git Service of IN-Ulm e.V. Explore Help
Sign In
cbiedl
/
file
1
0
Fork 0
Files Pull Requests 0 Wiki
Browse Source

Fix several security issues, Closes: #773148

- CVE-2014-8116
  The ELF parser (readelf.c) in file before 5.21 allows remote attackers ...
- CVE-2014-8117
  softmagic.c in file before 5.21 does not properly limit recursion
- TEMP-0000000-B67840
  Limit the number of ELF notes processed - DoS
- TEMP-0000000-C482B4
  out-of-bounds memory access
- TEMP-0000000-E110B2
  Limit string printing to 100 chars - DoS

Cherry-picks upstream commits:

- FILE5_11-8-g0de3251   (prerequisite for CVE-2014-8117)
- FILE5_12-64-gd68a455  (prerequisite for TEMP-0000000-B67840)
- FILE5_14-67-g9b5bdd7  (prerequisite for TEMP-0000000-B67840)
- FILE5_15-9-gc8451af   (prerequisite for TEMP-0000000-B67840)
- FILE5_17-8-gc0c0032   (prerequisite for CVE-2014-8117)
- FILE5_20-21-g59e6383  (TEMP-0000000-C482B4)
- FILE5_20-27-gb4c0114  (CVE-2014-8116)
- FILE5_20-28-gd7cdad0  (CVE-2014-8116)
- FILE5_20-29-g6f737dd  (CVE-2014-8117)
- FILE5_20-33-g8a90571  (prerequisite for TEMP-0000000-B67840)
- FILE5_20-34-g90018fe  (regression in fix for CVE-2014-8117)
- FILE5_20-35-g5063ca3  (amendment for CVE-2014-8117)
- FILE5_20-36-g6ce24f3  (prerequisite for TEMP-0000000-B67840)
- FILE5_20-37-g0056ec3  (prerequisite for TEMP-0000000-B67840)
- FILE5_20-38-gaf444af  (prerequisite for TEMP-0000000-B67840)
- FILE5_20-40-g09e4162  (prerequisite for TEMP-0000000-B67840)
- FILE5_20-42-g6bf4527  (CVE-2014-8117)
- FILE5_20-47-g68bd843  (prerequisite for TEMP-0000000-B67840)
- FILE5_21              (prerequisite for TEMP-0000000-B67840)
- FILE5_21-10-g445c8fb  (prerequisite for TEMP-0000000-B67840)
- FILE5_21-12-gce90e05  (TEMP-0000000-B67840)
- FILE5_21-13-g65437ce  (TEMP-0000000-E110B2)
Christoph Biedl 10 years ago
parent
bb4a9759d0
commit
d77c466d55
23 changed files with 3593 additions and 0 deletions
Split View Show Diff Stats
  1. 109 0
      debian/patches/CVE-2014-8116.1.b4c0114.patch
  2. 37 0
      debian/patches/CVE-2014-8116.2.d7cdad0.patch
  3. 56 0
      debian/patches/CVE-2014-8117.1.0de3251.patch
  4. 29 0
      debian/patches/CVE-2014-8117.2.c0c0032.patch
  5. 145 0
      debian/patches/CVE-2014-8117.3.6f737dd.patch
  6. 210 0
      debian/patches/CVE-2014-8117.4.90018fe.patch
  7. 77 0
      debian/patches/CVE-2014-8117.5.5063ca3.patch
  8. 20 0
      debian/patches/CVE-2014-8117.6.6bf4527.patch
  9. 313 0
      debian/patches/TEMP-0000000-B67840.1.d68a455.patch
  10. 26 0
      debian/patches/TEMP-0000000-B67840.10.dddd3cd.patch
  11. 56 0
      debian/patches/TEMP-0000000-B67840.11.445c8fb.patch
  12. 799 0
      debian/patches/TEMP-0000000-B67840.12.ce90e05.patch
  13. 85 0
      debian/patches/TEMP-0000000-B67840.2.9b5bdd7.patch
  14. 334 0
      debian/patches/TEMP-0000000-B67840.3.c8451af.patch
  15. 23 0
      debian/patches/TEMP-0000000-B67840.4.8a90571.patch
  16. 474 0
      debian/patches/TEMP-0000000-B67840.5.6ce24f3.patch
  17. 262 0
      debian/patches/TEMP-0000000-B67840.6.0056ec3.patch
  18. 28 0
      debian/patches/TEMP-0000000-B67840.7.09e4162.patch
  19. 346 0
      debian/patches/TEMP-0000000-B67840.8.af444af.patch
  20. 59 0
      debian/patches/TEMP-0000000-B67840.9.68bd843.patch
  21. 34 0
      debian/patches/TEMP-0000000-C482B4.59e6383.patch
  22. 48 0
      debian/patches/TEMP-0000000-E110B2.65437ce.patch
  23. 23 0
      debian/patches/series

+ 109 - 0
debian/patches/CVE-2014-8116.1.b4c0114.patch
View File 

@@ -0,0 +1,109 @@
 
+Subject: Limit the number of program and section header number of sections to be (...)
 
+ID: CVE-2014-8116
 
+Upstream-Author: Christos Zoulas <christos@zoulas.com>
 
+Date: Sat Nov 22 16:04:29 2014 +0000
 
+Origin: FILE5_20-27-gb4c0114
 
+Last-Update: 2015-01-05
 
+
 
+    - limit the number of program and section header number of sections to be
 
+      processed to avoid excessive processing time.
 
+    - if a bad note is found, return 0 to stop processing immediately.
 
+
 
+diff --git a/src/elfclass.h b/src/elfclass.h
 
+index 010958a..0826ce3 100644
 
+--- a/src/elfclass.h
 
++++ b/src/elfclass.h
 
+@@ -35,10 +35,12 @@
 
+ 	switch (type) {
 
+ #ifdef ELFCORE
 
+ 	case ET_CORE:
 
++		phnum = elf_getu16(swap, elfhdr.e_phnum);
 
++		if (phnum > MAX_PHNUM)
 
++			return toomany(ms, "program", phnum);
 
+ 		flags |= FLAGS_IS_CORE;
 
+ 		if (dophn_core(ms, clazz, swap, fd,
 
+-		    (off_t)elf_getu(swap, elfhdr.e_phoff),
 
+-		    elf_getu16(swap, elfhdr.e_phnum), 
++		    (off_t)elf_getu(swap, elfhdr.e_phoff), phnum,
 
+ 		    (size_t)elf_getu16(swap, elfhdr.e_phentsize),
 
+ 		    fsize, &flags) == -1)
 
+ 			return -1;
 
+@@ -46,18 +48,24 @@
 
+ #endif
 
+ 	case ET_EXEC:
 
+ 	case ET_DYN:
 
++		phnum = elf_getu16(swap, elfhdr.e_phnum);
 
++		if (phnum > MAX_PHNUM)
 
++			return toomany(ms, "program", phnum);
 
++		shnum = elf_getu16(swap, elfhdr.e_shnum);
 
++		if (shnum > MAX_SHNUM)
 
++			return toomany(ms, "section", shnum);
 
+ 		if (dophn_exec(ms, clazz, swap, fd,
 
+-		    (off_t)elf_getu(swap, elfhdr.e_phoff),
 
+-		    elf_getu16(swap, elfhdr.e_phnum), 
++		    (off_t)elf_getu(swap, elfhdr.e_phoff), phnum,
 
+ 		    (size_t)elf_getu16(swap, elfhdr.e_phentsize),
 
+-		    fsize, &flags, elf_getu16(swap, elfhdr.e_shnum))
 
+-		    == -1)
 
++		    fsize, &flags, shnum) == -1)
 
+ 			return -1;
 
+ 		/*FALLTHROUGH*/
 
+ 	case ET_REL:
 
++		shnum = elf_getu16(swap, elfhdr.e_shnum);
 
++		if (shnum > MAX_SHNUM)
 
++			return toomany(ms, "section", shnum);
 
+ 		if (doshn(ms, clazz, swap, fd,
 
+-		    (off_t)elf_getu(swap, elfhdr.e_shoff),
 
+-		    elf_getu16(swap, elfhdr.e_shnum),
 
++		    (off_t)elf_getu(swap, elfhdr.e_shoff), shnum,
 
+ 		    (size_t)elf_getu16(swap, elfhdr.e_shentsize),
 
+ 		    fsize, &flags, elf_getu16(swap, elfhdr.e_machine),
 
+ 		    (int)elf_getu16(swap, elfhdr.e_shstrndx)) == -1)
 
+diff --git a/src/readelf.c b/src/readelf.c
 
+index 18dacdd..5a6dd41 100644
 
+--- a/src/readelf.c
 
++++ b/src/readelf.c
 
+@@ -60,6 +60,18 @@ private uint16_t getu16(int, uint16_t);
 
+ private uint32_t getu32(int, uint32_t);
 
+ private uint64_t getu64(int, uint64_t);
 
+ 
++#define MAX_PHNUM	256
 
++#define	MAX_SHNUM	1024
 
++
 
++private int
 
++toomany(struct magic_set *ms, const char *name, uint16_t num)
 
++{
 
++	if (file_printf(ms, ", too many %s header sections (%u)", name, num
 
++	    ) == -1)
 
++		return -1;
 
++	return 0;
 
++}
 
++
 
+ private uint16_t
 
+ getu16(int swap, uint16_t value)
 
+ {
 
+@@ -507,13 +519,13 @@ donote(struct magic_set *ms, void *vbuf, size_t offset, size_t size,
 
+ 	if (namesz & 0x80000000) {
 
+ 	    (void)file_printf(ms, ", bad note name size 0x%lx",
 
+ 		(unsigned long)namesz);
 
+-	    return offset;
 
++	    return 0;
 
+ 	}
 
+ 
+ 	if (descsz & 0x80000000) {
 
+ 	    (void)file_printf(ms, ", bad note description size 0x%lx",
 
+ 		(unsigned long)descsz);
 
+-	    return offset;
 
++	    return 0;
 
+ 	}
 
+ 
+ 
+@@ -1198,7 +1210,7 @@ file_tryelf(struct magic_set *ms, int fd, const unsigned char *buf,
 
+ 	int flags = 0;
 
+ 	Elf32_Ehdr elf32hdr;
 
+ 	Elf64_Ehdr elf64hdr;
 
+-	uint16_t type;
 
++	uint16_t type, phnum, shnum;
 
+ 
+ 	if (ms->flags & (MAGIC_MIME|MAGIC_APPLE))
 
+ 		return 0;

+ 37 - 0
debian/patches/CVE-2014-8116.2.d7cdad0.patch
View File 

@@ -0,0 +1,37 @@
 
+Subject: Stop reporting bad capabilities after the first few
 
+ID: CVE-2014-8116
 
+Upstream-Author: Christos Zoulas <christos@zoulas.com>
 
+Date: Sat Nov 22 23:57:44 2014 +0000
 
+Origin: FILE5_20-28-gd7cdad0
 
+Last-Update: 2015-01-05
 
+
 
+diff --git a/src/readelf.c b/src/readelf.c
 
+index 5a6dd41..e0b252d 100644
 
+--- a/src/readelf.c
 
++++ b/src/readelf.c
 
+@@ -923,6 +923,7 @@ doshn(struct magic_set *ms, int clazz, int swap, int fd, off_t off, int num,
 
+ 	Elf32_Shdr sh32;
 
+ 	Elf64_Shdr sh64;
 
+ 	int stripped = 1;
 
++	size_t nbadcap = 0;
 
+ 	void *nbuf;
 
+ 	off_t noff, coff, name_off;
 
+ 	uint64_t cap_hw1 = 0;	/* SunOS 5.x hardware capabilites */
 
+@@ -995,6 +996,8 @@ doshn(struct magic_set *ms, int clazz, int swap, int fd, off_t off, int num,
 
+ 			free(nbuf);
 
+ 			break;
 
+ 		case SHT_SUNW_cap:
 
++			if (nbadcap > 5)
 
++				break;
 
+ 			if (lseek(fd, (off_t)xsh_offset, SEEK_SET) ==
 
+ 			    (off_t)-1) {
 
+ 				file_badseek(ms);
 
+@@ -1031,6 +1034,8 @@ doshn(struct magic_set *ms, int clazz, int swap, int fd, off_t off, int num,
 
+ 					    (unsigned long long)xcap_tag,
 
+ 					    (unsigned long long)xcap_val) == -1)
 
+ 						return -1;
 
++					if (nbadcap++ > 2)
 
++						coff = xsh_size;
 
+ 					break;
 
+ 				}
 
+ 			}

+ 56 - 0
debian/patches/CVE-2014-8117.1.0de3251.patch
View File 

@@ -0,0 +1,56 @@
 
+Subject: Only print the description for indirect offsets if a match was found, and add the offset as the number to print
 
+Upstream-Author: Christos Zoulas <christos@zoulas.com>
 
+Date: Fri Apr 6 21:15:54 2012 +0000
 
+Origin: FILE5_11-8-g0de3251
 
+Last-Update: 2015-01-05
 
+
 
+    - only print the description for indirect offsets if a match was found,
 
+    and add the offset as the number to print.
 
+
 
+(prequisite for CVE-2014-8117)
 
+
 
+diff --git a/src/softmagic.c b/src/softmagic.c
 
+index c77b619..bcd7f02 100644
 
+--- a/src/softmagic.c
 
++++ b/src/softmagic.c
 
+@@ -1041,6 +1041,8 @@ mget(struct magic_set *ms, const unsigned char *s,
 
+     int recursion_level)
 
+ {
 
+ 	uint32_t offset = ms->offset;
 
++	int rv;
 
++	char *sbuf, *rbuf;
 
+ 	union VALUETYPE *p = &ms->ms_value;
 
+ 
+         if (recursion_level >= 20) {
 
+@@ -1604,13 +1606,26 @@ mget(struct magic_set *ms, const unsigned char *s,
 
+ 	case FILE_INDIRECT:
 
+ 		if (offset == 0)
 
+ 			return 0;
 
+-	  	if ((ms->flags & (MAGIC_MIME|MAGIC_APPLE)) == 0 &&
 
+-		    file_printf(ms, "%s", m->desc) == -1)
 
+-			return -1;
 
+-		if (OFFSET_OOB(nbytes, offset, 0))
 
++		if (nbytes < offset)
 
+ 			return 0;
 
+-		return file_softmagic(ms, s + offset, nbytes - offset,
 
++		sbuf = ms->o.buf;
 
++		ms->o.buf = NULL;
 
++		rv = file_softmagic(ms, s + offset, nbytes - offset,
 
+ 		    recursion_level, BINTEST, text);
 
++		if ((ms->flags & MAGIC_DEBUG) != 0)
 
++			fprintf(stderr, "indirect @offs=%u[%d]\n", offset, rv);
 
++		if (rv == 1) {
 
++			rbuf = ms->o.buf;
 
++			ms->o.buf = sbuf;
 
++			if ((ms->flags & (MAGIC_MIME|MAGIC_APPLE)) == 0 &&
 
++			    file_printf(ms, m->desc, offset) == -1)
 
++				return -1;
 
++			if (file_printf(ms, "%s", rbuf) == -1)
 
++				return -1;
 
++			free(rbuf);
 
++		} else
 
++			ms->o.buf = sbuf;
 
++		return rv;
 
+ 
+ 	case FILE_DEFAULT:	/* nothing to check */
 
+ 	default:

+ 29 - 0
debian/patches/CVE-2014-8117.2.c0c0032.patch
View File 

@@ -0,0 +1,29 @@
 
+Subject: Fix memory leak (Anatol Belski)
 
+Upstream-Author: Christos Zoulas <christos@zoulas.com>
 
+Date: Fri Feb 21 14:32:48 2014 +0000
 
+Origin: FILE5_17-8-gc0c0032
 
+Last-Update: 2015-01-05
 
+
 
+(prequisite for CVE-2014-8117)
 
+
 
+diff --git a/src/softmagic.c b/src/softmagic.c
 
+index bcd7f02..82603bf 100644
 
+--- a/src/softmagic.c
 
++++ b/src/softmagic.c
 
+@@ -1618,10 +1618,14 @@ mget(struct magic_set *ms, const unsigned char *s,
 
+ 			rbuf = ms->o.buf;
 
+ 			ms->o.buf = sbuf;
 
+ 			if ((ms->flags & (MAGIC_MIME|MAGIC_APPLE)) == 0 &&
 
+-			    file_printf(ms, m->desc, offset) == -1)
 
++			    file_printf(ms, m->desc, offset) == -1) {
 
++				free(rbuf);
 
+ 				return -1;
 
+-			if (file_printf(ms, "%s", rbuf) == -1)
 
++			}
 
++			if (file_printf(ms, "%s", rbuf) == -1) {
 
++				free(rbuf);
 
+ 				return -1;
 
++			}
 
+ 			free(rbuf);
 
+ 		} else
 
+ 			ms->o.buf = sbuf;

+ 145 - 0
debian/patches/CVE-2014-8117.3.6f737dd.patch
View File 

@@ -0,0 +1,145 @@
 
+Subject: Reduce recursion level from 20 to 10 and make a symbolic constant for it. (...)
 
+ID: CVE-2014-8117
 
+Upstream-Author: Christos Zoulas <christos@zoulas.com>
 
+Date: Sun Nov 23 13:54:27 2014 +0000
 
+Origin: FILE5_20-29-g6f737dd
 
+Last-Update: 2015-01-05
 
+
 
+    - reduce recursion level from 20 to 10 and make a symbolic constant for it.
 
+    - pull out the guts of saving and restoring the output buffer into functions
 
+      and take care not to overwrite the error message if an error happened.
 
+
 
+diff --git a/src/file.h b/src/file.h
 
+index de262b2..6f61643 100644
 
+--- a/src/file.h
 
++++ b/src/file.h
 
+@@ -444,6 +444,14 @@ protected int file_os2_apptype(struct magic_set *, const char *, const void *,
 
+ #endif /* __EMX__ */
 
+ 
+ 
++typedef struct {
 
++	char *buf;
 
++	uint32_t offset;
 
++} file_pushbuf_t;
 
++
 
++protected file_pushbuf_t *file_push_buffer(struct magic_set *);
 
++protected char  *file_pop_buffer(struct magic_set *, file_pushbuf_t *);
 
++
 
+ #ifndef COMPILE_ONLY
 
+ extern const char *file_names[];
 
+ extern const size_t file_nnames;
 
+diff --git a/src/funcs.c b/src/funcs.c
 
+index 0d645eb..04bab02 100644
 
+--- a/src/funcs.c
 
++++ b/src/funcs.c
 
+@@ -459,3 +459,43 @@ file_replace(struct magic_set *ms, const char *pat, const char *rep)
 
+ 		return nm;
 
+ 	}
 
+ }
 
++
 
++protected file_pushbuf_t *
 
++file_push_buffer(struct magic_set *ms)
 
++{
 
++	file_pushbuf_t *pb;
 
++
 
++	if (ms->event_flags & EVENT_HAD_ERR)
 
++		return NULL;
 
++
 
++	if ((pb = (CAST(file_pushbuf_t *, malloc(sizeof(*pb))))) == NULL)
 
++		return NULL;
 
++
 
++	pb->buf = ms->o.buf;
 
++	pb->offset = ms->offset;
 
++
 
++	ms->o.buf = NULL;
 
++	ms->offset = 0;
 
++
 
++	return pb;
 
++}
 
++
 
++protected char *
 
++file_pop_buffer(struct magic_set *ms, file_pushbuf_t *pb)
 
++{
 
++	char *rbuf;
 
++
 
++	if (ms->event_flags & EVENT_HAD_ERR) {
 
++		free(pb->buf);
 
++		free(pb);
 
++		return NULL;
 
++	}
 
++
 
++	rbuf = ms->o.buf;
 
++
 
++	ms->o.buf = pb->buf;
 
++	ms->offset = pb->offset;
 
++
 
++	free(pb);
 
++	return rbuf;
 
++}
 
+diff --git a/src/softmagic.c b/src/softmagic.c
 
+index 72eae4b..0ace99f 100644
 
+--- a/src/softmagic.c
 
++++ b/src/softmagic.c
 
+@@ -61,6 +61,9 @@ private void cvt_32(union VALUETYPE *, const struct magic *);
 
+ private void cvt_64(union VALUETYPE *, const struct magic *);
 
+ 
+ #define OFFSET_OOB(n, o, i)	((n) < (o) || (i) > ((n) - (o)))
 
++
 
++#define MAX_RECURSION_LEVEL	10
 
++
 
+ /*
 
+  * softmagic - lookup one file in parsed, in-memory copy of database
 
+  * Passed the name and FILE * of one file to be typed.
 
