git Service of IN-Ulm e.V. Explore Help
Sign In
cbiedl
/
file
1
0
Fork 0
Files Pull Requests 0 Wiki
Tree: 16ec0f902e
Branches Tags
file
/
debian
/
patches
/
CVE-2014-8117.3.6f737dd.patch

CVE-2014-8117.3.6f737dd.patch 3.2 KB
History Raw

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141 
  1. Subject: Reduce recursion level from 20 to 10 and make a symbolic constant for it. (...)
    2. 

  2. ID: CVE-2014-8117
    3. 

  3. Upstream-Author: Christos Zoulas <christos@zoulas.com>
    4. 

  4. Date: Sun Nov 23 13:54:27 2014 +0000
    5. 

  5. Origin: FILE5_20-29-g6f737dd
    6. 

  6. Last-Update: 2015-01-09
    7. 

  7. 

  8.     - reduce recursion level from 20 to 10 and make a symbolic constant for it.
    9. 

  9.     - pull out the guts of saving and restoring the output buffer into functions
    10. 

  10.       and take care not to overwrite the error message if an error happened.
    11. 

  11. 

  12. --- a/src/file.h
    13. 

  13. +++ b/src/file.h
    14. 

  14. @@ -422,6 +422,14 @@
    15. 

  15.  #endif /* __EMX__ */
    16. 

  16.  
    17. 

  17.  
    18. 

  18. +typedef struct {
    19. 

  19. +	char *buf;
    20. 

  20. +	uint32_t offset;
    21. 

  21. +} file_pushbuf_t;
    22. 

  22. +
    23. 

  23. +protected file_pushbuf_t *file_push_buffer(struct magic_set *);
    24. 

  24. +protected char  *file_pop_buffer(struct magic_set *, file_pushbuf_t *);
    25. 

  25. +
    26. 

  26.  #ifndef COMPILE_ONLY
    27. 

  27.  extern const char *file_names[];
    28. 

  28.  extern const size_t file_nnames;
    29. 

  29. --- a/src/funcs.c
    30. 

  30. +++ b/src/funcs.c
    31. 

  31. @@ -424,3 +424,43 @@
    32. 

  32.  #endif /* ENABLE_CONDITIONALS */
    33. 

  33.  	return 0;
    34. 

  34.  }
    35. 

  35. +
    36. 

  36. +protected file_pushbuf_t *
    37. 

  37. +file_push_buffer(struct magic_set *ms)
    38. 

  38. +{
    39. 

  39. +	file_pushbuf_t *pb;
    40. 

  40. +
    41. 

  41. +	if (ms->event_flags & EVENT_HAD_ERR)
    42. 

  42. +		return NULL;
    43. 

  43. +
    44. 

  44. +	if ((pb = (CAST(file_pushbuf_t *, malloc(sizeof(*pb))))) == NULL)
    45. 

  45. +		return NULL;
    46. 

  46. +
    47. 

  47. +	pb->buf = ms->o.buf;
    48. 

  48. +	pb->offset = ms->offset;
    49. 

  49. +
    50. 

  50. +	ms->o.buf = NULL;
    51. 

  51. +	ms->offset = 0;
    52. 

  52. +
    53. 

  53. +	return pb;
    54. 

  54. +}
    55. 

  55. +
    56. 

  56. +protected char *
    57. 

  57. +file_pop_buffer(struct magic_set *ms, file_pushbuf_t *pb)
    58. 

  58. +{
    59. 

  59. +	char *rbuf;
    60. 

  60. +
    61. 

  61. +	if (ms->event_flags & EVENT_HAD_ERR) {
    62. 

  62. +		free(pb->buf);
    63. 

  63. +		free(pb);
    64. 

  64. +		return NULL;
    65. 

  65. +	}
    66. 

  66. +
    67. 

  67. +	rbuf = ms->o.buf;
    68. 

  68. +
    69. 

  69. +	ms->o.buf = pb->buf;
    70. 

