patch
 cherry-pick.FILE5_31-36-g35c94dc6.Fix-always-true-condition-Thomas-Jarosch.patch
+
+cherry-pick.FILE5_32-61-gfb956c0a.decrease-the-sector-limit-oss-fuzz-4577.patch
+cherry-pick.FILE5_32-65-gfc4b6e34.drop-the-limit-lower-to-satisfy-oss-fuzz-4682.patch
+
 cherry-pick.FILE5_33-31-ga642587a.avoid-reading-past-the-end-of-buffer.patch
+cherry-pick.FILE5_33-34-g72e9a7fe.pr-6-tobias-out-of-boundary-read-in-der-parser.patch
+
+cherry-pick.FILE5_34-13-gcd752e7c.try-to-use-the-right-off-t-max.patch
+cherry-pick.FILE5_34-15-ge0805be4.fix-leak-on-error-found-by-coverity.patch
+cherry-pick.FILE5_34-16-g2f866ff0.better-error-handling-found-by-coverity.patch
+cherry-pick.FILE5_34-17-g54bec4a0.eliminate-toctou-by-using-fstat-and-always-opening-with-non-blocking-i-o.patch
+cherry-pick.FILE5_34-18-gbd8fafe3.check-file-printf.patch
+cherry-pick.FILE5_34-19-gfda25acb.appease-coverity-by-calling-umask-around-mkstemp-3.patch
+cherry-pick.FILE5_34-22-g7b807237.portability-fix-dont-call-qsort-with-null-0.patch
+cherry-pick.FILE5_34-32-g813f1b8a.correct-error-handling-for-file-printf-coverity.patch
+cherry-pick.FILE5_34-65-ge64f6d71.fix-use-after-free-https-runtimeverification-com.patch
+cherry-pick.FILE5_34-87-g765d2990.pr-48-tianxiaogu-avoid-zerodivide.patch
+
+cherry-pick.FILE5_35-1-g338cc788.return-0-instead-of-1-for-error-in-donote.patch
+cherry-pick.FILE5_35-2-g8d68fb4f.lint-fixes.patch
+cherry-pick.FILE5_35-3-gc7d910ee.more-lint-fixes.patch
+cherry-pick.FILE5_35-25-g48052fcf.fix-cut-n-pasto-for-regex-max-vsevolod-stakhov.patch
+cherry-pick.FILE5_35-26-g98f29456.fix-name.patch
+cherry-pick.FILE5_35-49-g3a6f62e2.fix-indirect-offset-overflow-calculation-b.patch
+cherry-pick.FILE5_35-53-gd6578152.pr-62-spinpx-limit-size-of-file-printable.patch
+cherry-pick.FILE5_35-56-gf0a26da7.pr-61-tmc-add-ucs-32-built-in-detection.patch
+cherry-pick.FILE5_35-59-g8305d1cc.use-c-casts-everywhere.patch
+
+cherry-pick.FILE5_36-1-gecca6e54.fix-casts-and-bounds-check-found-by-oss-fuzz.patch
+cherry-pick.FILE5_36-24-g9b2f9d6a.cast-to-unsigned-first-to-appease-ubsan-oss-fuzz.patch
 
 # local modifications
 local.support-local-definitions-in-etc-magic.patch