+@@ -1044,11 +1047,12 @@ mget(struct magic_set *ms, const unsigned char *s,
 
+     int recursion_level)
 
+ {
 
+ 	uint32_t offset = ms->offset;
 
++	file_pushbuf_t *pb;
 
+ 	int rv;
 
+-	char *sbuf, *rbuf;
 
++	char *rbuf;
 
+ 	union VALUETYPE *p = &ms->ms_value;
 
+ 
+-        if (recursion_level >= 20) {
 
++	if (recursion_level >= MAX_RECURSION_LEVEL) {
 
+                 file_error(ms, 0, "recursion nesting exceeded");
 
+                 return -1;
 
+         }
 
+@@ -1611,15 +1615,21 @@ mget(struct magic_set *ms, const unsigned char *s,
 
+ 			return 0;
 
+ 		if (nbytes < offset)
 
+ 			return 0;
 
+-		sbuf = ms->o.buf;
 
+-		ms->o.buf = NULL;
 
++
 
++		if ((pb = file_push_buffer(ms)) == NULL)
 
++			return -1;
 
++
 
+ 		rv = file_softmagic(ms, s + offset, nbytes - offset,
 
+ 		    recursion_level, BINTEST, text);
 
++
 
+ 		if ((ms->flags & MAGIC_DEBUG) != 0)
 
+ 			fprintf(stderr, "indirect @offs=%u[%d]\n", offset, rv);
 
++
 
++		rbuf = file_pop_buffer(ms, pb);
 
++		if (rbuf == NULL)
 
++			return -1;
 
++
 
+ 		if (rv == 1) {
 
+-			rbuf = ms->o.buf;
 
+-			ms->o.buf = sbuf;
 
+ 			if ((ms->flags & (MAGIC_MIME|MAGIC_APPLE)) == 0 &&
 
+ 			    file_printf(ms, m->desc, offset) == -1) {
 
+ 				free(rbuf);
 
+@@ -1629,9 +1639,8 @@ mget(struct magic_set *ms, const unsigned char *s,
 
+ 				free(rbuf);
 
+ 				return -1;
 
+ 			}
 
+-			free(rbuf);
 
+-		} else
 
+-			ms->o.buf = sbuf;
 
++		}
 
++		free(rbuf);
 
+ 		return rv;
 
+ 
+ 	case FILE_DEFAULT:	/* nothing to check */

+ 210 - 0
debian/patches/CVE-2014-8117.4.90018fe.patch
View File 

@@ -0,0 +1,210 @@
 
+Subject: Bump recursion to 15, and allow it to be set from the command line
 
+Upstream-Author: Christos Zoulas <christos@zoulas.com>
 
+Date: Thu Nov 27 15:40:36 2014 +0000
 
+Origin: FILE5_20-34-g90018fe
 
+Last-Update: 2015-01-05
 
+
 
+diff --git a/src/file.c b/src/file.c
 
+index 408ec63..2f3cf9d 100644
 
+--- a/src/file.c
 
++++ b/src/file.c
 
+@@ -101,7 +101,7 @@ private const struct option long_options[] = {
 
+ #undef OPT_LONGONLY
 
+     {0, 0, NULL, 0}
 
+ };
 
+-#define OPTSTRING	"bcCde:f:F:hiklLm:nNprsvz0"
 
++#define OPTSTRING	"bcCde:f:F:hiklLm:nNprR:svz0"
 
+ 
+ private const struct {
 
+ 	const char *name;
 
+@@ -140,6 +140,7 @@ main(int argc, char *argv[])
 
+ 	size_t i;
 
+ 	int action = 0, didsomefiles = 0, errflg = 0;
 
+ 	int flags = 0, e = 0;
 
++	size_t max_recursion = 0;
 
+ 	struct magic_set *magic = NULL;
 
+ 	int longindex;
 
+ 	const char *magicfile = NULL;		/* where the magic is	*/
 
+@@ -243,6 +244,9 @@ main(int argc, char *argv[])
 
+ 		case 'r':
 
+ 			flags |= MAGIC_RAW;
 
+ 			break;
 
++		case 'R':
 
++			max_recursion = atoi(optarg);
 
++			break;
 
+ 		case 's':
 
+ 			flags |= MAGIC_DEVICES;
 
+ 			break;
 
+@@ -290,6 +294,8 @@ main(int argc, char *argv[])
 
+ 			    strerror(errno));
 
+ 			return 1;
 
+ 		}
 
++
 
++
 
+ 		switch(action) {
 
+ 		case FILE_CHECK:
 
+ 			c = magic_check(magic, magicfile);
 
+@@ -313,6 +319,15 @@ main(int argc, char *argv[])
 
+ 		if (magic == NULL)
 
+ 			if ((magic = load(magicfile, flags)) == NULL)
 
+ 				return 1;
 
++		if (max_recursion) {
 
++			if (magic_setparam(magic, MAGIC_PARAM_MAX_RECURSION,
 
++			    &max_recursion) == -1) {
 
++				(void)fprintf(stderr,
 
++				    "%s: Can't set recurision %s\n", progname,
 
++				    strerror(errno));
 
++				return 1;
 
++			}
 
++		}
 
+ 		break;
 
+ 	}
 
+ 
+diff --git a/src/file.h b/src/file.h
 
+index 6f61643..71a3aeb 100644
 
+--- a/src/file.h
 
++++ b/src/file.h
 
+@@ -380,6 +380,8 @@ struct magic_set {
 
+ 	/* FIXME: Make the string dynamically allocated so that e.g.
 
+ 	   strings matched in files can be longer than MAXstring */
 
+ 	union VALUETYPE ms_value;	/* either number or string */
 
++	size_t max_recursion;
 
++#define	FILE_MAX_RECURSION	15
 
+ };
 
+ 
+ /* Type for Unicode characters */
 
+diff --git a/src/file_opts.h b/src/file_opts.h
 
+index 8a17672..4245447 100644
 
+--- a/src/file_opts.h
 
++++ b/src/file_opts.h
 
+@@ -44,6 +44,7 @@ OPT('0', "print0", 0, "               terminate filenames with ASCII NUL\n")
 
+ OPT('p', "preserve-date", 0, "        preserve access times on files\n")
 
+ #endif
 
+ OPT('r', "raw", 0, "                  don't translate unprintable chars to \\ooo\n")
 
++OPT('R', "recursion", 0, "            set maximum recursion level\n")
 
+ OPT('s', "special-files", 0, "        treat special (block/char devices) files as\n"
 
+     "                             ordinary ones\n")
 
+ OPT('C', "compile", 0, "              compile file specified by -m\n")
 
+diff --git a/src/magic.c b/src/magic.c
 
+index 5403951..2a916c7 100644
 
+--- a/src/magic.c
 
++++ b/src/magic.c
 
+@@ -233,6 +233,7 @@ magic_open(int flags)
 
+ 	ms->mlist = NULL;
 
+ 	ms->file = "unknown";
 
+ 	ms->line = 0;
 
++	ms->max_recursion = FILE_MAX_RECURSION;
 
+ 	return ms;
 
+ free:
 
+ 	free(ms);
 
+@@ -511,3 +512,29 @@ magic_setflags(struct magic_set *ms, int flags)
 
+ 	ms->flags = flags;
 
+ 	return 0;
 
+ }
 
++
 
++public int
 
++magic_setparam(struct magic_set *ms, int param, const void *val)
 
++{
 
++	switch (param) {
 
++	case MAGIC_PARAM_MAX_RECURSION:
 
++		ms->max_recursion = *(const size_t *)val;
 
++		return 0;
 
++	default:
 
++		errno = EINVAL;
 
++		return -1;
 
++	}
 
++}
 
++
 
++public int
 
++magic_getparam(struct magic_set *ms, int param, void *val)
 
++{
 
++	switch (param) {
 
++	case MAGIC_PARAM_MAX_RECURSION:
 
++		*(size_t *)val = ms->max_recursion;
 
++		return 0;
 
++	default:
 
++		errno = EINVAL;
 
++		return -1;
 
++	}
 
++}
 
+diff --git a/src/magic.h b/src/magic.h
 
+index 2bbed76..3d9ee8a 100644
 
+--- a/src/magic.h
 
++++ b/src/magic.h
 
+@@ -92,11 +92,17 @@ const char *magic_error(magic_t);
 
+ int magic_setflags(magic_t, int);
 
+ 
+ int magic_load(magic_t, const char *);
 
++int magic_load_buffers(magic_t, void **, size_t *, size_t);
 
++
 
+ int magic_compile(magic_t, const char *);
 
+ int magic_check(magic_t, const char *);
 
+ int magic_list(magic_t, const char *);
 
+ int magic_errno(magic_t);
 
+ 
++#define MAGIC_PARAM_MAX_RECURSION	0
 
++int magic_setparam(magic_t, int, const void *);
 
++int magic_getparam(magic_t, int, void *);
 
++
 
+ #ifdef __cplusplus
 
+ };
 
+ #endif
 
+diff --git a/src/softmagic.c b/src/softmagic.c
 
+index 0ace99f..188e66b 100644
 
+--- a/src/softmagic.c
 
++++ b/src/softmagic.c
 
+@@ -43,9 +43,9 @@ FILE_RCSID("@(#)$File: softmagic.c,v 1.147 2011/11/05 15:44:22 rrt Exp $")
 
+ 
+ 
+ private int match(struct magic_set *, struct magic *, uint32_t,
 
+-    const unsigned char *, size_t, int, int, int);
 
++    const unsigned char *, size_t, int, int, size_t);
 
+ private int mget(struct magic_set *, const unsigned char *,
 
+-    struct magic *, size_t, unsigned int, int, int);
 
++    struct magic *, size_t, unsigned int, int, size_t);
 
+ private int magiccheck(struct magic_set *, struct magic *);
 
+ private int32_t mprint(struct magic_set *, struct magic *);
 
+ private int32_t moffset(struct magic_set *, struct magic *);
 
+@@ -62,8 +62,6 @@ private void cvt_64(union VALUETYPE *, const struct magic *);
 
+ 
+ #define OFFSET_OOB(n, o, i)	((n) < (o) || (i) > ((n) - (o)))
 
+ 
+-#define MAX_RECURSION_LEVEL	10
 
+-
 
+ /*
 
+  * softmagic - lookup one file in parsed, in-memory copy of database
 
+  * Passed the name and FILE * of one file to be typed.
 
+@@ -113,7 +111,7 @@ file_softmagic(struct magic_set *ms, const unsigned char *buf, size_t nbytes,
 
+ private int
 
+ match(struct magic_set *ms, struct magic *magic, uint32_t nmagic,
 
+     const unsigned char *s, size_t nbytes, int mode, int text,
 
+-    int recursion_level)
 
++    size_t recursion_level)
 
+ {
 
+ 	uint32_t magindex = 0;
 
+ 	unsigned int cont_level = 0;
 
+@@ -1044,7 +1042,7 @@ mcopy(struct magic_set *ms, union VALUETYPE *p, int type, int indir,
 
+ private int
 
+ mget(struct magic_set *ms, const unsigned char *s,
 
+     struct magic *m, size_t nbytes, unsigned int cont_level, int text,
 
+-    int recursion_level)
 
++    size_t recursion_level)
 
+ {
 
+ 	uint32_t offset = ms->offset;
 
+ 	file_pushbuf_t *pb;
 
+@@ -1052,10 +1050,11 @@ mget(struct magic_set *ms, const unsigned char *s,
 
+ 	char *rbuf;
 
+ 	union VALUETYPE *p = &ms->ms_value;
 
+ 
+-	if (recursion_level >= MAX_RECURSION_LEVEL) {
 
+-                file_error(ms, 0, "recursion nesting exceeded");
 
+-                return -1;
 
+-        }
 
++	if (recursion_level >= ms->max_recursion) {
 
++		file_error(ms, 0, "recursion nesting (%zu) exceeded",
 
++		    recursion_level);
 
++		return -1;
 
++	}
 
+ 
+ 	if (mcopy(ms, p, m->type, m->flag & INDIR, s, offset,
 
+ 	    (uint32_t)nbytes, m) == -1)

+ 77 - 0
debian/patches/CVE-2014-8117.5.5063ca3.patch
View File 

@@ -0,0 +1,77 @@
 
+Subject: Document changes
 
+Upstream-Author: Christos Zoulas <christos@zoulas.com>
 
+Date: Thu Nov 27 16:15:06 2014 +0000
 
+Origin: FILE5_20-35-g5063ca3
 
+Last-Update: 2015-01-05
 
+
 
+diff --git a/doc/file.man b/doc/file.man
 
+index b8f7e84..f6c91e7 100644
 
+--- a/doc/file.man
 
++++ b/doc/file.man
 
+@@ -16,6 +16,7 @@
 
+ .Op Fl F Ar separator
 
+ .Op Fl f Ar namefile
 
+ .Op Fl m Ar magicfiles
 
++.Op Fl R Ar maxrecursion
 
+ .Ar
 
+ .Ek
 
+ .Nm
 
+@@ -295,6 +296,11 @@ Don't translate unprintable characters to \eooo.
 
+ Normally
 
+ .Nm
 
+ translates unprintable characters to their octal representation.
 
++.It Fl R , Fl Fl recursion Ar maxlevel
 
++Set the maximum recursion level for indirect type magic or name/use entry
 
++invocations.
 
++The default is
 
++.Dv 15 .
 
+ .It Fl s , Fl Fl special-files
 
+ Normally,
 
+ .Nm
 
+diff --git a/doc/libmagic.man b/doc/libmagic.man
 
+index 272b838..0a2ed9a 100644
 
+--- a/doc/libmagic.man
 
++++ b/doc/libmagic.man
 
+@@ -37,7 +37,8 @@
 
+ .Nm magic_setflags ,
 
+ .Nm magic_check ,
 
+ .Nm magic_compile ,
 
+-.Nm magic_load
 
++.Nm magic_setparam ,
 
++.Nm magic_getparam ,
 
+ .Nd Magic number recognition library
 
+ .Sh LIBRARY
 
+ .Lb libmagic
 
+@@ -67,6 +68,10 @@
 
+ .Fn magic_list "magic_t cookie" "const char *filename"
 
+ .Ft int
 
+ .Fn magic_load "magic_t cookie" "const char *filename"
 
++.Ft int
 
++.Fn magic_getparam "magic_t cookie" "int param" "void *value"
 
++.Ft int
 
++.Fn magic_setparam "magic_t cookie" "int param" "const void *value"
 
+ .Sh DESCRIPTION
 
+ These functions
 
+ operate on the magic database file
 
+@@ -246,6 +251,21 @@ If that variable is not set, the default database file name is __MAGIC__.
 
+ adds
 
+ .Dq .mgc
 
+ to the database filename as appropriate.
 
++.Pp
 
++The
 
++.Fn magic_getparam
 
++and
 
++.Fn magic_setparam
 
++allow getting and setting various limits related to the the magic
 
++library.
 
++.Bl -column "MAGIC_PARAM_MAX_RECURSION" "size_t" "Default" -offset indent
 
++.It Sy "Parameter" Ta Sy "Type" Ta Sy "Default
 
++.It Li MAGIC_PARAM_MAX_RECURSION Ta size_t Ta 15
 
++.El
 
++The
 
++.Dv MAGIC_PARAM_MAX_RECURSION
 
++parameter controls how many levels of recursion will be followed for
 
++indirect magic entries or for name/use calls.
 
+ .Sh RETURN VALUES
 
+ The function
 
+ .Fn magic_open

+ 20 - 0
debian/patches/CVE-2014-8117.6.6bf4527.patch
View File 

@@ -0,0 +1,20 @@
 
+Subject: Don't bail if there was no error, buf could have been NULL on entry
 
+ID: CVE-2014-8117
 
+Upstream-Author: Christos Zoulas <christos@zoulas.com>
 
+Date: Thu Dec 4 15:22:05 2014 +0000
 
+Origin: FILE5_20-42-g6bf4527
 
+Last-Update: 2015-01-05
 
+
 
+diff --git a/src/softmagic.c b/src/softmagic.c
 
+index 9a13acb..50aca88 100644
 
+--- a/src/softmagic.c
 
++++ b/src/softmagic.c
 
+@@ -1637,7 +1637,7 @@ mget(struct magic_set *ms, const unsigned char *s,
 
+ 			fprintf(stderr, "indirect @offs=%u[%d]\n", offset, rv);
 
+ 
+ 		rbuf = file_pop_buffer(ms, pb);
 
+-		if (rbuf == NULL)
 
++		if (rbuf == NULL && ms->event_flags & EVENT_HAD_ERR)
 
+ 			return -1;
 
+ 
+ 		if (rv == 1) {

+ 313 - 0
debian/patches/TEMP-0000000-B67840.1.d68a455.patch
View File 

@@ -0,0 +1,313 @@
 
+Subject: Use pread (...)
 
+Upstream-Author: Christos Zoulas <christos@zoulas.com>
 
+Date: Mon Feb 18 15:40:59 2013 +0000
 
+Origin: FILE5_12-64-gd68a455
 
+Last-Update: 2015-01-05
 
+
 
+    - use pread
 
+    - add reading of section header names to determine if an ELF file is stripped
 
+      (Jan Kaluza)
 
+
 
+(prequisite for TEMP-0000000-B67840)
 
+
 
+diff --git a/configure.ac b/configure.ac
 
+index 1511c9a..97a4689 100644
 
+--- a/configure.ac
 
++++ b/configure.ac
 
+@@ -159,7 +159,7 @@ dnl Checks for functions
 
+ AC_CHECK_FUNCS(mmap strerror strndup strtoul mbrtowc mkstemp utimes utime wcwidth strtof fork)
 
+ 
+ dnl Provide implementation of some required functions if necessary
 
+-AC_REPLACE_FUNCS(getopt_long asprintf vasprintf strlcpy strlcat getline)
 
++AC_REPLACE_FUNCS(getopt_long asprintf vasprintf strlcpy strlcat getline pread)
 
+ 
+ dnl Checks for libraries
 
+ AC_CHECK_LIB(z,gzopen)
 
+diff --git a/src/elfclass.h b/src/elfclass.h
 
+index 2e7741b..010958a 100644
 
+--- a/src/elfclass.h
 
++++ b/src/elfclass.h
 
+@@ -59,7 +59,8 @@
 
+ 		    (off_t)elf_getu(swap, elfhdr.e_shoff),
 
+ 		    elf_getu16(swap, elfhdr.e_shnum),
 
+ 		    (size_t)elf_getu16(swap, elfhdr.e_shentsize),
 
+-		    fsize, &flags, elf_getu16(swap, elfhdr.e_machine)) == -1)
 
++		    fsize, &flags, elf_getu16(swap, elfhdr.e_machine),
 
++		    (int)elf_getu16(swap, elfhdr.e_shstrndx)) == -1)
 
+ 			return -1;
 
+ 		break;
 
+ 
+diff --git a/src/file.h b/src/file.h
 
+index e02009f..de262b2 100644
 
+--- a/src/file.h
 
++++ b/src/file.h
 
+@@ -460,6 +460,9 @@ extern char *sys_errlist[];
 
+ #define strtoul(a, b, c)	strtol(a, b, c)
 
+ #endif
 
+ 
++#ifndef HAVE_PREAD
 
++ssize_t pread(int, void *, size_t, off_t);
 
++#endif
 
+ #ifndef HAVE_VASPRINTF
 
+ int vasprintf(char **, const char *, va_list);
 
+ #endif
 
+diff --git a/src/pread.c b/src/pread.c
 
+new file mode 100644
 
+index 0000000..94eca15
 
+--- /dev/null
 
++++ b/src/pread.c
 
+@@ -0,0 +1,14 @@
 
++#include "file.h"
 
++#ifndef lint
 
++FILE_RCSID("@(#)$File: ctime_r.c,v 1.1 2012/05/15 17:14:36 christos Exp $")
 
++#endif  /* lint */
 
++#include <fcntl.h>
 
++#include <unistd.h>
 
++
 
++ssize_t
 
++pread(int fd, void *buf, ssize_t len, off_t off) {
 
++	if (lseek(fd, off, SEEK_SET) == (off_t)-1)
 
++		return -1;
 
++
 
++	return read(fd, buf, len);
 
++}
 
+diff --git a/src/readelf.c b/src/readelf.c
 
+index 966805a..314adb7 100644
 
+--- a/src/readelf.c
 
++++ b/src/readelf.c
 
+@@ -48,7 +48,7 @@ private int dophn_core(struct magic_set *, int, int, int, off_t, int, size_t,
 
+ private int dophn_exec(struct magic_set *, int, int, int, off_t, int, size_t,
 
+     off_t, int *, int);
 
+ private int doshn(struct magic_set *, int, int, int, off_t, int, size_t,
 
+-    off_t, int *, int);
 
++    off_t, int *, int, int);
 
+ private size_t donote(struct magic_set *, void *, size_t, size_t, int,
 
+     int, size_t, int *);
 
+ 
+@@ -129,19 +129,21 @@ getu64(int swap, uint64_t value)
 
+ #define elf_getu32(swap, value) getu32(swap, value)
 
+ #ifdef USE_ARRAY_FOR_64BIT_TYPES
 
+ # define elf_getu64(swap, array) \
 
+-	((swap ? ((uint64_t)elf_getu32(swap, array[0])) << 32 : elf_getu32(swap, array[0])) + \
 
+-	 (swap ? elf_getu32(swap, array[1]) : ((uint64_t)elf_getu32(swap, array[1]) << 32)))
 
++    ((swap ? ((uint64_t)elf_getu32(swap, array[0])) << 32 \
 
++     : elf_getu32(swap, array[0])) + \
 
++     (swap ? elf_getu32(swap, array[1]) : \
 
++     ((uint64_t)elf_getu32(swap, array[1]) << 32)))
 
+ #else
 
+ # define elf_getu64(swap, value) getu64(swap, value)
 
+ #endif
 
+ 
+ #define xsh_addr	(clazz == ELFCLASS32			\
 
+-			 ? (void *) &sh32			\
 
+-			 : (void *) &sh64)
 
++			 ? (void *)&sh32			\
 
++			 : (void *)&sh64)
 
+ #define xsh_sizeof	(clazz == ELFCLASS32			\
 
+-			 ? sizeof sh32				\
 
+-			 : sizeof sh64)
 
+-#define xsh_size	(clazz == ELFCLASS32			\
 
++			 ? sizeof(sh32)				\
 
++			 : sizeof(sh64))
 
++#define xsh_size	(size_t)(clazz == ELFCLASS32		\
 
+ 			 ? elf_getu32(swap, sh32.sh_size)	\
 
+ 			 : elf_getu64(swap, sh64.sh_size))
 
+ #define xsh_offset	(off_t)(clazz == ELFCLASS32		\
 
+@@ -150,12 +152,15 @@ getu64(int swap, uint64_t value)
 
+ #define xsh_type	(clazz == ELFCLASS32			\
 
+ 			 ? elf_getu32(swap, sh32.sh_type)	\
 
+ 			 : elf_getu32(swap, sh64.sh_type))
 
++#define xsh_name    	(clazz == ELFCLASS32			\
 
++			 ? elf_getu32(swap, sh32.sh_name)	\
 
++			 : elf_getu32(swap, sh64.sh_name))
 
+ #define xph_addr	(clazz == ELFCLASS32			\
 
+ 			 ? (void *) &ph32			\
 
+ 			 : (void *) &ph64)
 
+ #define xph_sizeof	(clazz == ELFCLASS32			\
 
+-			 ? sizeof ph32				\
 
+-			 : sizeof ph64)
 
++			 ? sizeof(ph32)				\
 
++			 : sizeof(ph64))
 
+ #define xph_type	(clazz == ELFCLASS32			\
 
+ 			 ? elf_getu32(swap, ph32.p_type)	\
 
+ 			 : elf_getu32(swap, ph64.p_type))
 
+@@ -171,8 +176,8 @@ getu64(int swap, uint64_t value)
 
+ 			 ? elf_getu32(swap, ph32.p_filesz)	\
 
+ 			 : elf_getu64(swap, ph64.p_filesz)))
 
+ #define xnh_addr	(clazz == ELFCLASS32			\
 
+-			 ? (void *) &nh32			\
 
+-			 : (void *) &nh64)
 
++			 ? (void *)&nh32			\
 
++			 : (void *)&nh64)
 
+ #define xph_memsz	(size_t)((clazz == ELFCLASS32		\
 
+ 			 ? elf_getu32(swap, ph32.p_memsz)	\
 
+ 			 : elf_getu64(swap, ph64.p_memsz)))
 
+@@ -192,8 +197,8 @@ getu64(int swap, uint64_t value)
 
+ 			 ? prpsoffsets32[i]			\
 
+ 			 : prpsoffsets64[i])
 
+ #define xcap_addr	(clazz == ELFCLASS32			\
 
+-			 ? (void *) &cap32			\
 
+-			 : (void *) &cap64)
 
++			 ? (void *)&cap32			\
 
++			 : (void *)&cap64)
 
+ #define xcap_sizeof	(clazz == ELFCLASS32			\
 
+ 			 ? sizeof cap32				\
 
+ 			 : sizeof cap64)
 
+@@ -295,7 +300,7 @@ dophn_core(struct magic_set *ms, int clazz, int swap, int fd, off_t off,
 
+ {
 
+ 	Elf32_Phdr ph32;
 
+ 	Elf64_Phdr ph64;
 
+-	size_t offset;
 
++	size_t offset, len;
 
+ 	unsigned char nbuf[BUFSIZ];
 
+ 	ssize_t bufsize;
 
+ 
+@@ -309,11 +314,7 @@ dophn_core(struct magic_set *ms, int clazz, int swap, int fd, off_t off,
 
+ 	 * Loop through all the program headers.
 
