cherry-pick.FILE5_35-49-g3a6f62e2.fix-indirect-offset-overflow-calculation-b.patch 1.9 KB

  1. Subject: Fix indirect offset overflow calculation (B. Watson)
  2. Origin: FILE5_35-49-g3a6f62e2 <https://github.com/file/file/commit/FILE5_35-49-g3a6f62e2>
  3. Upstream-Author: Christos Zoulas <christos@zoulas.com>
  4. Date: Thu Feb 14 00:25:59 2019 +0000
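--- a/src/softmagic.c
+++ b/src/softmagic.c
@@ -1528,39 +1528,57 @@
 if (m->in_op & FILE_OPINDIRECT) {
 const union VALUETYPE *q = CAST(const union VALUETYPE *,
 ((const void *)(s + offset + off)));
- if (OFFSET_OOB(nbytes, offset + off, sizeof(*q)))
- return 0;
 switch (cvt_flip(m->in_type, flip)) {
 case FILE_BYTE:
+ if (OFFSET_OOB(nbytes, offset + off, 1))
+ return 0;
 off = SEXT(sgn,8,q->b);
 break;
 case FILE_SHORT:
+ if (OFFSET_OOB(nbytes, offset + off, 2))
+ return 0;
 off = SEXT(sgn,16,q->h);
 break;
 case FILE_BESHORT:
+ if (OFFSET_OOB(nbytes, offset + off, 2))
+ return 0;
 off = SEXT(sgn,16,BE16(q));
 break;
 case FILE_LESHORT:
+ if (OFFSET_OOB(nbytes, offset + off, 2))
+ return 0;
 off = SEXT(sgn,16,LE16(q));
 break;
 case FILE_LONG:
+ if (OFFSET_OOB(nbytes, offset + off, 4))
+ return 0;
 off = SEXT(sgn,32,q->l);
 break;
 case FILE_BELONG:
 case FILE_BEID3:
+ if (OFFSET_OOB(nbytes, offset + off, 4))
+ return 0;
 off = SEXT(sgn,32,BE32(q));
 break;
 case FILE_LEID3:
 case FILE_LELONG:
+ if (OFFSET_OOB(nbytes, offset + off, 4))
+ return 0;
 off = SEXT(sgn,32,LE32(q));
 break;
 case FILE_MELONG:
+ if (OFFSET_OOB(nbytes, offset + off, 4))
+ return 0;
 off = SEXT(sgn,32,ME32(q));
 break;
 case FILE_BEQUAD:
+ if (OFFSET_OOB(nbytes, offset + off, 8))
+ return 0;
 off = SEXT(sgn,64,BE64(q));
 break;
 case FILE_LEQUAD:
+ if (OFFSET_OOB(nbytes, offset + off, 8))
+ return 0;
 off = SEXT(sgn,64,LE64(q));
 break;
 default: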
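Review bot: With the shared `OFFSET_OOB(nbytes, offset + off, sizeof(*q))` guard removed from above the switch, each case arm is now solely responsible for bounds-checking its own read. The widths are hand-written literals (1, 2, 4, 8) repeated in ten arms, and each must stay in step with the width passed to `SEXT` and the accessor used. Tying the size to the field actually read, e.g. `if (OFFSET_OOB(nbytes, offset + off, sizeof(q->h)))` in the FILE_SHORT arm, would help, as would a comment above the switch such as `/* q is not yet bounds-checked: every case that dereferences it must check its own read width first */`; together they make a missing or mismatched guard in a later-added case easier to spot. `q` is also still computed from `s + offset + off` before any check, so the pointer may already lie outside the buffer when it is formed, even though each dereference is guarded. The `default:` arm and the rest of the enclosing function are outside this hunk, so whether that arm touches `q` cannot be confirmed from here.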