Blame SOURCES/file-5.11-CVE-2014-3710.patch

89be67
From 1803228597e82218a8c105e67975bc50e6f5bf0d Mon Sep 17 00:00:00 2001
89be67
From: Remi Collet <remi@php.net>
89be67
Date: Wed, 22 Oct 2014 15:37:04 +0200
89be67
Subject: [PATCH] Fix bug #68283: fileinfo: out-of-bounds read in elf note
89be67
 headers
89be67
89be67
Upstream commit
89be67
https://github.com/file/file/commit/39c7ac1106be844a5296d3eb5971946cc09ffda0
89be67
89be67
CVE -2014-3710
89be67
---
89be67
 ext/fileinfo/libmagic/readelf.c | 7 +++++++
89be67
 1 file changed, 7 insertions(+)
89be67
89be67
diff --git a/ext/fileinfo/libmagic/readelf.c b/ext/fileinfo/libmagic/readelf.c
89be67
index 1c3845f..bb6f70f 100644
89be67
--- a/src/readelf.c
89be67
+++ b/src/readelf.c
89be67
@@ -366,6 +366,13 @@ donote(struct magic_set *ms, void *vbuf, size_t offset, size_t size,
89be67
 	uint32_t namesz, descsz;
89be67
 	unsigned char *nbuf = CAST(unsigned char *, vbuf);
89be67
 
89be67
+	if (xnh_sizeof + offset > size) {
89be67
+		/*
89be67
+		 * We're out of note headers.
89be67
+		 */
89be67
+		return xnh_sizeof + offset;
89be67
+	}
89be67
+
89be67
 	(void)memcpy(xnh_addr, &nbuf[offset], xnh_sizeof);
89be67
 	offset += xnh_sizeof;
89be67
 
89be67
-- 
89be67
2.1.0
89be67