+ 	 */
 
+ 	for ( ; num; num--) {
 
+-		if (lseek(fd, off, SEEK_SET) == (off_t)-1) {
 
+-			file_badseek(ms);
 
+-			return -1;
 
+-		}
 
+-		if (read(fd, xph_addr, xph_sizeof) == -1) {
 
++		if (pread(fd, xph_addr, xph_sizeof, off) == -1) {
 
+ 			file_badread(ms);
 
+ 			return -1;
 
+ 		}
 
+@@ -331,13 +332,8 @@ dophn_core(struct magic_set *ms, int clazz, int swap, int fd, off_t off,
 
+ 		 * This is a PT_NOTE section; loop through all the notes
 
+ 		 * in the section.
 
+ 		 */
 
+-		if (lseek(fd, xph_offset, SEEK_SET) == (off_t)-1) {
 
+-			file_badseek(ms);
 
+-			return -1;
 
+-		}
 
+-		bufsize = read(fd, nbuf,
 
+-		    ((xph_filesz < sizeof(nbuf)) ? xph_filesz : sizeof(nbuf)));
 
+-		if (bufsize == -1) {
 
++		len = xph_filesz < sizeof(nbuf) ? xph_filesz : sizeof(nbuf);
 
++		if ((bufsize = pread(fd, nbuf, len, xph_offset)) == -1) {
 
+ 			file_badread(ms);
 
+ 			return -1;
 
+ 		}
 
+@@ -849,15 +845,16 @@ static const cap_desc_t cap_desc_386[] = {
 
+ 
+ private int
 
+ doshn(struct magic_set *ms, int clazz, int swap, int fd, off_t off, int num,
 
+-    size_t size, off_t fsize, int *flags, int mach)
 
++    size_t size, off_t fsize, int *flags, int mach, int strtab)
 
+ {
 
+ 	Elf32_Shdr sh32;
 
+ 	Elf64_Shdr sh64;
 
+ 	int stripped = 1;
 
+ 	void *nbuf;
 
+-	off_t noff, coff;
 
++	off_t noff, coff, name_off;
 
+ 	uint64_t cap_hw1 = 0;	/* SunOS 5.x hardware capabilites */
 
+ 	uint64_t cap_sf1 = 0;	/* SunOS 5.x software capabilites */
 
++	char name[50];
 
+ 
+ 	if (size != xsh_sizeof) {
 
+ 		if (file_printf(ms, ", corrupted section header size") == -1)
 
+@@ -865,12 +862,19 @@ doshn(struct magic_set *ms, int clazz, int swap, int fd, off_t off, int num,
 
+ 		return 0;
 
+ 	}
 
+ 
++	/* Save offset of name section to be able to read section names later */
 
++	name_off = off * size * strtab;
 
++	/* Read the name of this section. */
 
++	if (pread(fd, name, sizeof(name), name_off + xsh_name) == -1) {
 
++		file_badread(ms);
 
++		return -1;
 
++	}
 
++	name[sizeof(name) - 1] = '\0';
 
++	if (strcmp(name, ".debug_info") == 0)
 
++		stripped = 0;
 
++
 
+ 	for ( ; num; num--) {
 
+-		if (lseek(fd, off, SEEK_SET) == (off_t)-1) {
 
+-			file_badseek(ms);
 
+-			return -1;
 
+-		}
 
+-		if (read(fd, xsh_addr, xsh_sizeof) == -1) {
 
++		if (pread(fd, xsh_addr, xsh_sizeof, off) == -1) {
 
+ 			file_badread(ms);
 
+ 			return -1;
 
+ 		}
 
+@@ -895,31 +899,23 @@ doshn(struct magic_set *ms, int clazz, int swap, int fd, off_t off, int num,
 
+ 		/* Things we can determine when we seek */
 
+ 		switch (xsh_type) {
 
+ 		case SHT_NOTE:
 
+-			if ((nbuf = malloc((size_t)xsh_size)) == NULL) {
 
++			if ((nbuf = malloc(xsh_size)) == NULL) {
 
+ 				file_error(ms, errno, "Cannot allocate memory"
 
+ 				    " for note");
 
+ 				return -1;
 
+ 			}
 
+-			if ((noff = lseek(fd, (off_t)xsh_offset, SEEK_SET)) ==
 
+-			    (off_t)-1) {
 
++			if (pread(fd, nbuf, xsh_size, xsh_offset) == -1) {
 
+ 				file_badread(ms);
 
+ 				free(nbuf);
 
+ 				return -1;
 
+ 			}
 
+-			if (read(fd, nbuf, (size_t)xsh_size) !=
 
+-			    (ssize_t)xsh_size) {
 
+-				free(nbuf);
 
+-				file_badread(ms);
 
+-				return -1;
 
+-			}
 
+ 
+ 			noff = 0;
 
+ 			for (;;) {
 
+ 				if (noff >= (off_t)xsh_size)
 
+ 					break;
 
+ 				noff = donote(ms, nbuf, (size_t)noff,
 
+-				    (size_t)xsh_size, clazz, swap, 4,
 
+-				    flags);
 
++				    xsh_size, clazz, swap, 4, flags);
 
+ 				if (noff == 0)
 
+ 					break;
 
+ 			}
 
+@@ -1049,7 +1045,7 @@ dophn_exec(struct magic_set *ms, int clazz, int swap, int fd, off_t off,
 
+ 	const char *shared_libraries = "";
 
+ 	unsigned char nbuf[BUFSIZ];
 
+ 	ssize_t bufsize;
 
+-	size_t offset, align;
 
++	size_t offset, align, len;
 
+ 	
+ 	if (size != xph_sizeof) {
 
+ 		if (file_printf(ms, ", corrupted program header size") == -1)
 
+@@ -1058,13 +1054,8 @@ dophn_exec(struct magic_set *ms, int clazz, int swap, int fd, off_t off,
 
+ 	}
 
+ 
+   	for ( ; num; num--) {
 
+-		if (lseek(fd, off, SEEK_SET) == (off_t)-1) {
 
+-			file_badseek(ms);
 
+-			return -1;
 
+-		}
 
+-
 
+-  		if (read(fd, xph_addr, xph_sizeof) == -1) {
 
+-  			file_badread(ms);
 
++		if (pread(fd, xph_addr, xph_sizeof, off) == -1) {
 
++			file_badread(ms);
 
+ 			return -1;
 
+ 		}
 
+ 
+@@ -1102,12 +1093,9 @@ dophn_exec(struct magic_set *ms, int clazz, int swap, int fd, off_t off,
 
+ 			 * This is a PT_NOTE section; loop through all the notes
 
+ 			 * in the section.
 
+ 			 */
 
+-			if (lseek(fd, xph_offset, SEEK_SET) == (off_t)-1) {
 
+-				file_badseek(ms);
 
+-				return -1;
 
+-			}
 
+-			bufsize = read(fd, nbuf, ((xph_filesz < sizeof(nbuf)) ?
 
+-			    xph_filesz : sizeof(nbuf)));
 
++			len = xph_filesz < sizeof(nbuf) ? xph_filesz
 
++			    : sizeof(nbuf);
 
++			bufsize = pread(fd, nbuf, len, xph_offset);
 
+ 			if (bufsize == -1) {
 
+ 				file_badread(ms);
 
+ 				return -1;

+ 26 - 0
debian/patches/TEMP-0000000-B67840.10.dddd3cd.patch
View File 

@@ -0,0 +1,26 @@
 
+Subject: Fix parameter options
 
+Upstream-Author: Christos Zoulas <christos@zoulas.com>
 
+Date: Thu Dec 11 01:26:41 2014 +0000
 
+Origin: FILE5_21 [dddd3cd]
 
+Last-Update: 2015-01-05
 
+
 
+(prequisite for TEMP-0000000-B67840)
 
+
 
+diff --git a/src/file_opts.h b/src/file_opts.h
 
+index 4245447..fc57dc3 100644
 
+--- a/src/file_opts.h
 
++++ b/src/file_opts.h
 
+@@ -43,8 +43,12 @@ OPT('0', "print0", 0, "               terminate filenames with ASCII NUL\n")
 
+ #if defined(HAVE_UTIME) || defined(HAVE_UTIMES)
 
+ OPT('p', "preserve-date", 0, "        preserve access times on files\n")
 
+ #endif
 
++OPT('P', "parameter", 0, "            set file engine parameter limits\n"
 
++    "                               indir        15 recursion limit for indirection\n"
 
++    "                               name         30 use limit for name/use magic\n"
 
++    "                               elf_phnum   128 max ELF prog sections processed\n"
 
++    "                               elf_shnum 32768 max ELF sections processed\n")
 
+ OPT('r', "raw", 0, "                  don't translate unprintable chars to \\ooo\n")
 
+-OPT('R', "recursion", 0, "            set maximum recursion level\n")
 
+ OPT('s', "special-files", 0, "        treat special (block/char devices) files as\n"
 
+     "                             ordinary ones\n")
 
+ OPT('C', "compile", 0, "              compile file specified by -m\n")

+ 56 - 0
debian/patches/TEMP-0000000-B67840.11.445c8fb.patch
View File 

@@ -0,0 +1,56 @@
 
+Subject: Bail out on partial reads, from Alexander Cherepanov
 
+Upstream-Author: Christos Zoulas <christos@zoulas.com>
 
+Date: Tue Dec 16 20:53:05 2014 +0000
 
+Origin: FILE5_21-10-g445c8fb
 
+Last-Update: 2015-01-05
 
+
 
+(prequisite for TEMP-0000000-B67840)
 
+
 
+diff --git a/src/readelf.c b/src/readelf.c
 
+index fd4a19f..544c22b 100644
 
+--- a/src/readelf.c
 
++++ b/src/readelf.c
 
+@@ -327,7 +327,7 @@ dophn_core(struct magic_set *ms, int clazz, int swap, int fd, off_t off,
 
+ 	 * Loop through all the program headers.
 
+ 	 */
 
+ 	for ( ; num; num--) {
 
+-		if (pread(fd, xph_addr, xph_sizeof, off) == -1) {
 
++		if (pread(fd, xph_addr, xph_sizeof, off) < (ssize_t)xph_sizeof) {
 
+ 			file_badread(ms);
 
+ 			return -1;
 
+ 		}
 
+@@ -930,6 +930,7 @@ doshn(struct magic_set *ms, int clazz, int swap, int fd, off_t off, int num,
 
+ 	uint64_t cap_hw1 = 0;	/* SunOS 5.x hardware capabilites */
 
+ 	uint64_t cap_sf1 = 0;	/* SunOS 5.x software capabilites */
 
+ 	char name[50];
 
++	ssize_t namesize;
 
+ 
+ 	if (size != xsh_sizeof) {
 
+ 		if (file_printf(ms, ", corrupted section header size") == -1)
 
+@@ -949,7 +950,7 @@ doshn(struct magic_set *ms, int clazz, int swap, int fd, off_t off, int num,
 
+ 		stripped = 0;
 
+ 
+ 	for ( ; num; num--) {
 
+-		if (pread(fd, xsh_addr, xsh_sizeof, off) == -1) {
 
++		if (pread(fd, xsh_addr, xsh_sizeof, off) < (ssize_t)xsh_sizeof) {
 
+ 			file_badread(ms);
 
+ 			return -1;
 
+ 		}
 
+@@ -979,7 +980,7 @@ doshn(struct magic_set *ms, int clazz, int swap, int fd, off_t off, int num,
 
+ 				    " for note");
 
+ 				return -1;
 
+ 			}
 
+-			if (pread(fd, nbuf, xsh_size, xsh_offset) == -1) {
 
++			if (pread(fd, nbuf, xsh_size, xsh_offset) < (ssize_t)xsh_size) {
 
+ 				file_badread(ms);
 
+ 				free(nbuf);
 
+ 				return -1;
 
+@@ -1133,7 +1134,7 @@ dophn_exec(struct magic_set *ms, int clazz, int swap, int fd, off_t off,
 
+ 	}
 
+ 
+   	for ( ; num; num--) {
 
+-		if (pread(fd, xph_addr, xph_sizeof, off) == -1) {
 
++		if (pread(fd, xph_addr, xph_sizeof, off) < (ssize_t)xph_sizeof) {
 
+ 			file_badread(ms);
 
+ 			return -1;
 
+ 		}

+ 799 - 0
debian/patches/TEMP-0000000-B67840.12.ce90e05.patch
View File 

@@ -0,0 +1,799 @@
 
+Subject: Add a limit to the number of ELF notes processed (Suggested by Alexander (...)
 
+ID: TEMP-0000000-B67840
 
+Upstream-Author: Christos Zoulas <christos@zoulas.com>
 
+Date: Tue Dec 16 23:18:40 2014 +0000
 
+Origin: FILE5_21-12-gce90e05
 
+Last-Update: 2015-01-05
 
+
 
+    - Add a limit to the number of ELF notes processed (Suggested by Alexander
 
+      Cherepanov)
 
+    - Restructure ELF note printing so that we don't print the same message
 
+      multiple times on repeated notes of the same kind.
 
+
 
+diff --git a/doc/file.man b/doc/file.man
 
+index dd80d08..1db1660 100644
 
+--- a/doc/file.man
 
++++ b/doc/file.man
 
+@@ -297,6 +297,7 @@ Set various parameter limits.
 
+ .It Sy "Name" Ta Sy "Default" Ta Sy "Explanation"
 
+ .It Li indir Ta 15 Ta recursion limit for indirect magic
 
+ .It Li name Ta 30 Ta use count limit for name/use magic
 
++.It Li elf_notes Ta 256 Ta max ELF notes processed
 
+ .It Li elf_phnum Ta 128 Ta max ELF program sections processed
 
+ .It Li elf_shnum Ta 32768 Ta max ELF sections processed
 
+ .El
 
+diff --git a/doc/libmagic.man b/doc/libmagic.man
 
+index d45e3c8..cd9b57c 100644
 
+--- a/doc/libmagic.man
 
++++ b/doc/libmagic.man
 
+@@ -262,6 +262,7 @@ library.
 
+ .It Sy "Parameter" Ta Sy "Type" Ta Sy "Default"
 
+ .It Li MAGIC_PARAM_INDIR_MAX Ta size_t Ta 15
 
+ .It Li MAGIC_PARAM_NAME_MAX Ta size_t Ta 30
 
++.It Li MAGIC_PARAM_ELF_NOTES_MAX Ta size_t Ta 256
 
+ .It Li MAGIC_PARAM_ELF_PHNUM_MAX Ta size_t Ta 128
 
+ .It Li MAGIC_PARAM_ELF_SHNUM_MAX Ta size_t Ta 32768
 
+ .El
 
+@@ -281,8 +282,12 @@ The
 
+ parameter controls the maximum number of calls for name/use.
 
+ .Pp
 
+ The
 
++.Dv MAGIC_PARAM_NOTES_MAX
 
++parameter controls how many ELF notes will be processed.
 
++.Pp
 
++The
 
+ .Dv MAGIC_PARAM_PHNUM_MAX
 
+-parameter controls how many elf program sections will be processed.
 
++parameter controls how many ELF program sections will be processed.
 
+ .Pp
 
+ The
 
+ .Dv MAGIC_PARAM_SHNUM_MAX
 
+diff --git a/src/elfclass.h b/src/elfclass.h
 
+index e144d11..5360b0b 100644
 
+--- a/src/elfclass.h
 
++++ b/src/elfclass.h
 
+@@ -32,17 +32,18 @@
 
+ 	swap = (u.c[sizeof(int32_t) - 1] + 1) != elfhdr.e_ident[EI_DATA];
 
+ 
+ 	type = elf_getu16(swap, elfhdr.e_type);
 
++	notecount = ms->elf_notes_max;
 
+ 	switch (type) {
 
+ #ifdef ELFCORE
 
+ 	case ET_CORE:
 
+ 		phnum = elf_getu16(swap, elfhdr.e_phnum);
 
+ 		if (phnum > ms->elf_phnum_max)
 
+-			return toomany(ms, "program", phnum);
 
++			return toomany(ms, "program headers", phnum);
 
+ 		flags |= FLAGS_IS_CORE;
 
+ 		if (dophn_core(ms, clazz, swap, fd,
 
+ 		    (off_t)elf_getu(swap, elfhdr.e_phoff), phnum,
 
+ 		    (size_t)elf_getu16(swap, elfhdr.e_phentsize),
 
+-		    fsize, &flags) == -1)
 
++		    fsize, &flags, &notecount) == -1)
 
+ 			return -1;
 
+ 		break;
 
+ #endif
 
+@@ -57,22 +58,25 @@
 
+ 		if (dophn_exec(ms, clazz, swap, fd,
 
+ 		    (off_t)elf_getu(swap, elfhdr.e_phoff), phnum,
 
+ 		    (size_t)elf_getu16(swap, elfhdr.e_phentsize),
 
+-		    fsize, &flags, shnum) == -1)
 
++		    fsize, shnum, &flags, &notecount) == -1)
 
+ 			return -1;
 
+ 		/*FALLTHROUGH*/
 
+ 	case ET_REL:
 
+ 		shnum = elf_getu16(swap, elfhdr.e_shnum);
 
+ 		if (shnum > ms->elf_shnum_max)
 
+-			return toomany(ms, "section", shnum);
 
++			return toomany(ms, "section headers", shnum);
 
+ 		if (doshn(ms, clazz, swap, fd,
 
+ 		    (off_t)elf_getu(swap, elfhdr.e_shoff), shnum,
 
+ 		    (size_t)elf_getu16(swap, elfhdr.e_shentsize),
 
+-		    fsize, &flags, elf_getu16(swap, elfhdr.e_machine),
 
+-		    (int)elf_getu16(swap, elfhdr.e_shstrndx)) == -1)
 
++		    fsize, elf_getu16(swap, elfhdr.e_machine),
 
++		    (int)elf_getu16(swap, elfhdr.e_shstrndx),
 
++		    &flags, &notecount) == -1)
 
+ 			return -1;
 
+ 		break;
 
+ 
+ 	default:
 
+ 		break;
 
+ 	}
 
++	if (notecount == 0)
 
++		return toomany(ms, "notes", ms->elf_notes_max);
 
+ 	return 1;
 
+diff --git a/src/file.c b/src/file.c
 
+index 5ce08aa..f3d98aa 100644
 
+--- a/src/file.c
 
++++ b/src/file.c
 
+@@ -128,6 +128,7 @@ private struct {
 
+ 	{ "name",	MAGIC_PARAM_NAME_MAX, 0 },
 
+ 	{ "elf_phnum",	MAGIC_PARAM_ELF_PHNUM_MAX, 0 },
 
+ 	{ "elf_shnum",	MAGIC_PARAM_ELF_SHNUM_MAX, 0 },
 
++	{ "elf_notes",	MAGIC_PARAM_ELF_NOTES_MAX, 0 },
 
+ };
 
+ 
+ private char *progname;		/* used throughout 		*/
 
+diff --git a/src/file.h b/src/file.h
 
+index 67331e0..68e22a4 100644
 
+--- a/src/file.h
 
++++ b/src/file.h
 
+@@ -384,10 +384,12 @@ struct magic_set {
 
+ 	uint16_t name_max;
 
+ 	uint16_t elf_shnum_max;
 
+ 	uint16_t elf_phnum_max;
 
++	uint16_t elf_notes_max;
 
+ #define	FILE_INDIR_MAX			15
 
+ #define	FILE_NAME_MAX			30
 
+ #define	FILE_ELF_SHNUM_MAX		32768
 
+ #define	FILE_ELF_PHNUM_MAX		128
 
++#define	FILE_ELF_NOTES_MAX		256
 
+ };
 
+ 
+ /* Type for Unicode characters */
 
+diff --git a/src/file_opts.h b/src/file_opts.h
 
+index fc57dc3..9da9796 100644
 
+--- a/src/file_opts.h
 
++++ b/src/file_opts.h
 
+@@ -46,6 +46,7 @@ OPT('p', "preserve-date", 0, "        preserve access times on files\n")
 
+ OPT('P', "parameter", 0, "            set file engine parameter limits\n"
 
+     "                               indir        15 recursion limit for indirection\n"
 
+     "                               name         30 use limit for name/use magic\n"
 
++    "                               elf_notes   256 max ELF notes processed\n"
 
+     "                               elf_phnum   128 max ELF prog sections processed\n"
 
+     "                               elf_shnum 32768 max ELF sections processed\n")
 
+ OPT('r', "raw", 0, "                  don't translate unprintable chars to \\ooo\n")
 
+diff --git a/src/magic.c b/src/magic.c
 
+index 3aa3474..e97c78f 100644
 
+--- a/src/magic.c
 
++++ b/src/magic.c
 
+@@ -237,6 +237,7 @@ magic_open(int flags)
 
+ 	ms->name_max = FILE_NAME_MAX;
 
+ 	ms->elf_shnum_max = FILE_ELF_SHNUM_MAX;
 
+ 	ms->elf_phnum_max = FILE_ELF_PHNUM_MAX;
 
++	ms->elf_notes_max = FILE_ELF_NOTES_MAX;
 
+ 	return ms;
 
+ free:
 
+ 	free(ms);
 
+@@ -532,6 +533,9 @@ magic_setparam(struct magic_set *ms, int param, const void *val)
 
+ 	case MAGIC_PARAM_ELF_SHNUM_MAX:
 
+ 		ms->elf_shnum_max = *(const size_t *)val;
 
+ 		return 0;
 
++	case MAGIC_PARAM_ELF_NOTES_MAX:
 
++		ms->elf_notes_max = *(const size_t *)val;
 
++		return 0;
 
+ 	default:
 
+ 		errno = EINVAL;
 
+ 		return -1;
 
+@@ -554,6 +558,9 @@ magic_getparam(struct magic_set *ms, int param, void *val)
 
+ 	case MAGIC_PARAM_ELF_SHNUM_MAX:
 
+ 		*(size_t *)val = ms->elf_shnum_max;
 
+ 		return 0;
 
++	case MAGIC_PARAM_ELF_NOTES_MAX:
 
++		*(size_t *)val = ms->elf_notes_max;
 
++		return 0;
 
+ 	default:
 
+ 		errno = EINVAL;
 
+ 		return -1;
 
+diff --git a/src/magic.h b/src/magic.h
 
+index 4aec3c5..ee2e7e8 100644
 
+--- a/src/magic.h
 
++++ b/src/magic.h
 
+@@ -103,6 +103,7 @@ int magic_errno(magic_t);
 
+ #define MAGIC_PARAM_NAME_MAX		1
 
+ #define MAGIC_PARAM_ELF_PHNUM_MAX	2
 
+ #define MAGIC_PARAM_ELF_SHNUM_MAX	3
 
++#define MAGIC_PARAM_ELF_NOTES_MAX	4
 
+ 
+ int magic_setparam(magic_t, int, const void *);
 
+ int magic_getparam(magic_t, int, void *);
 
+diff --git a/src/readelf.c b/src/readelf.c
 
+index 544c22b..e1cf692 100644
 
+--- a/src/readelf.c
 
++++ b/src/readelf.c
 
+@@ -43,14 +43,14 @@ FILE_RCSID("@(#)$File: readelf.c,v 1.90 2011/08/23 08:01:12 christos Exp $")
 
+ 
+ #ifdef	ELFCORE
 
+ private int dophn_core(struct magic_set *, int, int, int, off_t, int, size_t,
 
+-    off_t, int *);
 
++    off_t, int *, uint16_t *);
 