  70. +	ms->offset = pb->offset;
    71. 

  71. +
    72. 

  72. +	free(pb);
    73. 

  73. +	return rbuf;
    74. 

  74. +}
    75. 

  75. --- a/src/softmagic.c
    76. 

  76. +++ b/src/softmagic.c
    77. 

  77. @@ -61,6 +61,9 @@
    78. 

  78.  private void cvt_64(union VALUETYPE *, const struct magic *);
    79. 

  79.  
    80. 

  80.  #define OFFSET_OOB(n, o, i)	((n) < (o) || (i) > ((n) - (o)))
    81. 

  81. +
    82. 

  82. +#define MAX_RECURSION_LEVEL	10
    83. 

  83. +
    84. 

  84.  /*
    85. 

  85.   * softmagic - lookup one file in parsed, in-memory copy of database
    86. 

  86.   * Passed the name and FILE * of one file to be typed.
    87. 

  87. @@ -1049,11 +1052,12 @@
    88. 

  88.      struct magic *m, size_t nbytes, unsigned int cont_level, int recursion_level)
    89. 

  89.  {
    90. 

  90.  	uint32_t offset = ms->offset;
    91. 

  91. +	file_pushbuf_t *pb;
    92. 

  92.  	int rv;
    93. 

  93. -	char *sbuf, *rbuf;
    94. 

  94. +	char *rbuf;
    95. 

  95.  	union VALUETYPE *p = &ms->ms_value;
    96. 

  96.  
    97. 

  97. -        if (recursion_level >= 20) {
    98. 

  98. +	if (recursion_level >= MAX_RECURSION_LEVEL) {
    99. 

  99.                  file_error(ms, 0, "recursion nesting exceeded");
    100. 

  100.                  return -1;
    101. 

  101.          }
    102. 

  102. @@ -1614,17 +1618,23 @@
    103. 

  103.  	case FILE_INDIRECT:
    104. 

  104.  		if (offset == 0)
    105. 

  105.  			return 0;
    106. 

  106. +
    107. 

  107.  		if (nbytes < offset)
    108. 

  108.  			return 0;
    109. 

  109. -		sbuf = ms->o.buf;
    110. 

  110. -		ms->o.buf = NULL;
    111. 

  111. +
    112. 

  112. +		if ((pb = file_push_buffer(ms)) == NULL)
    113. 

  113. +			return -1;
    114. 

  114. +
    115. 

  115.  		rv = file_softmagic(ms, s + offset, nbytes - offset,
    116. 

  116.  		    recursion_level, BINTEST);
    117. 

  117.  		if ((ms->flags & MAGIC_DEBUG) != 0)
    118. 

  118.  			fprintf(stderr, "indirect @offs=%u[%d]\n", offset, rv);
    119. 

  119. +
    120. 

  120. +		rbuf = file_pop_buffer(ms, pb);
    121. 

  121. +		if (rbuf == NULL)
    122. 

  122. +			return -1;
    123. 

  123. +
    124. 

  124.  		if (rv == 1) {
    125. 

  125. -			rbuf = ms->o.buf;
    126. 

  126. -			ms->o.buf = sbuf;
    127. 

  127.  			if ((ms->flags & (MAGIC_MIME|MAGIC_APPLE)) == 0 &&
    128. 

  128.  			    file_printf(ms, m->desc, offset) == -1) {
    129. 

  129.  				free(rbuf);
    130. 

  130. @@ -1634,9 +1644,8 @@
    131. 

  131.  				free(rbuf);
    132. 

  132.  				return -1;
    133. 

  133.  			}
    134. 

  134. -			free(rbuf);
    135. 

  135. -		} else
    136. 

  136. -			ms->o.buf = sbuf;
    137. 

  137. +		}
    138. 

  138. +		free(rbuf);
    139. 

  139.  		return rv;
    140. 

  140.  
    141. 

  141.  	case FILE_DEFAULT:	/* nothing to check */
    142.