Blame SOURCES/file-5.11-CVE-2014-3710.patch
|
|
89be67 |
From 1803228597e82218a8c105e67975bc50e6f5bf0d Mon Sep 17 00:00:00 2001
|
|
|
89be67 |
From: Remi Collet <remi@php.net>
|
|
|
89be67 |
Date: Wed, 22 Oct 2014 15:37:04 +0200
|
|
|
89be67 |
Subject: [PATCH] Fix bug #68283: fileinfo: out-of-bounds read in elf note
|
|
|
89be67 |
headers
|
|
|
89be67 |
|
|
|
89be67 |
Upstream commit
|
|
|
89be67 |
https://github.com/file/file/commit/39c7ac1106be844a5296d3eb5971946cc09ffda0
|
|
|
89be67 |
|
|
|
89be67 |
CVE -2014-3710
|
|
|
89be67 |
---
|
|
|
89be67 |
ext/fileinfo/libmagic/readelf.c | 7 +++++++
|
|
|
89be67 |
1 file changed, 7 insertions(+)
|
|
|
89be67 |
|
|
|
89be67 |
diff --git a/ext/fileinfo/libmagic/readelf.c b/ext/fileinfo/libmagic/readelf.c
|
|
|
89be67 |
index 1c3845f..bb6f70f 100644
|
|
|
89be67 |
--- a/src/readelf.c
|
|
|
89be67 |
+++ b/src/readelf.c
|
|
|
89be67 |
@@ -366,6 +366,13 @@ donote(struct magic_set *ms, void *vbuf, size_t offset, size_t size,
|
|
|
89be67 |
uint32_t namesz, descsz;
|
|
|
89be67 |
unsigned char *nbuf = CAST(unsigned char *, vbuf);
|
|
|
89be67 |
|
|
|
89be67 |
+ if (xnh_sizeof + offset > size) {
|
|
|
89be67 |
+ /*
|
|
|
89be67 |
+ * We're out of note headers.
|
|
|
89be67 |
+ */
|
|
|
89be67 |
+ return xnh_sizeof + offset;
|
|
|
89be67 |
+ }
|
|
|
89be67 |
+
|
|
|
89be67 |
(void)memcpy(xnh_addr, &nbuf[offset], xnh_sizeof);
|
|
|
89be67 |
offset += xnh_sizeof;
|
|
|
89be67 |
|
|
|
89be67 |
--
|
|
|
89be67 |
2.1.0
|
|
|
89be67 |
|