+ #endif
 
+ private int dophn_exec(struct magic_set *, int, int, int, off_t, int, size_t,
 
+-    off_t, int *, int);
 
++    off_t, int, int *, uint16_t *);
 
+ private int doshn(struct magic_set *, int, int, int, off_t, int, size_t,
 
+-    off_t, int *, int, int);
 
++    off_t, int, int, int *, uint16_t *);
 
+ private size_t donote(struct magic_set *, void *, size_t, size_t, int,
 
+-    int, size_t, int *);
 
++    int, size_t, int *, uint16_t *);
 
+ 
+ #define	ELF_ALIGN(a)	((((a) + align - 1) / align) * align)
 
+ 
+@@ -67,7 +67,7 @@ private uint64_t getu64(int, uint64_t);
 
+ private int
 
+ toomany(struct magic_set *ms, const char *name, uint16_t num)
 
+ {
 
+-	if (file_printf(ms, ", too many %s header sections (%u)", name, num
 
++	if (file_printf(ms, ", too many %s (%u)", name, num
 
+ 	    ) == -1)
 
+ 		return -1;
 
+ 	return 0;
 
+@@ -301,15 +301,19 @@ private const char os_style_names[][8] = {
 
+ 	"NetBSD",
 
+ };
 
+ 
+-#define FLAGS_DID_CORE		0x01
 
+-#define FLAGS_DID_NOTE		0x02
 
+-#define FLAGS_DID_BUILD_ID	0x04
 
+-#define FLAGS_DID_CORE_STYLE	0x08
 
+-#define FLAGS_IS_CORE		0x10
 
++#define FLAGS_DID_CORE			0x001
 
++#define FLAGS_DID_OS_NOTE		0x002
 
++#define FLAGS_DID_BUILD_ID		0x004
 
++#define FLAGS_DID_CORE_STYLE		0x008
 
++#define FLAGS_DID_NETBSD_PAX		0x010
 
++#define FLAGS_DID_NETBSD_MARCH		0x020
 
++#define FLAGS_DID_NETBSD_CMODEL		0x040
 
++#define FLAGS_DID_NETBSD_UNKNOWN	0x080
 
++#define FLAGS_IS_CORE			0x100
 
+ 
+ private int
 
+ dophn_core(struct magic_set *ms, int clazz, int swap, int fd, off_t off,
 
+-    int num, size_t size, off_t fsize, int *flags)
 
++    int num, size_t size, off_t fsize, int *flags, uint16_t *notecount)
 
+ {
 
+ 	Elf32_Phdr ph32;
 
+ 	Elf64_Phdr ph64;
 
+@@ -355,7 +359,7 @@ dophn_core(struct magic_set *ms, int clazz, int swap, int fd, off_t off,
 
+ 			if (offset >= (size_t)bufsize)
 
+ 				break;
 
+ 			offset = donote(ms, nbuf, offset, (size_t)bufsize,
 
+-			    clazz, swap, 4, flags);
 
++			    clazz, swap, 4, flags, notecount);
 
+ 			if (offset == 0)
 
+ 				break;
 
+ 
+@@ -485,127 +489,126 @@ do_note_freebsd_version(struct magic_set *ms, int swap, void *v)
 
+ 	}
 
+ }
 
+ 
+-private size_t
 
+-donote(struct magic_set *ms, void *vbuf, size_t offset, size_t size,
 
+-    int clazz, int swap, size_t align, int *flags)
 
++private int
 
++do_bid_note(struct magic_set *ms, unsigned char *nbuf, uint32_t type,
 
++    int swap __attribute__((__unused__)), uint32_t namesz, uint32_t descsz,
 
++    size_t noff, size_t doff, int *flags)
 
+ {
 
+-	Elf32_Nhdr nh32;
 
+-	Elf64_Nhdr nh64;
 
+-	size_t noff, doff;
 
+-#ifdef ELFCORE
 
+-	int os_style = -1;
 
+-#endif
 
+-	uint32_t namesz, descsz;
 
+-	unsigned char *nbuf = CAST(unsigned char *, vbuf);
 
+-
 
+-	if (xnh_sizeof + offset > size) {
 
+-		/*
 
+-		 * We're out of note headers.
 
+-		 */
 
+-		return xnh_sizeof + offset;
 
+-	}
 
+-
 
+-	(void)memcpy(xnh_addr, &nbuf[offset], xnh_sizeof);
 
+-	offset += xnh_sizeof;
 
+-
 
+-	namesz = xnh_namesz;
 
+-	descsz = xnh_descsz;
 
+-	if ((namesz == 0) && (descsz == 0)) {
 
+-		/*
 
+-		 * We're out of note headers.
 
+-		 */
 
+-		return (offset >= size) ? offset : size;
 
+-	}
 
+-
 
+-	if (namesz & 0x80000000) {
 
+-	    (void)file_printf(ms, ", bad note name size 0x%lx",
 
+-		(unsigned long)namesz);
 
+-	    return 0;
 
+-	}
 
+-
 
+-	if (descsz & 0x80000000) {
 
+-	    (void)file_printf(ms, ", bad note description size 0x%lx",
 
+-		(unsigned long)descsz);
 
+-	    return 0;
 
+-	}
 
+-
 
+-
 
+-	noff = offset;
 
+-	doff = ELF_ALIGN(offset + namesz);
 
+-
 
+-	if (offset + namesz > size) {
 
+-		/*
 
+-		 * We're past the end of the buffer.
 
+-		 */
 
+-		return doff;
 
++	if (namesz == 4 && strcmp((char *)&nbuf[noff], "GNU") == 0 &&
 
++	    type == NT_GNU_BUILD_ID && (descsz == 16 || descsz == 20)) {
 
++		uint32_t desc[5], i;
 
++		*flags |= FLAGS_DID_BUILD_ID;
 
++		if (file_printf(ms, ", BuildID[%s]=0x", descsz == 16 ? "md5/uuid" :
 
++		    "sha1") == -1)
 
++			return 1;
 
++		(void)memcpy(desc, &nbuf[doff], descsz);
 
++		for (i = 0; i < descsz >> 2; i++)
 
++		    if (file_printf(ms, "%.8x", desc[i]) == -1)
 
++			return 1;
 
++		return 1;
 
+ 	}
 
++	return 0;
 
++}
 
+ 
+-	offset = ELF_ALIGN(doff + descsz);
 
+-	if (doff + descsz > size) {
 
+-		/*
 
+-		 * We're past the end of the buffer.
 
+-		 */
 
+-		return (offset >= size) ? offset : size;
 
++private int
 
++do_os_note(struct magic_set *ms, unsigned char *nbuf, uint32_t type,
 
++    int swap, uint32_t namesz, uint32_t descsz,
 
++    size_t noff, size_t doff, int *flags)
 
++{
 
++	if (namesz == 5 && strcmp((char *)&nbuf[noff], "SuSE") == 0 &&
 
++	    type == NT_GNU_VERSION && descsz == 2) {
 
++	    *flags |= FLAGS_DID_OS_NOTE;
 
++	    file_printf(ms, ", for SuSE %d.%d", nbuf[doff], nbuf[doff + 1]);
 
++	    return 1;
 
+ 	}
 
+ 
+-	if ((*flags & (FLAGS_DID_NOTE|FLAGS_DID_BUILD_ID)) ==
 
+-	    (FLAGS_DID_NOTE|FLAGS_DID_BUILD_ID))
 
+-		goto core;
 
+-
 
+ 	if (namesz == 4 && strcmp((char *)&nbuf[noff], "GNU") == 0 &&
 
+-	    xnh_type == NT_GNU_VERSION && descsz == 16) {
 
++	    type == NT_GNU_VERSION && descsz == 16) {
 
+ 		uint32_t desc[4];
 
+ 		(void)memcpy(desc, &nbuf[doff], sizeof(desc));
 
+ 
++		*flags |= FLAGS_DID_OS_NOTE;
 
+ 		if (file_printf(ms, ", for GNU/") == -1)
 
+-			return size;
 
++			return 1;
 
+ 		switch (elf_getu32(swap, desc[0])) {
 
+ 		case GNU_OS_LINUX:
 
+ 			if (file_printf(ms, "Linux") == -1)
 
+-				return size;
 
++				return 1;
 
+ 			break;
 
+ 		case GNU_OS_HURD:
 
+ 			if (file_printf(ms, "Hurd") == -1)
 
+-				return size;
 
++				return 1;
 
+ 			break;
 
+ 		case GNU_OS_SOLARIS:
 
+ 			if (file_printf(ms, "Solaris") == -1)
 
+-				return size;
 
++				return 1;
 
+ 			break;
 
+ 		case GNU_OS_KFREEBSD:
 
+ 			if (file_printf(ms, "kFreeBSD") == -1)
 
+-				return size;
 
++				return 1;
 
+ 			break;
 
+ 		case GNU_OS_KNETBSD:
 
+ 			if (file_printf(ms, "kNetBSD") == -1)
 
+-				return size;
 
++				return 1;
 
+ 			break;
 
+ 		default:
 
+ 			if (file_printf(ms, "<unknown>") == -1)
 
+-				return size; 
++				return 1; 
+ 		}
 
+ 		if (file_printf(ms, " %d.%d.%d", elf_getu32(swap, desc[1]),
 
+ 		    elf_getu32(swap, desc[2]), elf_getu32(swap, desc[3])) == -1)
 
+-			return size;
 
+-		*flags |= FLAGS_DID_NOTE;
 
+-		return size;
 
++			return 1;
 
++		return 1;
 
+ 	}
 
+ 
+-	if (namesz == 4 && strcmp((char *)&nbuf[noff], "GNU") == 0 &&
 
+-	    xnh_type == NT_GNU_BUILD_ID && (descsz == 16 || descsz == 20)) {
 
+-	    uint32_t desc[5], i;
 
+-	    if (file_printf(ms, ", BuildID[%s]=0x", descsz == 16 ? "md5/uuid" :
 
+-		"sha1") == -1)
 
+-		    return size;
 
+-	    (void)memcpy(desc, &nbuf[doff], descsz);
 
+-	    for (i = 0; i < descsz >> 2; i++)
 
+-		if (file_printf(ms, "%.8x", desc[i]) == -1)
 
+-		    return size;
 
+-	    *flags |= FLAGS_DID_BUILD_ID;
 
++	if (namesz == 7 && strcmp((char *)&nbuf[noff], "NetBSD") == 0) {
 
++	    	if (type == NT_NETBSD_VERSION && descsz == 4) {
 
++			*flags |= FLAGS_DID_OS_NOTE;
 
++			do_note_netbsd_version(ms, swap, &nbuf[doff]);
 
++			return 1;
 
++		}
 
++	}
 
++
 
++	if (namesz == 8 && strcmp((char *)&nbuf[noff], "FreeBSD") == 0) {
 
++	    	if (type == NT_FREEBSD_VERSION && descsz == 4) {
 
++			*flags |= FLAGS_DID_OS_NOTE;
 
++			do_note_freebsd_version(ms, swap, &nbuf[doff]);
 
++			return 1;
 
++		}
 
+ 	}
 
+ 
++	if (namesz == 8 && strcmp((char *)&nbuf[noff], "OpenBSD") == 0 &&
 
++	    type == NT_OPENBSD_VERSION && descsz == 4) {
 
++		*flags |= FLAGS_DID_OS_NOTE;
 
++		if (file_printf(ms, ", for OpenBSD") == -1)
 
++			return 1;
 
++		/* Content of note is always 0 */
 
++		return 1;
 
++	}
 
++
 
++	if (namesz == 10 && strcmp((char *)&nbuf[noff], "DragonFly") == 0 &&
 
++	    type == NT_DRAGONFLY_VERSION && descsz == 4) {
 
++		uint32_t desc;
 
++		*flags |= FLAGS_DID_OS_NOTE;
 
++		if (file_printf(ms, ", for DragonFly") == -1)
 
++			return 1;
 
++		(void)memcpy(&desc, &nbuf[doff], sizeof(desc));
 
++		desc = elf_getu32(swap, desc);
 
++		if (file_printf(ms, " %d.%d.%d", desc / 100000,
 
++		    desc / 10000 % 10, desc % 10000) == -1)
 
++			return 1;
 
++		return 1;
 
++	}
 
++	return 0;
 
++}
 
++
 
++private int
 
++do_pax_note(struct magic_set *ms, unsigned char *nbuf, uint32_t type,
 
++    int swap, uint32_t namesz, uint32_t descsz,
 
++    size_t noff, size_t doff, int *flags)
 
++{
 
+ 	if (namesz == 4 && strcmp((char *)&nbuf[noff], "PaX") == 0 &&
 
+-	    xnh_type == NT_NETBSD_PAX && descsz == 4) {
 
++	    type == NT_NETBSD_PAX && descsz == 4) {
 
+ 		static const char *pax[] = {
 
+ 		    "+mprotect",
 
+ 		    "-mprotect",
 
+@@ -618,80 +621,32 @@ donote(struct magic_set *ms, void *vbuf, size_t offset, size_t size,
 
+ 		size_t i;
 
+ 		int did = 0;
 
+ 
++		*flags |= FLAGS_DID_NETBSD_PAX;
 
+ 		(void)memcpy(&desc, &nbuf[doff], sizeof(desc));
 
+ 		desc = elf_getu32(swap, desc);
 
+ 
+ 		if (desc && file_printf(ms, ", PaX: ") == -1)
 
+-			return size;
 
++			return 1;
 
+ 
+ 		for (i = 0; i < __arraycount(pax); i++) {
 
+ 			if (((1 << i) & desc) == 0)
 
+ 				continue;
 
+ 			if (file_printf(ms, "%s%s", did++ ? "," : "",
 
+ 			    pax[i]) == -1)
 
+-				return size;
 
+-		}
 
+-	}
 
+-
 
+-	if (namesz == 7 && strcmp((char *)&nbuf[noff], "NetBSD") == 0) {
 
+-		switch (xnh_type) {
 
+-		case NT_NETBSD_VERSION:
 
+-			if (descsz == 4) {
 
+-				do_note_netbsd_version(ms, swap, &nbuf[doff]);
 
+-				*flags |= FLAGS_DID_NOTE;
 
+-				return size;
 
+-			}
 
+-			break;
 
+-		case NT_NETBSD_MARCH:
 
+-			if (file_printf(ms, ", compiled for: %.*s", (int)descsz,
 
+-			    (const char *)&nbuf[doff]) == -1)
 
+-				return size;
 
+-			break;
 
+-		case NT_NETBSD_CMODEL:
 
+-			if (file_printf(ms, ", compiler model: %.*s",
 
+-			    (int)descsz, (const char *)&nbuf[doff]) == -1)
 
+-				return size;
 
+-			break;
 
+-		default:
 
+-			if (file_printf(ms, ", note=%u", xnh_type) == -1)
 
+-				return size;
 
+-			break;
 
++				return 1;
 
+ 		}
 
+-		return size;
 
+-	}
 
+-
 
+-	if (namesz == 8 && strcmp((char *)&nbuf[noff], "FreeBSD") == 0) {
 
+-	    	if (xnh_type == NT_FREEBSD_VERSION && descsz == 4) {
 
+-			do_note_freebsd_version(ms, swap, &nbuf[doff]);
 
+-			*flags |= FLAGS_DID_NOTE;
 
+-			return size;
 
+-		}
 
+-	}
 
+-
 
+-	if (namesz == 8 && strcmp((char *)&nbuf[noff], "OpenBSD") == 0 &&
 
+-	    xnh_type == NT_OPENBSD_VERSION && descsz == 4) {
 
+-		if (file_printf(ms, ", for OpenBSD") == -1)
 
+-			return size;
 
+-		/* Content of note is always 0 */
 
+-		*flags |= FLAGS_DID_NOTE;
 
+-		return size;
 
+-	}
 
+-
 
+-	if (namesz == 10 && strcmp((char *)&nbuf[noff], "DragonFly") == 0 &&
 
+-	    xnh_type == NT_DRAGONFLY_VERSION && descsz == 4) {
 
+-		uint32_t desc;
 
+-		if (file_printf(ms, ", for DragonFly") == -1)
 
+-			return size;
 
+-		(void)memcpy(&desc, &nbuf[doff], sizeof(desc));
 
+-		desc = elf_getu32(swap, desc);
 
+-		if (file_printf(ms, " %d.%d.%d", desc / 100000,
 
+-		    desc / 10000 % 10, desc % 10000) == -1)
 
+-			return size;
 
+-		*flags |= FLAGS_DID_NOTE;
 
+-		return size;
 
++		return 1;
 
+ 	}
 
++	return 0;
 
++}
 
+ 
+-core:
 
++private int
 
++do_core_note(struct magic_set *ms, unsigned char *nbuf, uint32_t type,
 
++    int swap, uint32_t namesz, uint32_t descsz,
 
++    size_t noff, size_t doff, int *flags, size_t size, int clazz)
 
++{
 
++#ifdef ELFCORE
 
++	int os_style = -1;
 
+ 	/*
 
+ 	 * Sigh.  The 2.0.36 kernel in Debian 2.1, at
 
+ 	 * least, doesn't correctly implement name
 
+@@ -720,20 +675,17 @@ core:
 
+ 		os_style = OS_STYLE_NETBSD;
 
+ 	}
 
+ 
+-#ifdef ELFCORE
 
+-	if ((*flags & FLAGS_DID_CORE) != 0)
 
+-		return size;
 
+-
 
+ 	if (os_style != -1 && (*flags & FLAGS_DID_CORE_STYLE) == 0) {
 
+ 		if (file_printf(ms, ", %s-style", os_style_names[os_style])
 
+ 		    == -1)
 
+-			return size;
 
++			return 1;
 
+ 		*flags |= FLAGS_DID_CORE_STYLE;
 
+ 	}
 
+ 
+ 	switch (os_style) {
 
+ 	case OS_STYLE_NETBSD:
 
+-		if (xnh_type == NT_NETBSD_CORE_PROCINFO) {
 
++		if (type == NT_NETBSD_CORE_PROCINFO) {
 
++			char sbuf[512];
 
+ 			uint32_t signo;
 
+ 			/*
 
+ 			 * Extract the program name.  It is at
 
+@@ -752,15 +704,14 @@ core:
 
+ 			    sizeof(signo));
 
+ 			if (file_printf(ms, " (signal %u)",
 
+ 			    elf_getu32(swap, signo)) == -1)
 
+-				return size;
 
++				return 1;
 
+ 			*flags |= FLAGS_DID_CORE;
 
+-			return size;
 
++			return 1;
 
+ 		}
 
+ 		break;
 
+ 
+ 	default:
 
+-		if (xnh_type == NT_PRPSINFO && *flags & FLAGS_IS_CORE) {
 
+-/*###709 [cc] warning: declaration of 'i' shadows previous non-variable%%%*/
 
++		if (type == NT_PRPSINFO && *flags & FLAGS_IS_CORE) {
 
+ 			size_t i, j;
 
+ 			unsigned char c;
 
+ 			/*
 
+@@ -828,7 +779,7 @@ core:
 
+ 				 * Try next offsets, in case this match is
 
+ 				 * in the middle of a string.
 
+ 				 */
 
+-				for (k = i + 1 ; k < NOFFSETS ; k++) {
 
++				for (k = i + 1 ; k < NOFFSETS; k++) {
 
+ 					size_t no;
 
+ 					int adjust = 1;
 
+ 					if (prpsoffsets(k) >= prpsoffsets(i))
 
+@@ -853,9 +804,9 @@ core:
 
+ 					cp--;
 
+ 				if (file_printf(ms, ", from '%.*s'",
 
+ 				    (int)(cp - cname), cname) == -1)
 
+-					return size;
 
++					return 1;
 
+ 				*flags |= FLAGS_DID_CORE;
 
+-				return size;
 
++				return 1;
 
+ 
+ 			tryanother:
 
+ 				;
 
+@@ -864,6 +815,124 @@ core:
 
+ 		break;
 
+ 	}
 
+ #endif
 
++	return 0;
 
++}
 
++
 
++private size_t
 
++donote(struct magic_set *ms, void *vbuf, size_t offset, size_t size,
 
++    int clazz, int swap, size_t align, int *flags, uint16_t *notecount)
 
++{
 
++	Elf32_Nhdr nh32;
 
++	Elf64_Nhdr nh64;
 
++	size_t noff, doff;
 
++	uint32_t namesz, descsz;
 
++	unsigned char *nbuf = CAST(unsigned char *, vbuf);
 
++
 
++	if (*notecount == 0)
 
++		return 0;
 
++	--*notecount;
 
++
 
++	if (xnh_sizeof + offset > size) {
 
++		/*
 
++		 * We're out of note headers.
 
++		 */
 
++		return xnh_sizeof + offset;
 
++	}
 
++
 
++	(void)memcpy(xnh_addr, &nbuf[offset], xnh_sizeof);
 
++	offset += xnh_sizeof;
 
++
 
++	namesz = xnh_namesz;
 
++	descsz = xnh_descsz;
 
++	if ((namesz == 0) && (descsz == 0)) {
 
++		/*
 
++		 * We're out of note headers.
 
++		 */
 
++		return (offset >= size) ? offset : size;
 
++	}
 
++
 
++	if (namesz & 0x80000000) {
 
++	    (void)file_printf(ms, ", bad note name size 0x%lx",
 
++		(unsigned long)namesz);
 
++	    return 0;
 
++	}
 
++
 
++	if (descsz & 0x80000000) {
 
++	    (void)file_printf(ms, ", bad note description size 0x%lx",
 
++		(unsigned long)descsz);
 
++	    return 0;
 
++	}
 
++
 
++	noff = offset;
 
++	doff = ELF_ALIGN(offset + namesz);
 
++
 
++	if (offset + namesz > size) {
 
++		/*
 
++		 * We're past the end of the buffer.
 
++		 */
 
++		return doff;
 
++	}
 
++
 
++	offset = ELF_ALIGN(doff + descsz);
 
++	if (doff + descsz > size) {
 
++		/*
 
++		 * We're past the end of the buffer.
 
