| 123456789101112131415161718192021222324252627 |
- From: Markus Koschany <apo@debian.org>
- Date: Sat, 7 May 2016 15:13:04 +0200
- Subject: CVE-2015-8865
- A malformed magic file can trigger a segmentation fault due to a buffer
- over-write in the file_check_mem function.
- Origin: https://bugs.php.net/bug.php?id=71527 (Original bug report)
- Origin: http://bugs.gw.com/view.php?id=522 (bug report for file)
- Origin: https://github.com/file/file/commit/6713ca45e7757297381f4b4cdb9cf5e624a9ad36 (patch)
- ---
- src/funcs.c | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
- diff --git a/src/funcs.c b/src/funcs.c
- index e7d2bb8..0ed90ef 100644
- --- a/src/funcs.c
- +++ b/src/funcs.c
- @@ -410,7 +410,7 @@ file_check_mem(struct magic_set *ms, unsigned int level)
- size_t len;
-
- if (level >= ms->c.len) {
- - len = (ms->c.len += 20) * sizeof(*ms->c.li);
- + len = (ms->c.len = 20 + level) * sizeof(*ms->c.li);
- ms->c.li = CAST(struct level_info *, (ms->c.li == NULL) ?
- malloc(len) :
- realloc(ms->c.li, len));
|
