git Service of IN-Ulm e.V. Explore Help
Sign In
cbiedl
/
file
1
0
Fork 0
Files Pull Requests 0 Wiki
Tree: squeeze/5.
Branches Tags
file
/
debian
/
patches
/
TEMP-0000000-C482B4.59e6383.patch

TEMP-0000000-C482B4.59e6383.patch 1.1 KB
Permalink History Raw

1234567891011121314151617181920212223242526272829303132 
  1. Subject: PR/398: Correctly truncate pascal strings (fixes out of bounds read of 1, 2, or 4 bytes)
    2. 

  2. ID: TEMP-0000000-C482B4
    3. 

  3. Upstream-Author: Christos Zoulas <christos@zoulas.com>
    4. 

  4. Date: Tue Nov 11 17:48:23 2014 +0000
    5. 

  5. Origin: FILE5_20-21-g59e6383
    6. 

  6. Last-Update: 2015-01-09
    7. 

  7. 

  8.     PR/398: Correctly truncate pascal strings (fixes out of bounds read of 1, 2,
    9. 

  9.     or 4 bytes).
    10. 

  10. 

  11. --- a/src/softmagic.c
    12. 

  12. +++ b/src/softmagic.c
    13. 

  13. @@ -803,14 +803,17 @@
    14. 

  14.  		size_t sz = file_pstring_length_size(m);
    15. 

  15.  		char *ptr1 = p->s, *ptr2 = ptr1 + sz;
    16. 

  16.  		size_t len = file_pstring_get_length(m, ptr1);
    17. 

  17. -		if (len >= sizeof(p->s)) {
    18. 

  18. +		sz = sizeof(p->s) - sz; /* maximum length of string */
    19. 

  19. +		if (len >= sz) {
    20. 

  20.  			/*
    21. 

  21.  			 * The size of the pascal string length (sz)
    22. 

  22.  			 * is 1, 2, or 4. We need at least 1 byte for NUL
    23. 

  23.  			 * termination, but we've already truncated the
    24. 

  24.  			 * string by p->s, so we need to deduct sz.
    25. 

  25. +			 * Because we can use one of the bytes of the length
    26. 

  26. +			 * after we shifted as NUL termination.
    27. 

  27.  			 */ 
    28. 

  28. -			len = sizeof(p->s) - sz;
    29. 

  29. +			len = sz;
    30. 

  30.  		}
    31. 

  31.  		while (len--)
    32. 

  32.  			*ptr1++ = *ptr2++;
    33.