++		 */
 
++		return (offset >= size) ? offset : size;
 
++	}
 
++
 
++	if ((*flags & FLAGS_DID_OS_NOTE) == 0) {
 
++		if (do_os_note(ms, nbuf, xnh_type, swap,
 
++		    namesz, descsz, noff, doff, flags))
 
++			return size;
 
++	}
 
++
 
++	if ((*flags & FLAGS_DID_BUILD_ID) == 0) {
 
++		if (do_bid_note(ms, nbuf, xnh_type, swap,
 
++		    namesz, descsz, noff, doff, flags))
 
++			return size;
 
++	}
 
++		
++	if ((*flags & FLAGS_DID_NETBSD_PAX) == 0) {
 
++		if (do_pax_note(ms, nbuf, xnh_type, swap,
 
++		    namesz, descsz, noff, doff, flags))
 
++			return size;
 
++	}
 
++
 
++	if ((*flags & FLAGS_DID_CORE) == 0) {
 
++		if (do_core_note(ms, nbuf, xnh_type, swap,
 
++		    namesz, descsz, noff, doff, flags, size, clazz))
 
++			return size;
 
++	}
 
++
 
++	if (namesz == 7 && strcmp((char *)&nbuf[noff], "NetBSD") == 0) {
 
++		switch (xnh_type) {
 
++	    	case NT_NETBSD_VERSION:
 
++			return size;
 
++		case NT_NETBSD_MARCH:
 
++			if (*flags & FLAGS_DID_NETBSD_MARCH)
 
++				return size;
 
++			if (file_printf(ms, ", compiled for: %.*s", (int)descsz,
 
++			    (const char *)&nbuf[doff]) == -1)
 
++				return size;
 
++			break;
 
++		case NT_NETBSD_CMODEL:
 
++			if (*flags & FLAGS_DID_NETBSD_CMODEL)
 
++				return size;
 
++			if (file_printf(ms, ", compiler model: %.*s",
 
++			    (int)descsz, (const char *)&nbuf[doff]) == -1)
 
++				return size;
 
++			break;
 
++		default:
 
++			if (*flags & FLAGS_DID_NETBSD_UNKNOWN)
 
++				return size;
 
++			if (file_printf(ms, ", note=%u", xnh_type) == -1)
 
++				return size;
 
++			break;
 
++		}
 
++		return size;
 
++	}
 
++
 
+ 	return offset;
 
+ }
 
+ 
+@@ -919,7 +988,8 @@ static const cap_desc_t cap_desc_386[] = {
 
+ 
+ private int
 
+ doshn(struct magic_set *ms, int clazz, int swap, int fd, off_t off, int num,
 
+-    size_t size, off_t fsize, int *flags, int mach, int strtab)
 
++    size_t size, off_t fsize, int mach, int strtab, int *flags,
 
++    uint16_t *notecount)
 
+ {
 
+ 	Elf32_Shdr sh32;
 
+ 	Elf64_Shdr sh64;
 
+@@ -991,7 +1061,7 @@ doshn(struct magic_set *ms, int clazz, int swap, int fd, off_t off, int num,
 
+ 				if (noff >= (off_t)xsh_size)
 
+ 					break;
 
+ 				noff = donote(ms, nbuf, (size_t)noff,
 
+-				    xsh_size, clazz, swap, 4, flags);
 
++				    xsh_size, clazz, swap, 4, flags, notecount);
 
+ 				if (noff == 0)
 
+ 					break;
 
+ 			}
 
+@@ -1117,7 +1187,8 @@ doshn(struct magic_set *ms, int clazz, int swap, int fd, off_t off, int num,
 
+  */
 
+ private int
 
+ dophn_exec(struct magic_set *ms, int clazz, int swap, int fd, off_t off,
 
+-    int num, size_t size, off_t fsize, int *flags, int sh_num)
 
++    int num, size_t size, off_t fsize, int sh_num, int *flags,
 
++    uint16_t *notecount)
 
+ {
 
+ 	Elf32_Phdr ph32;
 
+ 	Elf64_Phdr ph64;
 
+@@ -1186,7 +1257,7 @@ dophn_exec(struct magic_set *ms, int clazz, int swap, int fd, off_t off,
 
+ 					break;
 
+ 				offset = donote(ms, nbuf, offset,
 
+ 				    (size_t)bufsize, clazz, swap, align,
 
+-				    flags);
 
++				    flags, notecount);
 
+ 				if (offset == 0)
 
+ 					break;
 
+ 			}
 
+@@ -1217,7 +1288,7 @@ file_tryelf(struct magic_set *ms, int fd, const unsigned char *buf,
 
+ 	int flags = 0;
 
+ 	Elf32_Ehdr elf32hdr;
 
+ 	Elf64_Ehdr elf64hdr;
 
+-	uint16_t type, phnum, shnum;
 
++	uint16_t type, phnum, shnum, notecount;
 
+ 
+ 	if (ms->flags & (MAGIC_MIME|MAGIC_APPLE))
 
+ 		return 0;

+ 85 - 0
debian/patches/TEMP-0000000-B67840.2.9b5bdd7.patch
View File 

@@ -0,0 +1,85 @@
 
+Subject: Add PaX note
 
+Upstream-Author: Christos Zoulas <christos@zoulas.com>
 
+Date: Fri Sep 20 00:39:43 2013 +0000
 
+Origin: FILE5_14-67-g9b5bdd7
 
+Last-Update: 2015-01-05
 
+
 
+(prequisite for TEMP-0000000-B67840)
 
+
 
+diff --git a/src/readelf.c b/src/readelf.c
 
+index 314adb7..87c19a3 100644
 
+--- a/src/readelf.c
 
++++ b/src/readelf.c
 
+@@ -471,6 +471,36 @@ donote(struct magic_set *ms, void *vbuf, size_t offset, size_t size,
 
+ 	    *flags |= FLAGS_DID_BUILD_ID;
 
+ 	}
 
+ 
++	if (namesz == 4 && strcmp((char *)&nbuf[noff], "PaX") == 0 &&
 
++	    xnh_type == NT_NETBSD_PAX && descsz == 4) {
 
++		static const char *pax[] = {
 
++		    "+mprotect",
 
++		    "-mprotect",
 
++		    "+segvguard",
 
++		    "-segvguard",
 
++		    "+ASLR",
 
++		    "-ASLR",
 
++		};
 
++		uint32_t desc;
 
++		size_t i;
 
++		int did = 0;
 
++
 
++		(void)memcpy(&desc, &nbuf[doff], sizeof(desc));
 
++		desc = elf_getu32(swap, desc);
 
++
 
++		if (desc && file_printf(ms, ", PaX: ") == -1)
 
++			return size;
 
++
 
++		for (i = 0; i < __arraycount(pax); i++) {
 
++			if (((1 << i) & desc) == 0)
 
++				continue;
 
++			if (file_printf(ms, "%s%s", did++ ? "," : "",
 
++			    pax[i]) == -1)
 
++				return size;
 
++		}
 
++		*flags |= FLAGS_DID_BUILD_ID;
 
++	}
 
++
 
+ 	if (namesz == 7 && strcmp((char *)&nbuf[noff], "NetBSD") == 0 &&
 
+ 	    xnh_type == NT_NETBSD_VERSION && descsz == 4) {
 
+ 		uint32_t desc;
 
+@@ -687,6 +717,7 @@ core:
 
+ 
+ 	default:
 
+ 		if (xnh_type == NT_PRPSINFO && *flags & FLAGS_IS_CORE) {
 
++/*###709 [cc] warning: declaration of 'i' shadows previous non-variable%%%*/
 
+ 			size_t i, j;
 
+ 			unsigned char c;
 
+ 			/*
 
+diff --git a/src/readelf.h b/src/readelf.h
 
+index 4308e6a..df6955c 100644
 
+--- a/src/readelf.h
 
++++ b/src/readelf.h
 
+@@ -263,6 +263,23 @@ typedef struct {
 
+  */
 
+ #define	NT_GNU_BUILD_ID		3
 
+ 
++/*
 
++ * NetBSD-specific note type: PaX.
 
++ * There should be 1 NOTE per executable.
 
++ * name: PaX\0
 
++ * namesz: 4
 
++ * desc:
 
++ *	word[0]: capability bitmask
 
++ * descsz: 4
 
++ */
 
++#define NT_NETBSD_PAX		3
 
++#define NT_NETBSD_PAX_MPROTECT		0x01	/* Force enable Mprotect */
 
++#define NT_NETBSD_PAX_NOMPROTECT	0x02	/* Force disable Mprotect */
 
++#define NT_NETBSD_PAX_GUARD		0x04	/* Force enable Segvguard */
 
++#define NT_NETBSD_PAX_NOGUARD		0x08	/* Force disable Servguard */
 
++#define NT_NETBSD_PAX_ASLR		0x10	/* Force enable ASLR */
 
++#define NT_NETBSD_PAX_NOASLR		0x20	/* Force disable ASLR */
 
++
 
+ /* SunOS 5.x hardware/software capabilities */
 
+ typedef struct {
 
+ 	Elf32_Word	c_tag;

+ 334 - 0
debian/patches/TEMP-0000000-B67840.3.c8451af.patch
View File 

@@ -0,0 +1,334 @@
 
+Subject: Split netbsd and freebsd version printing into separate functions (...)
 
+Upstream-Author: Christos Zoulas <christos@zoulas.com>
 
+Date: Tue Nov 5 15:44:01 2013 +0000
 
+Origin: FILE5_15-9-gc8451af
 
+Last-Update: 2015-01-05
 
+
 
+    - split netbsd and freebsd version printing into separate functions
 
+    - don't let the NetBSD pax note end the search for notes
 
+    - add 2 more NetBSD notes
 
+
 
+(prequisite for TEMP-0000000-B67840)
 
+
 
+diff --git a/src/readelf.c b/src/readelf.c
 
+index 87c19a3..18dacdd 100644
 
+--- a/src/readelf.c
 
++++ b/src/readelf.c
 
+@@ -352,6 +352,126 @@ dophn_core(struct magic_set *ms, int clazz, int swap, int fd, off_t off,
 
+ }
 
+ #endif
 
+ 
++static void
 
++do_note_netbsd_version(struct magic_set *ms, int swap, void *v)
 
++{
 
++	uint32_t desc;
 
++	(void)memcpy(&desc, v, sizeof(desc));
 
++	desc = elf_getu32(swap, desc);
 
++
 
++	if (file_printf(ms, ", for NetBSD") == -1)
 
++		return;
 
++	/*
 
++	 * The version number used to be stuck as 199905, and was thus
 
++	 * basically content-free.  Newer versions of NetBSD have fixed
 
++	 * this and now use the encoding of __NetBSD_Version__:
 
++	 *
 
++	 *	MMmmrrpp00
 
++	 *
 
++	 * M = major version
 
++	 * m = minor version
 
++	 * r = release ["",A-Z,Z[A-Z] but numeric]
 
++	 * p = patchlevel
 
++	 */
 
++	if (desc > 100000000U) {
 
++		uint32_t ver_patch = (desc / 100) % 100;
 
++		uint32_t ver_rel = (desc / 10000) % 100;
 
++		uint32_t ver_min = (desc / 1000000) % 100;
 
++		uint32_t ver_maj = desc / 100000000;
 
++
 
++		if (file_printf(ms, " %u.%u", ver_maj, ver_min) == -1)
 
++			return;
 
++		if (ver_rel == 0 && ver_patch != 0) {
 
++			if (file_printf(ms, ".%u", ver_patch) == -1)
 
++				return;
 
++		} else if (ver_rel != 0) {
 
++			while (ver_rel > 26) {
 
++				if (file_printf(ms, "Z") == -1)
 
++					return;
 
++				ver_rel -= 26;
 
++			}
 
++			if (file_printf(ms, "%c", 'A' + ver_rel - 1)
 
++			    == -1)
 
++				return;
 
++		}
 
++	}
 
++}
 
++
 
++static void
 
++do_note_freebsd_version(struct magic_set *ms, int swap, void *v)
 
++{
 
++	uint32_t desc;
 
++
 
++	(void)memcpy(&desc, v, sizeof(desc));
 
++	desc = elf_getu32(swap, desc);
 
++	if (file_printf(ms, ", for FreeBSD") == -1)
 
++		return;
 
++
 
++	/*
 
++	 * Contents is __FreeBSD_version, whose relation to OS
 
++	 * versions is defined by a huge table in the Porter's
 
++	 * Handbook.  This is the general scheme:
 
++	 * 
++	 * Releases:
 
++	 * 	Mmp000 (before 4.10)
 
++	 * 	Mmi0p0 (before 5.0)
 
++	 * 	Mmm0p0
 
++	 * 
++	 * Development branches:
 
++	 * 	Mmpxxx (before 4.6)
 
++	 * 	Mmp1xx (before 4.10)
 
++	 * 	Mmi1xx (before 5.0)
 
++	 * 	M000xx (pre-M.0)
 
++	 * 	Mmm1xx
 
++	 * 
++	 * M = major version
 
++	 * m = minor version
 
++	 * i = minor version increment (491000 -> 4.10)
 
++	 * p = patchlevel
 
++	 * x = revision
 
++	 * 
++	 * The first release of FreeBSD to use ELF by default
 
++	 * was version 3.0.
 
++	 */
 
++	if (desc == 460002) {
 
++		if (file_printf(ms, " 4.6.2") == -1)
 
++			return;
 
++	} else if (desc < 460100) {
 
++		if (file_printf(ms, " %d.%d", desc / 100000,
 
++		    desc / 10000 % 10) == -1)
 
++			return;
 
++		if (desc / 1000 % 10 > 0)
 
++			if (file_printf(ms, ".%d", desc / 1000 % 10) == -1)
 
++				return;
 
++		if ((desc % 1000 > 0) || (desc % 100000 == 0))
 
++			if (file_printf(ms, " (%d)", desc) == -1)
 
++				return;
 
++	} else if (desc < 500000) {
 
++		if (file_printf(ms, " %d.%d", desc / 100000,
 
++		    desc / 10000 % 10 + desc / 1000 % 10) == -1)
 
++			return;
 
++		if (desc / 100 % 10 > 0) {
 
++			if (file_printf(ms, " (%d)", desc) == -1)
 
++				return;
 
++		} else if (desc / 10 % 10 > 0) {
 
++			if (file_printf(ms, ".%d", desc / 10 % 10) == -1)
 
++				return;
 
++		}
 
++	} else {
 
++		if (file_printf(ms, " %d.%d", desc / 100000,
 
++		    desc / 1000 % 100) == -1)
 
++			return;
 
++		if ((desc / 100 % 10 > 0) ||
 
++		    (desc % 100000 / 100 == 0)) {
 
++			if (file_printf(ms, " (%d)", desc) == -1)
 
++				return;
 
++		} else if (desc / 10 % 10 > 0) {
 
++			if (file_printf(ms, ".%d", desc / 10 % 10) == -1)
 
++				return;
 
++		}
 
++	}
 
++}
 
++
 
+ private size_t
 
+ donote(struct magic_set *ms, void *vbuf, size_t offset, size_t size,
 
+     int clazz, int swap, size_t align, int *flags)
 
+@@ -498,131 +618,41 @@ donote(struct magic_set *ms, void *vbuf, size_t offset, size_t size,
 
+ 			    pax[i]) == -1)
 
+ 				return size;
 
+ 		}
 
+-		*flags |= FLAGS_DID_BUILD_ID;
 
+ 	}
 
+ 
+-	if (namesz == 7 && strcmp((char *)&nbuf[noff], "NetBSD") == 0 &&
 
+-	    xnh_type == NT_NETBSD_VERSION && descsz == 4) {
 
+-		uint32_t desc;
 
+-		(void)memcpy(&desc, &nbuf[doff], sizeof(desc));
 
+-		desc = elf_getu32(swap, desc);
 
+-
 
+-		if (file_printf(ms, ", for NetBSD") == -1)
 
+-			return size;
 
+-		/*
 
+-		 * The version number used to be stuck as 199905, and was thus
 
+-		 * basically content-free.  Newer versions of NetBSD have fixed
 
+-		 * this and now use the encoding of __NetBSD_Version__:
 
+-		 *
 
+-		 *	MMmmrrpp00
 
+-		 *
 
+-		 * M = major version
 
+-		 * m = minor version
 
+-		 * r = release ["",A-Z,Z[A-Z] but numeric]
 
+-		 * p = patchlevel
 
+-		 */
 
+-		if (desc > 100000000U) {
 
+-			uint32_t ver_patch = (desc / 100) % 100;
 
+-			uint32_t ver_rel = (desc / 10000) % 100;
 
+-			uint32_t ver_min = (desc / 1000000) % 100;
 
+-			uint32_t ver_maj = desc / 100000000;
 
+-
 
+-			if (file_printf(ms, " %u.%u", ver_maj, ver_min) == -1)
 
++	if (namesz == 7 && strcmp((char *)&nbuf[noff], "NetBSD") == 0) {
 
++		switch (xnh_type) {
 
++		case NT_NETBSD_VERSION:
 
++			if (descsz == 4) {
 
++				do_note_netbsd_version(ms, swap, &nbuf[doff]);
 
++				*flags |= FLAGS_DID_NOTE;
 
+ 				return size;
 
+-			if (ver_rel == 0 && ver_patch != 0) {
 
+-				if (file_printf(ms, ".%u", ver_patch) == -1)
 
+-					return size;
 
+-			} else if (ver_rel != 0) {
 
+-				while (ver_rel > 26) {
 
+-					if (file_printf(ms, "Z") == -1)
 
+-						return size;
 
+-					ver_rel -= 26;
 
+-				}
 
+-				if (file_printf(ms, "%c", 'A' + ver_rel - 1)
 
+-				    == -1)
 
+-					return size;
 
+ 			}
 
++			break;
 
++		case NT_NETBSD_MARCH:
 
++			if (file_printf(ms, ", compiled for: %.*s", (int)descsz,
 
++			    (const char *)&nbuf[doff]) == -1)
 
++				return size;
 
++			break;
 
++		case NT_NETBSD_CMODEL:
 
++			if (file_printf(ms, ", compiler model: %.*s",
 
++			    (int)descsz, (const char *)&nbuf[doff]) == -1)
 
++				return size;
 
++			break;
 
++		default:
 
++			if (file_printf(ms, ", note=%u", xnh_type) == -1)
 
++				return size;
 
++			break;
 
+ 		}
 
+-		*flags |= FLAGS_DID_NOTE;
 
+ 		return size;
 
+ 	}
 
+ 
+-	if (namesz == 8 && strcmp((char *)&nbuf[noff], "FreeBSD") == 0 &&
 
+-	    xnh_type == NT_FREEBSD_VERSION && descsz == 4) {
 
+-		uint32_t desc;
 
+-		(void)memcpy(&desc, &nbuf[doff], sizeof(desc));
 
+-		desc = elf_getu32(swap, desc);
 
+-		if (file_printf(ms, ", for FreeBSD") == -1)
 
++	if (namesz == 8 && strcmp((char *)&nbuf[noff], "FreeBSD") == 0) {
 
++	    	if (xnh_type == NT_FREEBSD_VERSION && descsz == 4) {
 
++			do_note_freebsd_version(ms, swap, &nbuf[doff]);
 
++			*flags |= FLAGS_DID_NOTE;
 
+ 			return size;
 
+-
 
+-		/*
 
+-		 * Contents is __FreeBSD_version, whose relation to OS
 
+-		 * versions is defined by a huge table in the Porter's
 
+-		 * Handbook.  This is the general scheme:
 
+-		 * 
+-		 * Releases:
 
+-		 * 	Mmp000 (before 4.10)
 
+-		 * 	Mmi0p0 (before 5.0)
 
+-		 * 	Mmm0p0
 
+-		 * 
+-		 * Development branches:
 
+-		 * 	Mmpxxx (before 4.6)
 
+-		 * 	Mmp1xx (before 4.10)
 
+-		 * 	Mmi1xx (before 5.0)
 
+-		 * 	M000xx (pre-M.0)
 
+-		 * 	Mmm1xx
 
+-		 * 
+-		 * M = major version
 
+-		 * m = minor version
 
+-		 * i = minor version increment (491000 -> 4.10)
 
+-		 * p = patchlevel
 
+-		 * x = revision
 
+-		 * 
+-		 * The first release of FreeBSD to use ELF by default
 
+-		 * was version 3.0.
 
+-		 */
 
+-		if (desc == 460002) {
 
+-			if (file_printf(ms, " 4.6.2") == -1)
 
+-				return size;
 
+-		} else if (desc < 460100) {
 
+-			if (file_printf(ms, " %d.%d", desc / 100000,
 
+-			    desc / 10000 % 10) == -1)
 
+-				return size;
 
+-			if (desc / 1000 % 10 > 0)
 
+-				if (file_printf(ms, ".%d", desc / 1000 % 10)
 
+-				    == -1)
 
+-					return size;
 
+-			if ((desc % 1000 > 0) || (desc % 100000 == 0))
 
+-				if (file_printf(ms, " (%d)", desc) == -1)
 
+-					return size;
 
+-		} else if (desc < 500000) {
 
+-			if (file_printf(ms, " %d.%d", desc / 100000,
 
+-			    desc / 10000 % 10 + desc / 1000 % 10) == -1)
 
+-				return size;
 
+-			if (desc / 100 % 10 > 0) {
 
+-				if (file_printf(ms, " (%d)", desc) == -1)
 
+-					return size;
 
+-			} else if (desc / 10 % 10 > 0) {
 
+-				if (file_printf(ms, ".%d", desc / 10 % 10)
 
+-				    == -1)
 
+-					return size;
 
+-			}
 
+-		} else {
 
+-			if (file_printf(ms, " %d.%d", desc / 100000,
 
+-			    desc / 1000 % 100) == -1)
 
+-				return size;
 
+-			if ((desc / 100 % 10 > 0) ||
 
+-			    (desc % 100000 / 100 == 0)) {
 
+-				if (file_printf(ms, " (%d)", desc) == -1)
 
+-					return size;
 
+-			} else if (desc / 10 % 10 > 0) {
 
+-				if (file_printf(ms, ".%d", desc / 10 % 10)
 
+-				    == -1)
 
+-					return size;
 
+-			}
 
+ 		}
 
+-		*flags |= FLAGS_DID_NOTE;
 
+-		return size;
 
+ 	}
 
+ 
+ 	if (namesz == 8 && strcmp((char *)&nbuf[noff], "OpenBSD") == 0 &&
 
+diff --git a/src/readelf.h b/src/readelf.h
 
+index df6955c..9ada14d 100644
 
+--- a/src/readelf.h
 
++++ b/src/readelf.h
 
+@@ -280,6 +280,29 @@ typedef struct {
 
+ #define NT_NETBSD_PAX_ASLR		0x10	/* Force enable ASLR */
 
+ #define NT_NETBSD_PAX_NOASLR		0x20	/* Force disable ASLR */
 
+ 
++/*
 
++ * NetBSD-specific note type: MACHINE_ARCH.
 
++ * There should be 1 NOTE per executable.
 
++ * name:	NetBSD\0
 
++ * namesz:	7
 
++ * desc:	string
 
++ * descsz:	variable
 
++ */
 
++#define NT_NETBSD_MARCH		5
 
++
 
++/*
 
++ * NetBSD-specific note type: COMPILER MODEL.
 
++ * There should be 1 NOTE per executable.
 
