git Service of IN-Ulm e.V. Explore Help
Sign In
cbiedl
/
file
1
0
Fork 0
Files Pull Requests 0 Wiki
Tree: 678af6b135
Branches Tags
file
/
debian
/
patches
/
cherry-pick.FILE5_35-53-gd6578152.pr-62-spinpx-limit-size-of-file-printable.patch

cherry-pick.FILE5_35-53-gd6578152.pr-62-spinpx-limit-size-of-file-printable.patch 3.2 KB
History Raw

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100 
  1. Subject: PR/62: spinpx: limit size of file_printable
    2. 

  2. ID: CVE-2019-8905 CVE-2019-8907
    3. 

  3. Origin: FILE5_35-53-gd6578152 <https://github.com/file/file/commit/FILE5_35-53-gd6578152>
    4. 

  4. Upstream-Author: Christos Zoulas <christos@zoulas.com>
    5. 

  5. Date: Mon Feb 18 17:46:56 2019 +0000
    6. 

  6. Bug-Debian: https://bugs.debian.org/922968
    7. 

  7. 

  8. --- a/src/file.h
    9. 

  9. +++ b/src/file.h
    10. 

  10. @@ -506,7 +506,7 @@
    11. 

  11.      size_t *);
    12. 

  12.  protected size_t file_pstring_length_size(const struct magic *);
    13. 

  13.  protected size_t file_pstring_get_length(const struct magic *, const char *);
    14. 

  14. -protected char * file_printable(char *, size_t, const char *);
    15. 

  15. +protected char * file_printable(char *, size_t, const char *, size_t);
    16. 

  16.  #ifdef __EMX__
    17. 

  17.  protected int file_os2_apptype(struct magic_set *, const char *, const void *,
    18. 

  18.      size_t);
    19. 

  19. --- a/src/funcs.c
    20. 

  20. +++ b/src/funcs.c
    21. 

  21. @@ -623,12 +623,13 @@
    22. 

  22.   * convert string to ascii printable format.
    23. 

  23.   */
    24. 

  24.  protected char *
    25. 

  25. -file_printable(char *buf, size_t bufsiz, const char *str)
    26. 

  26. +file_printable(char *buf, size_t bufsiz, const char *str, size_t slen)
    27. 

  27.  {
    28. 

  28. -	char *ptr, *eptr;
    29. 

  29. +	char *ptr, *eptr = buf + bufsiz - 1;
    30. 

  30.  	const unsigned char *s = (const unsigned char *)str;
    31. 

  31. +	const unsigned char *es = s + slen;
    32. 

  32.  
    33. 

  33. -	for (ptr = buf, eptr = ptr + bufsiz - 1; ptr < eptr && *s; s++) {
    34. 

  34. +	for (ptr = buf;  ptr < eptr && s < es && *s; s++) {
    35. 

  35.  		if (isprint(*s)) {
    36. 

  36.  			*ptr++ = *s;
    37. 

  37.  			continue;
    38. 

  38. --- a/src/readelf.c
    39. 

  39. +++ b/src/readelf.c
    40. 

  40. @@ -757,7 +757,7 @@
    41. 

  41.  			if (file_printf(ms, ", from '%.31s', pid=%u, uid=%u, "
    42. 

  42.  			    "gid=%u, nlwps=%u, lwp=%u (signal %u/code %u)",
    43. 

  43.  			    file_printable(sbuf, sizeof(sbuf),
    44. 

  44. -			    RCAST(char *, pi.cpi_name)),
    45. 

  45. +			    RCAST(char *, pi.cpi_name), sizeof(pi.cpi_name)),
    46. 

  46.  			    elf_getu32(swap, (uint32_t)pi.cpi_pid),
    47. 

  47.  			    elf_getu32(swap, pi.cpi_euid),
    48. 

  48.  			    elf_getu32(swap, pi.cpi_egid),
    49. 

  49. @@ -1697,7 +1697,8 @@
    50. 

  50.  		return -1;
    51. 

  51.  	if (interp[0])
    52. 

  52.  		if (file_printf(ms, ", interpreter %s",
    53. 

  53. -		    file_printable(ibuf, sizeof(ibuf), interp)) == -1)
    54. 

  54. +		    file_printable(ibuf, sizeof(ibuf), interp, sizeof(interp)))
    55. 

  55. +			== -1)
    56. 

  56.  			return -1;
    57. 

  57.  	return 0;
    58. 

  58.  }
    59. 

  59. --- a/src/softmagic.c
    60. 

  60. +++ b/src/softmagic.c
    61. 

  61. @@ -634,8 +634,8 @@
    62. 

  62.    	case FILE_LESTRING16:
    63. 

  63.  		if (m->reln == '=' || m->reln == '!') {
    64. 

  64.  			if (file_printf(ms, F(ms, desc, "%s"),
    65. 

  65. -			    file_printable(sbuf, sizeof(sbuf), m->value.s))
    66. 

  66. -			    == -1)
    67. 

  67. +			    file_printable(sbuf, sizeof(sbuf), m->value.s,
    68. 

  68. +			    sizeof(m->value.s))) == -1)
    69. 

  69.  				return -1;
    70. 

  70.  			t = ms->offset + m->vallen;
    71. 

  71.  		}
    72. 

  72. @@ -662,7 +662,8 @@
    73. 

  73.  			}
    74. 

  74.  
    75. 

  75.  			if (file_printf(ms, F(ms, desc, "%s"),
    76. 

  76. -			    file_printable(sbuf, sizeof(sbuf), str)) == -1)
    77. 

  77. +			    file_printable(sbuf, sizeof(sbuf), str,
    78. 

  78. +				sizeof(p->s) - (str - p->s))) == -1)
    79. 

  79.  				return -1;
    80. 

  80.  
    81. 

  81.  			if (m->type == FILE_PSTRING)
    82. 

  82. @@ -768,7 +769,7 @@
    83. 

  83.  			return -1;
    84. 

  84.  		}
    85. 

  85.  		rval = file_printf(ms, F(ms, desc, "%s"),
    86. 

  86. -		    file_printable(sbuf, sizeof(sbuf), cp));
    87. 

  87. +		    file_printable(sbuf, sizeof(sbuf), cp, ms->search.rm_len));
    88. 

  88.  		free(cp);
    89. 

  89.  
    90. 

  90.  		if (rval == -1)
    91. 

  91. @@ -795,7 +796,8 @@
    92. 

  92.  		break;
    93. 

  93.  	case FILE_DER:
    94. 

  94.  		if (file_printf(ms, F(ms, desc, "%s"),
    95. 

  95. -		    file_printable(sbuf, sizeof(sbuf), ms->ms_value.s)) == -1)
    96. 

  96. +		    file_printable(sbuf, sizeof(sbuf), ms->ms_value.s,
    97. 

  97. +			sizeof(ms->ms_value.s))) == -1)
    98. 

  98.  			return -1;
    99. 

  99.  		t = ms->offset;
    100. 

  100.  		break;
    101.