++ * name:	NetBSD\0
 
++ * namesz:	7
 
++ * desc:	string
 
++ * descsz:	variable
 
++ */
 
++#define NT_NETBSD_CMODEL	6
 
++
 
++#if !defined(ELFSIZE) && defined(ARCH_ELFSIZE)
 
++#define ELFSIZE ARCH_ELFSIZE
 
++#endif
 
+ /* SunOS 5.x hardware/software capabilities */
 
+ typedef struct {
 
+ 	Elf32_Word	c_tag;

+ 23 - 0
debian/patches/TEMP-0000000-B67840.4.8a90571.patch
View File 

@@ -0,0 +1,23 @@
 
+Subject: Adjust limits better (from NetBSD)
 
+Upstream-Author: Christos Zoulas <christos@zoulas.com>
 
+Date: Thu Nov 27 15:16:00 2014 +0000
 
+Origin: FILE5_20-33-g8a90571
 
+Last-Update: 2015-01-05
 
+
 
+(prequisite for TEMP-0000000-B67840)
 
+
 
+diff --git a/src/readelf.c b/src/readelf.c
 
+index e0b252d..f6b6824 100644
 
+--- a/src/readelf.c
 
++++ b/src/readelf.c
 
+@@ -60,8 +60,8 @@ private uint16_t getu16(int, uint16_t);
 
+ private uint32_t getu32(int, uint32_t);
 
+ private uint64_t getu64(int, uint64_t);
 
+ 
+-#define MAX_PHNUM	256
 
+-#define	MAX_SHNUM	1024
 
++#define MAX_PHNUM	128
 
++#define	MAX_SHNUM	32768
 
+ 
+ private int
 
+ toomany(struct magic_set *ms, const char *name, uint16_t num)

+ 474 - 0
debian/patches/TEMP-0000000-B67840.5.6ce24f3.patch
View File 

@@ -0,0 +1,474 @@
 
+Subject: Kill -R and replace with -P param=value. Allow setting of 4 parameters: indir, name, shnum, phnum
 
+Upstream-Author: Christos Zoulas <christos@zoulas.com>
 
+Date: Thu Nov 27 23:42:58 2014 +0000
 
+Origin: FILE5_20-36-g6ce24f3
 
+Last-Update: 2015-01-05
 
+
 
+    Kill -R and replace with -P param=value. Allow setting of 4 parameters:
 
+    indir, name, shnum, phnum.
 
+
 
+(prequisite for TEMP-0000000-B67840)
 
+
 
+diff --git a/doc/file.man b/doc/file.man
 
+index f6c91e7..e4ce958 100644
 
+--- a/doc/file.man
 
++++ b/doc/file.man
 
+@@ -16,7 +16,7 @@
 
+ .Op Fl F Ar separator
 
+ .Op Fl f Ar namefile
 
+ .Op Fl m Ar magicfiles
 
+-.Op Fl R Ar maxrecursion
 
++.Op Fl P Ar name=value
 
+ .Ar
 
+ .Ek
 
+ .Nm
 
+@@ -291,16 +291,20 @@ or
 
+ attempt to preserve the access time of files analyzed, to pretend that
 
+ .Nm
 
+ never read them.
 
++.It Fl P , Fl Fl parameter Ar name=value
 
++Set various parameter limits.
 
++.Bl -column "indir" "Default" "XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX" -offset indent
 
++.It Sy "Name" Ta Sy "Default" Ta Sy "Explanation"
 
++.It Li indir Ta 15 Ta recursion limit for indirect magic
 
++.It Li name Ta 40 Ta recursion limit for name/use magic
 
++.It Li phnum Ta 128 Ta max ELF program sections processed
 
++.It Li shnum Ta 32768 Ta max ELF sections processed
 
++.El
 
+ .It Fl r , Fl Fl raw
 
+ Don't translate unprintable characters to \eooo.
 
+ Normally
 
+ .Nm
 
+ translates unprintable characters to their octal representation.
 
+-.It Fl R , Fl Fl recursion Ar maxlevel
 
+-Set the maximum recursion level for indirect type magic or name/use entry
 
+-invocations.
 
+-The default is
 
+-.Dv 15 .
 
+ .It Fl s , Fl Fl special-files
 
+ Normally,
 
+ .Nm
 
+diff --git a/doc/libmagic.man b/doc/libmagic.man
 
+index 0a2ed9a..ba06c9f 100644
 
+--- a/doc/libmagic.man
 
++++ b/doc/libmagic.man
 
+@@ -258,14 +258,31 @@ and
 
+ .Fn magic_setparam
 
+ allow getting and setting various limits related to the the magic
 
+ library.
 
+-.Bl -column "MAGIC_PARAM_MAX_RECURSION" "size_t" "Default" -offset indent
 
+-.It Sy "Parameter" Ta Sy "Type" Ta Sy "Default
 
+-.It Li MAGIC_PARAM_MAX_RECURSION Ta size_t Ta 15
 
++.Bl -column "MAGIC_PARAM_INDIR_RECURSION" "size_t" "Default" -offset indent
 
++.It Sy "Parameter" Ta Sy "Type" Ta Sy "Default"
 
++.It Li MAGIC_PARAM_INDIR_RECURSION Ta size_t Ta 15
 
++.It Li MAGIC_PARAM_NAME_RECURSION Ta size_t Ta 40
 
++.It Li MAGIC_PARAM_PHNUM_MAX Ta size_t Ta 128
 
++.It Li MAGIC_PARAM_SHNUM_MAX Ta size_t Ta 32768
 
+ .El
 
++.Pp
 
++The
 
++.Dv MAGIC_PARAM_INDIR_RECURSION
 
++parameter controls how many levels of recursion will be followed for
 
++indirect magic entries.
 
++.Pp
 
+ The
 
+-.Dv MAGIC_PARAM_MAX_RECURSION
 
++.Dv MAGIC_PARAM_NAME_RECURSION
 
+ parameter controls how many levels of recursion will be followed for
 
+-indirect magic entries or for name/use calls.
 
++for name/use calls.
 
++.Pp
 
++The
 
++.Dv MAGIC_PARAM_PHNUM_MAX
 
++parameter controls how many elf program sections will be processed.
 
++.Pp
 
++The
 
++.Dv MAGIC_PARAM_SHNUM_MAX
 
++parameter controls how many elf sections will be processed.
 
+ .Sh RETURN VALUES
 
+ The function
 
+ .Fn magic_open
 
+diff --git a/src/ascmagic.c b/src/ascmagic.c
 
+index 1c37e8e..9f4b012 100644
 
+--- a/src/ascmagic.c
 
++++ b/src/ascmagic.c
 
+@@ -147,7 +147,7 @@ file_ascmagic_with_encoding(struct magic_set *ms, const unsigned char *buf,
 
+ 		    == NULL)
 
+ 			goto done;
 
+ 		if ((rv = file_softmagic(ms, utf8_buf,
 
+-		    (size_t)(utf8_end - utf8_buf), 0, TEXTTEST, text)) == 0)
 
++		    (size_t)(utf8_end - utf8_buf), 0, 0, TEXTTEST, text)) == 0)
 
+ 			rv = -1;
 
+ 	}
 
+ 
+diff --git a/src/elfclass.h b/src/elfclass.h
 
+index 0826ce3..bda53b3 100644
 
+--- a/src/elfclass.h
 
++++ b/src/elfclass.h
 
+@@ -36,7 +36,7 @@
 
+ #ifdef ELFCORE
 
+ 	case ET_CORE:
 
+ 		phnum = elf_getu16(swap, elfhdr.e_phnum);
 
+-		if (phnum > MAX_PHNUM)
 
++		if (phnum > ms->phnum_max)
 
+ 			return toomany(ms, "program", phnum);
 
+ 		flags |= FLAGS_IS_CORE;
 
+ 		if (dophn_core(ms, clazz, swap, fd,
 
+@@ -49,10 +49,10 @@
 
+ 	case ET_EXEC:
 
+ 	case ET_DYN:
 
+ 		phnum = elf_getu16(swap, elfhdr.e_phnum);
 
+-		if (phnum > MAX_PHNUM)
 
++		if (phnum > ms->phnum_max)
 
+ 			return toomany(ms, "program", phnum);
 
+ 		shnum = elf_getu16(swap, elfhdr.e_shnum);
 
+-		if (shnum > MAX_SHNUM)
 
++		if (shnum > ms->shnum_max)
 
+ 			return toomany(ms, "section", shnum);
 
+ 		if (dophn_exec(ms, clazz, swap, fd,
 
+ 		    (off_t)elf_getu(swap, elfhdr.e_phoff), phnum,
 
+@@ -62,7 +62,7 @@
 
+ 		/*FALLTHROUGH*/
 
+ 	case ET_REL:
 
+ 		shnum = elf_getu16(swap, elfhdr.e_shnum);
 
+-		if (shnum > MAX_SHNUM)
 
++		if (shnum > ms->shnum_max)
 
+ 			return toomany(ms, "section", shnum);
 
+ 		if (doshn(ms, clazz, swap, fd,
 
+ 		    (off_t)elf_getu(swap, elfhdr.e_shoff), shnum,
 
+diff --git a/src/file.c b/src/file.c
 
+index 2f3cf9d..4bb3102 100644
 
+--- a/src/file.c
 
++++ b/src/file.c
 
+@@ -101,7 +101,7 @@ private const struct option long_options[] = {
 
+ #undef OPT_LONGONLY
 
+     {0, 0, NULL, 0}
 
+ };
 
+-#define OPTSTRING	"bcCde:f:F:hiklLm:nNprR:svz0"
 
++#define OPTSTRING	"bcCde:f:F:hiklLm:nNprP:rsvz0"
 
+ 
+ private const struct {
 
+ 	const char *name;
 
+@@ -119,6 +119,17 @@ private const struct {
 
+ 	{ "tokens",	MAGIC_NO_CHECK_TOKENS }, /* OBSOLETE: ignored for backwards compatibility */
 
+ };
 
+ 
++private struct {
 
++	const char *name;
 
++	int tag;
 
++	size_t value;
 
++} pm[] = {
 
++	{ "indir",	MAGIC_PARAM_INDIR_RECURSION, 0 },
 
++	{ "name",	MAGIC_PARAM_NAME_RECURSION, 0 },
 
++	{ "phnum",	MAGIC_PARAM_PHNUM_MAX, 0 },
 
++	{ "shnum",	MAGIC_PARAM_SHNUM_MAX, 0 },
 
++};
 
++
 
+ private char *progname;		/* used throughout 		*/
 
+ 
+ private void usage(void);
 
+@@ -128,6 +139,8 @@ int main(int, char *[]);
 
+ private int unwrap(struct magic_set *, const char *);
 
+ private int process(struct magic_set *ms, const char *, int);
 
+ private struct magic_set *load(const char *, int);
 
++private void setparam(const char *);
 
++private void applyparam(magic_t);
 
+ 
+ 
+ /*
 
+@@ -140,7 +153,6 @@ main(int argc, char *argv[])
 
+ 	size_t i;
 
+ 	int action = 0, didsomefiles = 0, errflg = 0;
 
+ 	int flags = 0, e = 0;
 
+-	size_t max_recursion = 0;
 
+ 	struct magic_set *magic = NULL;
 
+ 	int longindex;
 
+ 	const char *magicfile = NULL;		/* where the magic is	*/
 
+@@ -241,11 +253,12 @@ main(int argc, char *argv[])
 
+ 			flags |= MAGIC_PRESERVE_ATIME;
 
+ 			break;
 
+ #endif
 
++		case 'P':
 
++			setparam(optarg);
 
++			break;
 
+ 		case 'r':
 
+ 			flags |= MAGIC_RAW;
 
+ 			break;
 
+-		case 'R':
 
+-			max_recursion = atoi(optarg);
 
+ 			break;
 
+ 		case 's':
 
+ 			flags |= MAGIC_DEVICES;
 
+@@ -319,16 +332,7 @@ main(int argc, char *argv[])
 
+ 		if (magic == NULL)
 
+ 			if ((magic = load(magicfile, flags)) == NULL)
 
+ 				return 1;
 
+-		if (max_recursion) {
 
+-			if (magic_setparam(magic, MAGIC_PARAM_MAX_RECURSION,
 
+-			    &max_recursion) == -1) {
 
+-				(void)fprintf(stderr,
 
+-				    "%s: Can't set recurision %s\n", progname,
 
+-				    strerror(errno));
 
+-				return 1;
 
+-			}
 
+-		}
 
+-		break;
 
++		applyparam(magic);
 
+ 	}
 
+ 
+ 	if (optind == argc) {
 
+@@ -358,6 +362,41 @@ main(int argc, char *argv[])
 
+ 	return e;
 
+ }
 
+ 
++private void
 
++applyparam(magic_t magic)
 
++{
 
++	size_t i;
 
++
 
++	for (i = 0; i < __arraycount(pm); i++) {
 
++		if (pm[i].value == 0)
 
++			continue;
 
++		if (magic_setparam(magic, pm[i].tag, &pm[i].value) == -1) {
 
++			(void)fprintf(stderr, "%s: Can't set %s %s\n", progname,
 
++				pm[i].name, strerror(errno));
 
++			exit(1);
 
++		}
 
++	}
 
++}
 
++
 
++private void
 
++setparam(const char *p)
 
++{
 
++	size_t i;
 
++	char *s;
 
++
 
++	if ((s = strchr(p, '=')) == NULL)
 
++		goto badparm;
 
++
 
++	for (i = 0; i < __arraycount(pm); i++) {
 
++		if (strncmp(p, pm[i].name, s - p) != 0)
 
++			continue;
 
++		pm[i].value = atoi(s + 1);
 
++		return;
 
++	}
 
++badparm:
 
++	(void)fprintf(stderr, "%s: Unknown param %s\n", progname, p);
 
++	exit(1);
 
++}
 
+ 
+ private struct magic_set *
 
+ /*ARGSUSED*/
 
+diff --git a/src/file.h b/src/file.h
 
+index 71a3aeb..237bc4d 100644
 
+--- a/src/file.h
 
++++ b/src/file.h
 
+@@ -380,8 +380,14 @@ struct magic_set {
 
+ 	/* FIXME: Make the string dynamically allocated so that e.g.
 
+ 	   strings matched in files can be longer than MAXstring */
 
+ 	union VALUETYPE ms_value;	/* either number or string */
 
+-	size_t max_recursion;
 
+-#define	FILE_MAX_RECURSION	15
 
++	uint16_t indir_recursion;
 
++	uint16_t name_recursion;
 
++	uint16_t shnum_max;
 
++	uint16_t phnum_max;
 
++#define	FILE_INDIR_RECURSION	15
 
++#define	FILE_NAME_RECURSION	40
 
++#define FILE_ELF_SHNUM		32768
 
++#define FILE_ELF_PHNUM		128
 
+ };
 
+ 
+ /* Type for Unicode characters */
 
+@@ -416,7 +422,7 @@ protected int file_encoding(struct magic_set *, const unsigned char *, size_t,
 
+     unichar **, size_t *, const char **, const char **, const char **);
 
+ protected int file_is_tar(struct magic_set *, const unsigned char *, size_t);
 
+ protected int file_softmagic(struct magic_set *, const unsigned char *, size_t,
 
+-    size_t, int, int);
 
++    uint16_t, uint16_t, int, int);
 
+ protected struct mlist *file_apprentice(struct magic_set *, const char *, int);
 
+ protected uint64_t file_signextend(struct magic_set *, struct magic *,
 
+     uint64_t);
 
+diff --git a/src/funcs.c b/src/funcs.c
 
+index 04bab02..88e77ef 100644
 
+--- a/src/funcs.c
 
++++ b/src/funcs.c
 
+@@ -228,7 +228,7 @@ file_buffer(struct magic_set *ms, int fd, const char *inname __attribute__ ((unu
 
+ 
+ 	/* try soft magic tests */
 
+ 	if ((ms->flags & MAGIC_NO_CHECK_SOFT) == 0)
 
+-		if ((m = file_softmagic(ms, ubuf, nb, 0, BINTEST,
 
++		if ((m = file_softmagic(ms, ubuf, nb, 0, 0, BINTEST,
 
+ 		    looks_text)) != 0) {
 
+ 			if ((ms->flags & MAGIC_DEBUG) != 0)
 
+ 				(void)fprintf(stderr, "softmagic %d\n", m);
 
+diff --git a/src/magic.c b/src/magic.c
 
+index 2a916c7..aa812df 100644
 
+--- a/src/magic.c
 
++++ b/src/magic.c
 
+@@ -233,7 +233,10 @@ magic_open(int flags)
 
+ 	ms->mlist = NULL;
 
+ 	ms->file = "unknown";
 
+ 	ms->line = 0;
 
+-	ms->max_recursion = FILE_MAX_RECURSION;
 
++	ms->indir_recursion = FILE_INDIR_RECURSION;
 
++	ms->name_recursion = FILE_NAME_RECURSION;
 
++	ms->shnum_max = FILE_ELF_SHNUM;
 
++	ms->phnum_max = FILE_ELF_PHNUM;
 
+ 	return ms;
 
+ free:
 
+ 	free(ms);
 
+@@ -517,8 +520,17 @@ public int
 
+ magic_setparam(struct magic_set *ms, int param, const void *val)
 
+ {
 
+ 	switch (param) {
 
+-	case MAGIC_PARAM_MAX_RECURSION:
 
+-		ms->max_recursion = *(const size_t *)val;
 
++	case MAGIC_PARAM_INDIR_RECURSION:
 
++		ms->indir_recursion = *(const size_t *)val;
 
++		return 0;
 
++	case MAGIC_PARAM_NAME_RECURSION:
 
++		ms->name_recursion = *(const size_t *)val;
 
++		return 0;
 
++	case MAGIC_PARAM_PHNUM_MAX:
 
++		ms->phnum_max = *(const size_t *)val;
 
++		return 0;
 
++	case MAGIC_PARAM_SHNUM_MAX:
 
++		ms->shnum_max = *(const size_t *)val;
 
+ 		return 0;
 
+ 	default:
 
+ 		errno = EINVAL;
 
+@@ -530,8 +542,17 @@ public int
 
+ magic_getparam(struct magic_set *ms, int param, void *val)
 
+ {
 
+ 	switch (param) {
 
+-	case MAGIC_PARAM_MAX_RECURSION:
 
+-		*(size_t *)val = ms->max_recursion;
 
++	case MAGIC_PARAM_INDIR_RECURSION:
 
++		*(size_t *)val = ms->indir_recursion;
 
++		return 0;
 
++	case MAGIC_PARAM_NAME_RECURSION:
 
++		*(size_t *)val = ms->name_recursion;
 
++		return 0;
 
++	case MAGIC_PARAM_PHNUM_MAX:
 
++		*(size_t *)val = ms->phnum_max;
 
++		return 0;
 
++	case MAGIC_PARAM_SHNUM_MAX:
 
++		*(size_t *)val = ms->shnum_max;
 
+ 		return 0;
 
+ 	default:
 
+ 		errno = EINVAL;
 
+diff --git a/src/magic.h b/src/magic.h
 
+index 3d9ee8a..20c05c1 100644
 
+--- a/src/magic.h
 
++++ b/src/magic.h
 
+@@ -99,7 +99,11 @@ int magic_check(magic_t, const char *);
 
+ int magic_list(magic_t, const char *);
 
+ int magic_errno(magic_t);
 
+ 
+-#define MAGIC_PARAM_MAX_RECURSION	0
 
++#define MAGIC_PARAM_INDIR_RECURSION	0
 
++#define MAGIC_PARAM_NAME_RECURSION	1
 
++#define MAGIC_PARAM_PHNUM_MAX		2
 
++#define MAGIC_PARAM_SHNUM_MAX		3
 
++
 
+ int magic_setparam(magic_t, int, const void *);
 
+ int magic_getparam(magic_t, int, void *);
 
+ 
+diff --git a/src/softmagic.c b/src/softmagic.c
 
+index 188e66b..d507e11 100644
 
+--- a/src/softmagic.c
 
++++ b/src/softmagic.c
 
+@@ -43,9 +43,9 @@ FILE_RCSID("@(#)$File: softmagic.c,v 1.147 2011/11/05 15:44:22 rrt Exp $")
 
+ 
+ 
+ private int match(struct magic_set *, struct magic *, uint32_t,
 
+-    const unsigned char *, size_t, int, int, size_t);
 
++    const unsigned char *, size_t, int, int, uint16_t, uint16_t);
 
+ private int mget(struct magic_set *, const unsigned char *,
 
+-    struct magic *, size_t, unsigned int, int, size_t);
 
++    struct magic *, size_t, unsigned int, int, uint16_t, uint16_t);
 
+ private int magiccheck(struct magic_set *, struct magic *);
 
+ private int32_t mprint(struct magic_set *, struct magic *);
 
+ private int32_t moffset(struct magic_set *, struct magic *);
 
+@@ -69,13 +69,13 @@ private void cvt_64(union VALUETYPE *, const struct magic *);
 
+ /*ARGSUSED1*/		/* nbytes passed for regularity, maybe need later */
 
+ protected int
 
+ file_softmagic(struct magic_set *ms, const unsigned char *buf, size_t nbytes,
 
+-    size_t level, int mode, int text)
 
++    uint16_t indir_level, uint16_t name_level, int mode, int text)
 
+ {
 
+ 	struct mlist *ml;
 
+ 	int rv;
 
+ 	for (ml = ms->mlist->next; ml != ms->mlist; ml = ml->next)
 
+ 		if ((rv = match(ms, ml->magic, ml->nmagic, buf, nbytes, mode,
 
+-		    text, level)) != 0)
 
++		    text, indir_level, name_level)) != 0)
 
+ 			return rv;
 
+ 
+ 	return 0;
 
+@@ -111,7 +111,7 @@ file_softmagic(struct magic_set *ms, const unsigned char *buf, size_t nbytes,
 
+ private int
 
+ match(struct magic_set *ms, struct magic *magic, uint32_t nmagic,
 
+     const unsigned char *s, size_t nbytes, int mode, int text,
 
+-    size_t recursion_level)
 
++    uint16_t indir_level, uint16_t name_level)
 
+ {
 
+ 	uint32_t magindex = 0;
 
+ 	unsigned int cont_level = 0;
 
+@@ -143,7 +143,7 @@ match(struct magic_set *ms, struct magic *magic, uint32_t nmagic,
 
+ 		ms->line = m->lineno;
 
+ 
+ 		/* if main entry matches, print it... */
 
+-		switch (mget(ms, s, m, nbytes, cont_level, text, recursion_level + 1)) {
 
++		switch (mget(ms, s, m, nbytes, cont_level, text, indir_level, name_level)) {
 
+ 		case -1:
 
+ 			return -1;
 
+ 		case 0:
 
+@@ -226,7 +226,7 @@ match(struct magic_set *ms, struct magic *magic, uint32_t nmagic,
 
+ 					continue;
 
+ 			}
 
+ #endif
 
+-			switch (mget(ms, s, m, nbytes, cont_level, text, recursion_level + 1)) {
 
++			switch (mget(ms, s, m, nbytes, cont_level, text, indir_level, name_level)) {
 
+ 			case -1:
 
+ 				return -1;
 
+ 			case 0:
 
+@@ -1042,7 +1042,7 @@ mcopy(struct magic_set *ms, union VALUETYPE *p, int type, int indir,
 
+ private int
 
+ mget(struct magic_set *ms, const unsigned char *s,
 
+     struct magic *m, size_t nbytes, unsigned int cont_level, int text,
 
+-    size_t recursion_level)
 
++    uint16_t indir_level, uint16_t name_level)
 
+ {
 
+ 	uint32_t offset = ms->offset;
 
+ 	file_pushbuf_t *pb;
 
+@@ -1050,9 +1050,15 @@ mget(struct magic_set *ms, const unsigned char *s,
 
+ 	char *rbuf;
 
+ 	union VALUETYPE *p = &ms->ms_value;
 
+ 
+-	if (recursion_level >= ms->max_recursion) {
 
+-		file_error(ms, 0, "recursion nesting (%zu) exceeded",
 
+-		    recursion_level);
 
++	if (indir_level >= ms->indir_recursion) {
 
++		file_error(ms, 0, "indirect recursion nesting (%hu) exceeded",
 
++		    indir_level);
 
++		return -1;
 
++	}
 
++
 
++	if (name_level >= ms->name_recursion) {
 
++		file_error(ms, 0, "name recursion nesting (%hu) exceeded",
 
++		    name_level);
 
+ 		return -1;
 
+ 	}
 
+ 
+@@ -1619,7 +1625,7 @@ mget(struct magic_set *ms, const unsigned char *s,
 
+ 			return -1;
 
+ 
+ 		rv = file_softmagic(ms, s + offset, nbytes - offset,
 
+-		    recursion_level, BINTEST, text);
 
++		    indir_level + 1, name_level, BINTEST, text);
 
+ 
+ 		if ((ms->flags & MAGIC_DEBUG) != 0)
 
+ 			fprintf(stderr, "indirect @offs=%u[%d]\n", offset, rv);

+ 262 - 0
debian/patches/TEMP-0000000-B67840.6.0056ec3.patch
View File 

@@ -0,0 +1,262 @@
 
+Subject: Add a limit to the number of times a name/use entries can be used
 
+Upstream-Author: Christos Zoulas <christos@zoulas.com>
 
+Date: Fri Nov 28 02:35:05 2014 +0000
 
+Origin: FILE5_20-37-g0056ec3
 
+Last-Update: 2015-01-05
 
+
 
+(prequisite for TEMP-0000000-B67840)
 
+
 
+diff --git a/doc/file.man b/doc/file.man
 
+index e4ce958..8ea29ef 100644
 
+--- a/doc/file.man
 
++++ b/doc/file.man
 
+@@ -293,10 +293,11 @@ attempt to preserve the access time of files analyzed, to pretend that
 
+ never read them.
 
+ .It Fl P , Fl Fl parameter Ar name=value
 
+ Set various parameter limits.
 
+-.Bl -column "indir" "Default" "XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX" -offset indent
 
++.Bl -column "namenum" "Default" "XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX" -offset indent
 
+ .It Sy "Name" Ta Sy "Default" Ta Sy "Explanation"
 
+ .It Li indir Ta 15 Ta recursion limit for indirect magic
 
+ .It Li name Ta 40 Ta recursion limit for name/use magic
 
++.It Li namenum Ta 30 Ta use count limit for name/use magic
 
+ .It Li phnum Ta 128 Ta max ELF program sections processed
 
+ .It Li shnum Ta 32768 Ta max ELF sections processed
 
+ .El
 
+diff --git a/doc/libmagic.man b/doc/libmagic.man
 
+index ba06c9f..57ec7dc 100644
 
+--- a/doc/libmagic.man
 
++++ b/doc/libmagic.man
 
+@@ -262,6 +262,7 @@ library.
 
+ .It Sy "Parameter" Ta Sy "Type" Ta Sy "Default"
 
+ .It Li MAGIC_PARAM_INDIR_RECURSION Ta size_t Ta 15
 
+ .It Li MAGIC_PARAM_NAME_RECURSION Ta size_t Ta 40
 
++.It Li MAGIC_PARAM_NAME_MAX Ta size_t Ta 30
 
+ .It Li MAGIC_PARAM_PHNUM_MAX Ta size_t Ta 128
 
+ .It Li MAGIC_PARAM_SHNUM_MAX Ta size_t Ta 32768
 
+ .El
 
+@@ -277,6 +278,10 @@ parameter controls how many levels of recursion will be followed for
 
+ for name/use calls.
 
+ .Pp
 
+ The
 
++.Dv MAGIC_PARAM_NAME_MAX
 
++parameter controls the maximum number of calls for name/use.
 
++.Pp
 
++The
 
+ .Dv MAGIC_PARAM_PHNUM_MAX
 
+ parameter controls how many elf program sections will be processed.
 
+ .Pp
 
+diff --git a/src/ascmagic.c b/src/ascmagic.c
 
+index 9f4b012..3388682 100644
 
+--- a/src/ascmagic.c
 
++++ b/src/ascmagic.c
 
+@@ -147,7 +147,8 @@ file_ascmagic_with_encoding(struct magic_set *ms, const unsigned char *buf,
 
+ 		    == NULL)
 
+ 			goto done;
 
+ 		if ((rv = file_softmagic(ms, utf8_buf,
 
+-		    (size_t)(utf8_end - utf8_buf), 0, 0, TEXTTEST, text)) == 0)
 
++		    (size_t)(utf8_end - utf8_buf), 0, 0, NULL,
 
++		    TEXTTEST, text)) == 0)
 
+ 			rv = -1;
 
+ 	}
 
+ 
+diff --git a/src/file.c b/src/file.c
 
+index 4bb3102..702a613 100644
 
+--- a/src/file.c
 
++++ b/src/file.c
 
+@@ -126,6 +126,7 @@ private struct {
 
+ } pm[] = {
 
+ 	{ "indir",	MAGIC_PARAM_INDIR_RECURSION, 0 },
 
+ 	{ "name",	MAGIC_PARAM_NAME_RECURSION, 0 },
 
++	{ "namenum",	MAGIC_PARAM_NAME_MAX, 0 },
 
+ 	{ "phnum",	MAGIC_PARAM_PHNUM_MAX, 0 },
 
+ 	{ "shnum",	MAGIC_PARAM_SHNUM_MAX, 0 },
 
+ };
 
+diff --git a/src/file.h b/src/file.h
 
+index 237bc4d..6692b3a 100644
 
+--- a/src/file.h
 
++++ b/src/file.h
 
+@@ -382,12 +382,14 @@ struct magic_set {
 
+ 	union VALUETYPE ms_value;	/* either number or string */
 
+ 	uint16_t indir_recursion;
 
+ 	uint16_t name_recursion;
 
++	uint16_t name_max;
 
+ 	uint16_t shnum_max;
 
+ 	uint16_t phnum_max;
 
+ #define	FILE_INDIR_RECURSION	15
 
+ #define	FILE_NAME_RECURSION	40
 
+-#define FILE_ELF_SHNUM		32768
 
+-#define FILE_ELF_PHNUM		128
 
++#define	FILE_NAME_MAX		30
 
++#define	FILE_ELF_SHNUM		32768
 
++#define	FILE_ELF_PHNUM		128
 
+ };
 
+ 
+ /* Type for Unicode characters */
 
+@@ -422,7 +424,7 @@ protected int file_encoding(struct magic_set *, const unsigned char *, size_t,
 
+     unichar **, size_t *, const char **, const char **, const char **);
 
+ protected int file_is_tar(struct magic_set *, const unsigned char *, size_t);
 
+ protected int file_softmagic(struct magic_set *, const unsigned char *, size_t,
 
+-    uint16_t, uint16_t, int, int);
 
++    uint16_t, uint16_t, uint16_t *, int, int);
 
+ protected struct mlist *file_apprentice(struct magic_set *, const char *, int);
 
+ protected uint64_t file_signextend(struct magic_set *, struct magic *,
 
+     uint64_t);
 
+diff --git a/src/funcs.c b/src/funcs.c
 
+index 88e77ef..91b11fc 100644
 
+--- a/src/funcs.c
 
++++ b/src/funcs.c
 
+@@ -228,7 +228,7 @@ file_buffer(struct magic_set *ms, int fd, const char *inname __attribute__ ((unu
 
+ 
+ 	/* try soft magic tests */
 
+ 	if ((ms->flags & MAGIC_NO_CHECK_SOFT) == 0)
 
+-		if ((m = file_softmagic(ms, ubuf, nb, 0, 0, BINTEST,
 
++		if ((m = file_softmagic(ms, ubuf, nb, 0, 0, NULL, BINTEST,
 
+ 		    looks_text)) != 0) {
 
+ 			if ((ms->flags & MAGIC_DEBUG) != 0)
 
+ 				(void)fprintf(stderr, "softmagic %d\n", m);
 
+diff --git a/src/magic.c b/src/magic.c
 
+index aa812df..f2bdae5 100644
 
+--- a/src/magic.c
 
++++ b/src/magic.c
 
+@@ -235,6 +235,7 @@ magic_open(int flags)
 
+ 	ms->line = 0;
 
+ 	ms->indir_recursion = FILE_INDIR_RECURSION;
 
+ 	ms->name_recursion = FILE_NAME_RECURSION;
 
++	ms->name_max = FILE_NAME_MAX;
 
+ 	ms->shnum_max = FILE_ELF_SHNUM;
 
+ 	ms->phnum_max = FILE_ELF_PHNUM;
 
+ 	return ms;
 
+@@ -526,6 +527,9 @@ magic_setparam(struct magic_set *ms, int param, const void *val)
 
+ 	case MAGIC_PARAM_NAME_RECURSION:
 
+ 		ms->name_recursion = *(const size_t *)val;
 
+ 		return 0;
 
++	case MAGIC_PARAM_NAME_MAX:
 
++		ms->name_max = *(const size_t *)val;
 
++		return 0;
 
+ 	case MAGIC_PARAM_PHNUM_MAX:
 
+ 		ms->phnum_max = *(const size_t *)val;
 
+ 		return 0;
 
+@@ -548,6 +552,9 @@ magic_getparam(struct magic_set *ms, int param, void *val)
 
+ 	case MAGIC_PARAM_NAME_RECURSION:
 
+ 		*(size_t *)val = ms->name_recursion;
 
+ 		return 0;
 
++	case MAGIC_PARAM_NAME_MAX:
 
++		*(size_t *)val = ms->name_max;
 
++		return 0;
 
+ 	case MAGIC_PARAM_PHNUM_MAX:
 
+ 		*(size_t *)val = ms->phnum_max;
 
+ 		return 0;
 
+diff --git a/src/magic.h b/src/magic.h
 
+index 20c05c1..c2667cc 100644
 
+--- a/src/magic.h
 
++++ b/src/magic.h
 
+@@ -101,8 +101,9 @@ int magic_errno(magic_t);
 
+ 
+ #define MAGIC_PARAM_INDIR_RECURSION	0
 
+ #define MAGIC_PARAM_NAME_RECURSION	1
 
+-#define MAGIC_PARAM_PHNUM_MAX		2
 
+-#define MAGIC_PARAM_SHNUM_MAX		3
 
++#define MAGIC_PARAM_NAME_MAX		2
 
++#define MAGIC_PARAM_PHNUM_MAX		3
 
++#define MAGIC_PARAM_SHNUM_MAX		4
 
+ 
+ int magic_setparam(magic_t, int, const void *);
 
+ int magic_getparam(magic_t, int, void *);
 
+diff --git a/src/softmagic.c b/src/softmagic.c
 
+index d507e11..6e94ae9 100644
 
+--- a/src/softmagic.c
 
++++ b/src/softmagic.c
 
+@@ -43,9 +43,9 @@ FILE_RCSID("@(#)$File: softmagic.c,v 1.147 2011/11/05 15:44:22 rrt Exp $")
 
+ 
+ 
+ private int match(struct magic_set *, struct magic *, uint32_t,
 
+-    const unsigned char *, size_t, int, int, uint16_t, uint16_t);
 
++    const unsigned char *, size_t, int, int, uint16_t, uint16_t, uint16_t *);
 
+ private int mget(struct magic_set *, const unsigned char *,
 
+-    struct magic *, size_t, unsigned int, int, uint16_t, uint16_t);
 
++    struct magic *, size_t, unsigned int, int, uint16_t, uint16_t, uint16_t *);
 
+ private int magiccheck(struct magic_set *, struct magic *);
 
+ private int32_t mprint(struct magic_set *, struct magic *);
 
+ private int32_t moffset(struct magic_set *, struct magic *);
 
+@@ -69,13 +69,20 @@ private void cvt_64(union VALUETYPE *, const struct magic *);
 
+ /*ARGSUSED1*/		/* nbytes passed for regularity, maybe need later */
 
+ protected int
 
+ file_softmagic(struct magic_set *ms, const unsigned char *buf, size_t nbytes,
 
+-    uint16_t indir_level, uint16_t name_level, int mode, int text)
 
++    uint16_t indir_level, uint16_t name_level, uint16_t *name_count,
 
++	int mode, int text)
 
+ {
 
+ 	struct mlist *ml;
 
++	uint16_t nc;
 
++	if (name_count == NULL) {
 
++		nc = 0;
 
++		name_count = &nc;
 
++	}
 
++
 
+ 	int rv;
 
+ 	for (ml = ms->mlist->next; ml != ms->mlist; ml = ml->next)
 
+ 		if ((rv = match(ms, ml->magic, ml->nmagic, buf, nbytes, mode,
 
+-		    text, indir_level, name_level)) != 0)
 
++		    text, indir_level, name_level, name_count)) != 0)
 
+ 			return rv;
 
+ 
+ 	return 0;
 
+@@ -111,7 +118,7 @@ file_softmagic(struct magic_set *ms, const unsigned char *buf, size_t nbytes,
 
+ private int
 
+ match(struct magic_set *ms, struct magic *magic, uint32_t nmagic,
 
+     const unsigned char *s, size_t nbytes, int mode, int text,
 
+-    uint16_t indir_level, uint16_t name_level)
 
++    uint16_t indir_level, uint16_t name_level, uint16_t *name_count)
 
+ {
 
+ 	uint32_t magindex = 0;
 
+ 	unsigned int cont_level = 0;
 
+@@ -143,7 +150,7 @@ match(struct magic_set *ms, struct magic *magic, uint32_t nmagic,
 
+ 		ms->line = m->lineno;
 
+ 
+ 		/* if main entry matches, print it... */
 
+-		switch (mget(ms, s, m, nbytes, cont_level, text, indir_level, name_level)) {
 
++		switch (mget(ms, s, m, nbytes, cont_level, text, indir_level, name_level, name_count)) {
 
+ 		case -1:
 
+ 			return -1;
 
+ 		case 0:
 
+@@ -226,7 +233,7 @@ match(struct magic_set *ms, struct magic *magic, uint32_t nmagic,
 
+ 					continue;
 
+ 			}
 
+ #endif
 
+-			switch (mget(ms, s, m, nbytes, cont_level, text, indir_level, name_level)) {
 
++			switch (mget(ms, s, m, nbytes, cont_level, text, indir_level, name_level, name_count)) {
 
+ 			case -1:
 
+ 				return -1;
 
+ 			case 0:
 
+@@ -1042,7 +1049,7 @@ mcopy(struct magic_set *ms, union VALUETYPE *p, int type, int indir,
 
+ private int
 
+ mget(struct magic_set *ms, const unsigned char *s,
 
+     struct magic *m, size_t nbytes, unsigned int cont_level, int text,
 
+-    uint16_t indir_level, uint16_t name_level)
 
++    uint16_t indir_level, uint16_t name_level, uint16_t *name_count)
 
+ {
 
+ 	uint32_t offset = ms->offset;
 
+ 	file_pushbuf_t *pb;
 
+@@ -1062,6 +1069,12 @@ mget(struct magic_set *ms, const unsigned char *s,
 
+ 		return -1;
 
+ 	}
 
+ 
++	if (*name_count >= ms->name_max) {
 
++		file_error(ms, 0, "name use count (%hu) exceeded",
 
++		    *name_count);
 
++		return -1;
 
++	}
 
++
 
+ 	if (mcopy(ms, p, m->type, m->flag & INDIR, s, offset,
 
+ 	    (uint32_t)nbytes, m) == -1)
 
+ 		return -1;
 
+@@ -1625,7 +1638,7 @@ mget(struct magic_set *ms, const unsigned char *s,
 
+ 			return -1;
 
+ 
+ 		rv = file_softmagic(ms, s + offset, nbytes - offset,
 
+-		    indir_level + 1, name_level, BINTEST, text);
 
++		    indir_level + 1, name_level, name_count, BINTEST, text);
 
+ 
+ 		if ((ms->flags & MAGIC_DEBUG) != 0)
 
+ 			fprintf(stderr, "indirect @offs=%u[%d]\n", offset, rv);

+ 28 - 0
debian/patches/TEMP-0000000-B67840.7.09e4162.patch
View File 

@@ -0,0 +1,28 @@
 
+Subject: Put the changes in the original file not the generated file
 
+Upstream-Author: Christos Zoulas <christos@zoulas.com>
 
+Date: Mon Dec 1 13:50:58 2014 +0000
 
+Origin: FILE5_20-40-g09e4162
 
+Last-Update: 2015-01-05
 
+
 
+(prequisite for TEMP-0000000-B67840)
 
+
 
+diff --git a/src/magic.h b/src/magic.h
 
+index c2667cc..4aec3c5 100644
 
+--- a/src/magic.h
 
++++ b/src/magic.h
 
+@@ -99,11 +99,10 @@ int magic_check(magic_t, const char *);
 
+ int magic_list(magic_t, const char *);
 
+ int magic_errno(magic_t);
 
+ 
+-#define MAGIC_PARAM_INDIR_RECURSION	0
 
+-#define MAGIC_PARAM_NAME_RECURSION	1
 
+-#define MAGIC_PARAM_NAME_MAX		2
 
+-#define MAGIC_PARAM_PHNUM_MAX		3
 
+-#define MAGIC_PARAM_SHNUM_MAX		4
 
++#define MAGIC_PARAM_INDIR_MAX		0
 
++#define MAGIC_PARAM_NAME_MAX		1
 
++#define MAGIC_PARAM_ELF_PHNUM_MAX	2
 
++#define MAGIC_PARAM_ELF_SHNUM_MAX	3
 
+ 
+ int magic_setparam(magic_t, int, const void *);
 
+ int magic_getparam(magic_t, int, void *);

+ 346 - 0
debian/patches/TEMP-0000000-B67840.8.af444af.patch
View File 

@@ -0,0 +1,346 @@
 
+Subject: Remove name recursion limit, it is always lower than the count... Rename things for consistency
 
+Upstream-Author: Christos Zoulas <christos@zoulas.com>
 
+Date: Fri Nov 28 02:46:39 2014 +0000
 
+Origin: FILE5_20-38-gaf444af
 
+Last-Update: 2015-01-05
 
+
 
+    Remove name recursion limit, it is always lower than the count... Rename
 
+    things for consistency.
 
+
 
+(prequisite for TEMP-0000000-B67840)
 
+
 
+diff --git a/doc/file.man b/doc/file.man
 
+index 8ea29ef..dd80d08 100644
 
+--- a/doc/file.man
 
++++ b/doc/file.man
 
+@@ -293,13 +293,12 @@ attempt to preserve the access time of files analyzed, to pretend that
 
+ never read them.
 
+ .It Fl P , Fl Fl parameter Ar name=value
 
+ Set various parameter limits.
 
+-.Bl -column "namenum" "Default" "XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX" -offset indent
 
++.Bl -column "elf_phnum" "Default" "XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX" -offset indent
 
+ .It Sy "Name" Ta Sy "Default" Ta Sy "Explanation"
 
+ .It Li indir Ta 15 Ta recursion limit for indirect magic
 
+-.It Li name Ta 40 Ta recursion limit for name/use magic
 
+-.It Li namenum Ta 30 Ta use count limit for name/use magic
 
+-.It Li phnum Ta 128 Ta max ELF program sections processed
 
+-.It Li shnum Ta 32768 Ta max ELF sections processed
 
++.It Li name Ta 30 Ta use count limit for name/use magic
 
++.It Li elf_phnum Ta 128 Ta max ELF program sections processed
 
++.It Li elf_shnum Ta 32768 Ta max ELF sections processed
 
+ .El
 
+ .It Fl r , Fl Fl raw
 
+ Don't translate unprintable characters to \eooo.
 
+diff --git a/doc/libmagic.man b/doc/libmagic.man
 
+index 57ec7dc..d45e3c8 100644
 
+--- a/doc/libmagic.man
 
++++ b/doc/libmagic.man
 
+@@ -258,13 +258,12 @@ and
 
+ .Fn magic_setparam
 
+ allow getting and setting various limits related to the the magic
 
+ library.
 
+-.Bl -column "MAGIC_PARAM_INDIR_RECURSION" "size_t" "Default" -offset indent
 
++.Bl -column "MAGIC_PARAM_ELF_PHNUM_MAX" "size_t" "Default" -offset indent
 
+ .It Sy "Parameter" Ta Sy "Type" Ta Sy "Default"
 
+-.It Li MAGIC_PARAM_INDIR_RECURSION Ta size_t Ta 15
 
+-.It Li MAGIC_PARAM_NAME_RECURSION Ta size_t Ta 40
 
++.It Li MAGIC_PARAM_INDIR_MAX Ta size_t Ta 15
 
+ .It Li MAGIC_PARAM_NAME_MAX Ta size_t Ta 30
 
+-.It Li MAGIC_PARAM_PHNUM_MAX Ta size_t Ta 128
 
+-.It Li MAGIC_PARAM_SHNUM_MAX Ta size_t Ta 32768
 
++.It Li MAGIC_PARAM_ELF_PHNUM_MAX Ta size_t Ta 128
 
++.It Li MAGIC_PARAM_ELF_SHNUM_MAX Ta size_t Ta 32768
 
+ .El
 
+ .Pp
 
+ The
 
+diff --git a/src/ascmagic.c b/src/ascmagic.c
 
+index 3388682..463c614 100644
 
+--- a/src/ascmagic.c
 
++++ b/src/ascmagic.c
 
+@@ -147,7 +147,7 @@ file_ascmagic_with_encoding(struct magic_set *ms, const unsigned char *buf,
 
+ 		    == NULL)
 
+ 			goto done;
 
+ 		if ((rv = file_softmagic(ms, utf8_buf,
 
+-		    (size_t)(utf8_end - utf8_buf), 0, 0, NULL,
 
++		    (size_t)(utf8_end - utf8_buf), 0, NULL,
 
+ 		    TEXTTEST, text)) == 0)
 
+ 			rv = -1;
 
+ 	}
 
+diff --git a/src/elfclass.h b/src/elfclass.h
 
+index bda53b3..e144d11 100644
 
+--- a/src/elfclass.h
 
++++ b/src/elfclass.h
 
+@@ -36,7 +36,7 @@
 
+ #ifdef ELFCORE
 
+ 	case ET_CORE:
 
+ 		phnum = elf_getu16(swap, elfhdr.e_phnum);
 
+-		if (phnum > ms->phnum_max)
 
++		if (phnum > ms->elf_phnum_max)
 
+ 			return toomany(ms, "program", phnum);
 
+ 		flags |= FLAGS_IS_CORE;
 
+ 		if (dophn_core(ms, clazz, swap, fd,
 
+@@ -49,10 +49,10 @@
 
+ 	case ET_EXEC:
 
+ 	case ET_DYN:
 
+ 		phnum = elf_getu16(swap, elfhdr.e_phnum);
 
+-		if (phnum > ms->phnum_max)
 
++		if (phnum > ms->elf_phnum_max)
 
+ 			return toomany(ms, "program", phnum);
 
+ 		shnum = elf_getu16(swap, elfhdr.e_shnum);
 
+-		if (shnum > ms->shnum_max)
 
++		if (shnum > ms->elf_shnum_max)
 
+ 			return toomany(ms, "section", shnum);
 
+ 		if (dophn_exec(ms, clazz, swap, fd,
 
+ 		    (off_t)elf_getu(swap, elfhdr.e_phoff), phnum,
 
+@@ -62,7 +62,7 @@
 
+ 		/*FALLTHROUGH*/
 
+ 	case ET_REL:
 
+ 		shnum = elf_getu16(swap, elfhdr.e_shnum);
 
+-		if (shnum > ms->shnum_max)
 
++		if (shnum > ms->elf_shnum_max)
 
+ 			return toomany(ms, "section", shnum);
 
+ 		if (doshn(ms, clazz, swap, fd,
 
+ 		    (off_t)elf_getu(swap, elfhdr.e_shoff), shnum,
 
+diff --git a/src/file.c b/src/file.c
 
+index 702a613..5ce08aa 100644
 
+--- a/src/file.c
 
++++ b/src/file.c
 
+@@ -124,11 +124,10 @@ private struct {
 
+ 	int tag;
 
+ 	size_t value;
 
+ } pm[] = {
 
+-	{ "indir",	MAGIC_PARAM_INDIR_RECURSION, 0 },
 
+-	{ "name",	MAGIC_PARAM_NAME_RECURSION, 0 },
 
+-	{ "namenum",	MAGIC_PARAM_NAME_MAX, 0 },
 
+-	{ "phnum",	MAGIC_PARAM_PHNUM_MAX, 0 },
 
+-	{ "shnum",	MAGIC_PARAM_SHNUM_MAX, 0 },
 
++	{ "indir",	MAGIC_PARAM_INDIR_MAX, 0 },
 
++	{ "name",	MAGIC_PARAM_NAME_MAX, 0 },
 
++	{ "elf_phnum",	MAGIC_PARAM_ELF_PHNUM_MAX, 0 },
 
++	{ "elf_shnum",	MAGIC_PARAM_ELF_SHNUM_MAX, 0 },
 
+ };
 
+ 
+ private char *progname;		/* used throughout 		*/
 
+diff --git a/src/file.h b/src/file.h
 
+index 6692b3a..67331e0 100644
 
+--- a/src/file.h
 
++++ b/src/file.h
 
+@@ -380,16 +380,14 @@ struct magic_set {
 
+ 	/* FIXME: Make the string dynamically allocated so that e.g.
 
+ 	   strings matched in files can be longer than MAXstring */
 
+ 	union VALUETYPE ms_value;	/* either number or string */
 
+-	uint16_t indir_recursion;
 
+-	uint16_t name_recursion;
 
++	uint16_t indir_max;
 
+ 	uint16_t name_max;
 
+-	uint16_t shnum_max;
 
+-	uint16_t phnum_max;
 
+-#define	FILE_INDIR_RECURSION	15
 
+-#define	FILE_NAME_RECURSION	40
 
+-#define	FILE_NAME_MAX		30
 
+-#define	FILE_ELF_SHNUM		32768
 
+-#define	FILE_ELF_PHNUM		128
 
++	uint16_t elf_shnum_max;
 
++	uint16_t elf_phnum_max;
 
++#define	FILE_INDIR_MAX			15
 
++#define	FILE_NAME_MAX			30
 
++#define	FILE_ELF_SHNUM_MAX		32768
 
++#define	FILE_ELF_PHNUM_MAX		128
 
+ };
 
+ 
+ /* Type for Unicode characters */
 
+@@ -424,7 +422,7 @@ protected int file_encoding(struct magic_set *, const unsigned char *, size_t,
 
+     unichar **, size_t *, const char **, const char **, const char **);
 
+ protected int file_is_tar(struct magic_set *, const unsigned char *, size_t);
 
+ protected int file_softmagic(struct magic_set *, const unsigned char *, size_t,
 
+-    uint16_t, uint16_t, uint16_t *, int, int);
 
++    uint16_t, uint16_t *, int, int);
 
+ protected struct mlist *file_apprentice(struct magic_set *, const char *, int);
 
+ protected uint64_t file_signextend(struct magic_set *, struct magic *,
 
+     uint64_t);
 
+diff --git a/src/funcs.c b/src/funcs.c
 
+index 91b11fc..e7d2bb8 100644
 
+--- a/src/funcs.c
 
++++ b/src/funcs.c
 
+@@ -228,7 +228,7 @@ file_buffer(struct magic_set *ms, int fd, const char *inname __attribute__ ((unu
 
+ 
+ 	/* try soft magic tests */
 
+ 	if ((ms->flags & MAGIC_NO_CHECK_SOFT) == 0)
 
+-		if ((m = file_softmagic(ms, ubuf, nb, 0, 0, NULL, BINTEST,
 
++		if ((m = file_softmagic(ms, ubuf, nb, 0, NULL, BINTEST,
 
+ 		    looks_text)) != 0) {
 
+ 			if ((ms->flags & MAGIC_DEBUG) != 0)
 
+ 				(void)fprintf(stderr, "softmagic %d\n", m);
 
+diff --git a/src/magic.c b/src/magic.c
 
+index f2bdae5..3aa3474 100644
 
+--- a/src/magic.c
 
++++ b/src/magic.c
 
+@@ -233,11 +233,10 @@ magic_open(int flags)
 
+ 	ms->mlist = NULL;
 
+ 	ms->file = "unknown";
 
+ 	ms->line = 0;
 
+-	ms->indir_recursion = FILE_INDIR_RECURSION;
 
+-	ms->name_recursion = FILE_NAME_RECURSION;
 
++	ms->indir_max = FILE_INDIR_MAX;
 
+ 	ms->name_max = FILE_NAME_MAX;
 
+-	ms->shnum_max = FILE_ELF_SHNUM;
 
+-	ms->phnum_max = FILE_ELF_PHNUM;
 
++	ms->elf_shnum_max = FILE_ELF_SHNUM_MAX;
 
++	ms->elf_phnum_max = FILE_ELF_PHNUM_MAX;
 
+ 	return ms;
 
+ free:
 
+ 	free(ms);
 
+@@ -521,20 +520,17 @@ public int
 
+ magic_setparam(struct magic_set *ms, int param, const void *val)
 
+ {
 
+ 	switch (param) {
 
+-	case MAGIC_PARAM_INDIR_RECURSION:
 
+-		ms->indir_recursion = *(const size_t *)val;
 
+-		return 0;
 
+-	case MAGIC_PARAM_NAME_RECURSION:
 
+-		ms->name_recursion = *(const size_t *)val;
 
++	case MAGIC_PARAM_INDIR_MAX:
 
++		ms->indir_max = *(const size_t *)val;
 
+ 		return 0;
 
+ 	case MAGIC_PARAM_NAME_MAX:
 
+ 		ms->name_max = *(const size_t *)val;
 
+ 		return 0;
 
+-	case MAGIC_PARAM_PHNUM_MAX:
 
+-		ms->phnum_max = *(const size_t *)val;
 
++	case MAGIC_PARAM_ELF_PHNUM_MAX:
 
++		ms->elf_phnum_max = *(const size_t *)val;
 
+ 		return 0;
 
+-	case MAGIC_PARAM_SHNUM_MAX:
 
+-		ms->shnum_max = *(const size_t *)val;
 
++	case MAGIC_PARAM_ELF_SHNUM_MAX:
 
++		ms->elf_shnum_max = *(const size_t *)val;
 
+ 		return 0;
 
+ 	default:
 
+ 		errno = EINVAL;
 
+@@ -546,20 +542,17 @@ public int
 
+ magic_getparam(struct magic_set *ms, int param, void *val)
 
+ {
 
+ 	switch (param) {
 
+-	case MAGIC_PARAM_INDIR_RECURSION:
 
+-		*(size_t *)val = ms->indir_recursion;
 
+-		return 0;
 
+-	case MAGIC_PARAM_NAME_RECURSION:
 
+-		*(size_t *)val = ms->name_recursion;
 
++	case MAGIC_PARAM_INDIR_MAX:
 
++		*(size_t *)val = ms->indir_max;
 
+ 		return 0;
 
+ 	case MAGIC_PARAM_NAME_MAX:
 
+ 		*(size_t *)val = ms->name_max;
 
+ 		return 0;
 
+-	case MAGIC_PARAM_PHNUM_MAX:
 
+-		*(size_t *)val = ms->phnum_max;
 
++	case MAGIC_PARAM_ELF_PHNUM_MAX:
 
++		*(size_t *)val = ms->elf_phnum_max;
 
+ 		return 0;
 
+-	case MAGIC_PARAM_SHNUM_MAX:
 
+-		*(size_t *)val = ms->shnum_max;
 
++	case MAGIC_PARAM_ELF_SHNUM_MAX:
 
++		*(size_t *)val = ms->elf_shnum_max;
 
+ 		return 0;
 
+ 	default:
 
+ 		errno = EINVAL;
 
+diff --git a/src/softmagic.c b/src/softmagic.c
 
+index 6e94ae9..9a13acb 100644
 
+--- a/src/softmagic.c
 
++++ b/src/softmagic.c
 
+@@ -43,9 +43,9 @@ FILE_RCSID("@(#)$File: softmagic.c,v 1.147 2011/11/05 15:44:22 rrt Exp $")
 
+ 
+ 
+ private int match(struct magic_set *, struct magic *, uint32_t,
 
+-    const unsigned char *, size_t, int, int, uint16_t, uint16_t, uint16_t *);
 
++    const unsigned char *, size_t, int, int, uint16_t, uint16_t *);
 
+ private int mget(struct magic_set *, const unsigned char *,
 
+-    struct magic *, size_t, unsigned int, int, uint16_t, uint16_t, uint16_t *);
 
++    struct magic *, size_t, unsigned int, int, uint16_t, uint16_t *);
 
+ private int magiccheck(struct magic_set *, struct magic *);
 
+ private int32_t mprint(struct magic_set *, struct magic *);
 
+ private int32_t moffset(struct magic_set *, struct magic *);
 
+@@ -69,8 +69,7 @@ private void cvt_64(union VALUETYPE *, const struct magic *);
 
+ /*ARGSUSED1*/		/* nbytes passed for regularity, maybe need later */
 
+ protected int
 
+ file_softmagic(struct magic_set *ms, const unsigned char *buf, size_t nbytes,
 
+-    uint16_t indir_level, uint16_t name_level, uint16_t *name_count,
 
+-	int mode, int text)
 
++    uint16_t indir_level, uint16_t *name_count, int mode, int text)
 
+ {
 
+ 	struct mlist *ml;
 
+ 	uint16_t nc;
 
+@@ -82,7 +81,7 @@ file_softmagic(struct magic_set *ms, const unsigned char *buf, size_t nbytes,
 
+ 	int rv;
 
+ 	for (ml = ms->mlist->next; ml != ms->mlist; ml = ml->next)
 
+ 		if ((rv = match(ms, ml->magic, ml->nmagic, buf, nbytes, mode,
 
+-		    text, indir_level, name_level, name_count)) != 0)
 
++		    text, indir_level, name_count)) != 0)
 
+ 			return rv;
 
+ 
+ 	return 0;
 
+@@ -118,7 +117,7 @@ file_softmagic(struct magic_set *ms, const unsigned char *buf, size_t nbytes,
 
+ private int
 
+ match(struct magic_set *ms, struct magic *magic, uint32_t nmagic,
 
+     const unsigned char *s, size_t nbytes, int mode, int text,
 
+-    uint16_t indir_level, uint16_t name_level, uint16_t *name_count)
 
++    uint16_t indir_level, uint16_t *name_count)
 
+ {
 
+ 	uint32_t magindex = 0;
 
+ 	unsigned int cont_level = 0;
 
+@@ -150,7 +149,7 @@ match(struct magic_set *ms, struct magic *magic, uint32_t nmagic,
 
+ 		ms->line = m->lineno;
 
+ 
+ 		/* if main entry matches, print it... */
 
+-		switch (mget(ms, s, m, nbytes, cont_level, text, indir_level, name_level, name_count)) {
 
++		switch (mget(ms, s, m, nbytes, cont_level, text, indir_level, name_count)) {
 
+ 		case -1:
 
+ 			return -1;
 
+ 		case 0:
 
+@@ -233,7 +232,7 @@ match(struct magic_set *ms, struct magic *magic, uint32_t nmagic,
 
+ 					continue;
 
+ 			}
 
+ #endif
 
+-			switch (mget(ms, s, m, nbytes, cont_level, text, indir_level, name_level, name_count)) {
 
++			switch (mget(ms, s, m, nbytes, cont_level, text, indir_level, name_count)) {
 
+ 			case -1:
 
+ 				return -1;
 
+ 			case 0:
 
+@@ -1049,7 +1048,7 @@ mcopy(struct magic_set *ms, union VALUETYPE *p, int type, int indir,
 
+ private int
 
+ mget(struct magic_set *ms, const unsigned char *s,
 
+     struct magic *m, size_t nbytes, unsigned int cont_level, int text,
 
+-    uint16_t indir_level, uint16_t name_level, uint16_t *name_count)
 
++    uint16_t indir_level, uint16_t *name_count)
 
+ {
 
+ 	uint32_t offset = ms->offset;
 
+ 	file_pushbuf_t *pb;
 
+@@ -1057,18 +1056,12 @@ mget(struct magic_set *ms, const unsigned char *s,
 
+ 	char *rbuf;
 
+ 	union VALUETYPE *p = &ms->ms_value;
 
+ 
+-	if (indir_level >= ms->indir_recursion) {
 
++	if (indir_level >= ms->indir_max) {
 
+ 		file_error(ms, 0, "indirect recursion nesting (%hu) exceeded",
 
+ 		    indir_level);
 
+ 		return -1;
 
+ 	}
 
+ 
+-	if (name_level >= ms->name_recursion) {
 
+-		file_error(ms, 0, "name recursion nesting (%hu) exceeded",
 
+-		    name_level);
 
+-		return -1;
 
+-	}
 
+-
 
+ 	if (*name_count >= ms->name_max) {
 
+ 		file_error(ms, 0, "name use count (%hu) exceeded",
 
+ 		    *name_count);
 
+@@ -1638,7 +1631,7 @@ mget(struct magic_set *ms, const unsigned char *s,
 
+ 			return -1;
 
+ 
+ 		rv = file_softmagic(ms, s + offset, nbytes - offset,
 
+-		    indir_level + 1, name_level, name_count, BINTEST, text);
 
++		    indir_level + 1, name_count, BINTEST, text);
 
+ 
+ 		if ((ms->flags & MAGIC_DEBUG) != 0)
 
+ 			fprintf(stderr, "indirect @offs=%u[%d]\n", offset, rv);

+ 59 - 0
debian/patches/TEMP-0000000-B67840.9.68bd843.patch
View File 

@@ -0,0 +1,59 @@
 
+Subject: Only trust sizes of regular files
 
+Upstream-Author: Christos Zoulas <christos@zoulas.com>
 
+Date: Tue Dec 9 02:46:38 2014 +0000
 
+Origin: FILE5_20-47-g68bd843
 
+Last-Update: 2015-01-05
 
+
 
+(prequisite for TEMP-0000000-B67840)
 
+
 
+diff --git a/src/readelf.c b/src/readelf.c
 
+index f6b6824..fd4a19f 100644
 
+--- a/src/readelf.c
 
++++ b/src/readelf.c
 
+@@ -62,6 +62,7 @@ private uint64_t getu64(int, uint64_t);
 
+ 
+ #define MAX_PHNUM	128
 
+ #define	MAX_SHNUM	32768
 
++#define SIZE_UNKNOWN	((off_t)-1)
 
+ 
+ private int
 
+ toomany(struct magic_set *ms, const char *name, uint16_t num)
 
+@@ -332,7 +333,7 @@ dophn_core(struct magic_set *ms, int clazz, int swap, int fd, off_t off,
 
+ 		}
 
+ 		off += size;
 
+ 
+-		if (xph_offset > fsize) {
 
++		if (fsize != SIZE_UNKNOWN && xph_offset > fsize) {
 
+ 			/* Perhaps warn here */
 
+ 			continue;
 
+ 		}
 
+@@ -963,7 +964,7 @@ doshn(struct magic_set *ms, int clazz, int swap, int fd, off_t off, int num,
 
+ 			stripped = 0;
 
+ 			break;
 
+ 		default:
 
+-			if (xsh_offset > fsize) {
 
++			if (fsize != SIZE_UNKNOWN && xsh_offset > fsize) {
 
+ 				/* Perhaps warn here */
 
+ 				continue;
 
+ 			}
 
+@@ -1148,7 +1149,7 @@ dophn_exec(struct magic_set *ms, int clazz, int swap, int fd, off_t off,
 
+ 			shared_libraries = " (uses shared libs)";
 
+ 			break;
 
+ 		default:
 
+-			if (xph_offset > fsize) {
 
++			if (fsize != SIZE_UNKNOWN && xph_offset > fsize) {
 
+ 				/* Maybe warn here? */
 
+ 				continue;
 
+ 			}
 
+@@ -1241,7 +1242,10 @@ file_tryelf(struct magic_set *ms, int fd, const unsigned char *buf,
 
+   		file_badread(ms);
 
+ 		return -1;
 
+ 	}
 
+-	fsize = st.st_size;
 
++	if (S_ISREG(st.st_mode))
 
++		fsize = st.st_size;
 
++	else
 
++		fsize = SIZE_UNKNOWN;
 
+ 
+ 	clazz = buf[EI_CLASS];
 
+

+ 34 - 0
debian/patches/TEMP-0000000-C482B4.59e6383.patch
View File 

@@ -0,0 +1,34 @@
 
+Subject: PR/398: Correctly truncate pascal strings (fixes out of bounds read of 1, 2, or 4 bytes)
 
+ID: TEMP-0000000-C482B4
 
+Upstream-Author: Christos Zoulas <christos@zoulas.com>
 
+Date: Tue Nov 11 17:48:23 2014 +0000
 
+Origin: FILE5_20-21-g59e6383
 
+Last-Update: 2015-01-05
 
+
 
+    PR/398: Correctly truncate pascal strings (fixes out of bounds read of 1, 2,
 
+    or 4 bytes).
 
+
 
+diff --git a/src/softmagic.c b/src/softmagic.c
 
+index 82603bf..72eae4b 100644
 
+--- a/src/softmagic.c
 
++++ b/src/softmagic.c
 
+@@ -803,14 +803,17 @@ mconvert(struct magic_set *ms, struct magic *m)
 
+ 		size_t sz = file_pstring_length_size(m);
 
+ 		char *ptr1 = p->s, *ptr2 = ptr1 + sz;
 
+ 		size_t len = file_pstring_get_length(m, ptr1);
 
+-		if (len >= sizeof(p->s)) {
 
++		sz = sizeof(p->s) - sz; /* maximum length of string */
 
++		if (len >= sz) {
 
+ 			/*
 
+ 			 * The size of the pascal string length (sz)
 
+ 			 * is 1, 2, or 4. We need at least 1 byte for NUL
 
+ 			 * termination, but we've already truncated the
 
+ 			 * string by p->s, so we need to deduct sz.
 
++			 * Because we can use one of the bytes of the length
 
++			 * after we shifted as NUL termination.
 
+ 			 */ 
+-			len = sizeof(p->s) - sz;
 
++			len = sz;
 
+ 		}
 
+ 		while (len--)
 
+ 			*ptr1++ = *ptr2++;

+ 48 - 0
debian/patches/TEMP-0000000-E110B2.65437ce.patch
View File 

@@ -0,0 +1,48 @@
 
+Subject: Limit string printing to 100 chars, and add flags I forgot in the previous commit
 
+ID: TEMP-0000000-E110B2
 
+Upstream-Author: Christos Zoulas <christos@zoulas.com>
 
+Date: Tue Dec 16 23:29:42 2014 +0000
 
+Origin: FILE5_21-13-g65437ce
 
+Last-Update: 2015-01-05
 
+
 
+    Limit string printing to 100 chars, and add flags I forgot in the previous
 
+    commit.
 
+
 
+diff --git a/src/readelf.c b/src/readelf.c
 
+index e1cf692..fb2febb 100644
 
+--- a/src/readelf.c
 
++++ b/src/readelf.c
 
+@@ -906,19 +906,23 @@ donote(struct magic_set *ms, void *vbuf, size_t offset, size_t size,
 
+ 	}
 
+ 
+ 	if (namesz == 7 && strcmp((char *)&nbuf[noff], "NetBSD") == 0) {
 
++		if (descsz > 100)
 
++			descsz = 100;
 
+ 		switch (xnh_type) {
 
+ 	    	case NT_NETBSD_VERSION:
 
+ 			return size;
 
+ 		case NT_NETBSD_MARCH:
 
+ 			if (*flags & FLAGS_DID_NETBSD_MARCH)
 
+ 				return size;
 
+-			if (file_printf(ms, ", compiled for: %.*s", (int)descsz,
 
+-			    (const char *)&nbuf[doff]) == -1)
 
++			*flags |= FLAGS_DID_NETBSD_MARCH;
 
++			if (file_printf(ms, ", compiled for: %.*s",
 
++			    (int)descsz, (const char *)&nbuf[doff]) == -1)
 
+ 				return size;
 
+ 			break;
 
+ 		case NT_NETBSD_CMODEL:
 
+ 			if (*flags & FLAGS_DID_NETBSD_CMODEL)
 
+ 				return size;
 
++			*flags |= FLAGS_DID_NETBSD_CMODEL;
 
+ 			if (file_printf(ms, ", compiler model: %.*s",
 
+ 			    (int)descsz, (const char *)&nbuf[doff]) == -1)
 
+ 				return size;
 
+@@ -926,6 +930,7 @@ donote(struct magic_set *ms, void *vbuf, size_t offset, size_t size,
 
+ 		default:
 
+ 			if (*flags & FLAGS_DID_NETBSD_UNKNOWN)
 
+ 				return size;
 
++			*flags |= FLAGS_DID_NETBSD_UNKNOWN;
 
+ 			if (file_printf(ms, ", note=%u", xnh_type) == -1)
 
+ 				return size;
 
+ 			break;

+ 23 - 0
debian/patches/series
View File 

@@ -15,3 +15,26 @@ CVE-2014-3487.patch
 
 CVE-2014-3538.patch
 
 CVE-2014-3587.patch
 
 CVE-2014-3710.patch
 
+
 
+CVE-2014-8117.1.0de3251.patch
 
+TEMP-0000000-B67840.1.d68a455.patch
 
+TEMP-0000000-B67840.2.9b5bdd7.patch
 
+TEMP-0000000-B67840.3.c8451af.patch
 
+CVE-2014-8117.2.c0c0032.patch
 
+TEMP-0000000-C482B4.59e6383.patch
 
+CVE-2014-8116.1.b4c0114.patch
 
+CVE-2014-8116.2.d7cdad0.patch
 
+CVE-2014-8117.3.6f737dd.patch
 
+TEMP-0000000-B67840.4.8a90571.patch
 
+CVE-2014-8117.4.90018fe.patch
 
+CVE-2014-8117.5.5063ca3.patch
 
+TEMP-0000000-B67840.5.6ce24f3.patch
 
+TEMP-0000000-B67840.6.0056ec3.patch
 
+TEMP-0000000-B67840.7.09e4162.patch
 
+TEMP-0000000-B67840.8.af444af.patch
 
+CVE-2014-8117.6.6bf4527.patch
 
+TEMP-0000000-B67840.9.68bd843.patch
 
+TEMP-0000000-B67840.10.dddd3cd.patch
 
+TEMP-0000000-B67840.11.445c8fb.patch
 
+TEMP-0000000-B67840.12.ce90e05.patch
 
+TEMP-0000000-E110B2.65437ce.patch