|
 |
435ea7 |
From 59e63838913eee47f5c120a6c53d4565af638158 Mon Sep 17 00:00:00 2001
|
|
|
435ea7 |
From: Christos Zoulas <christos@zoulas.com>
|
|
|
435ea7 |
Date: Tue, 11 Nov 2014 17:48:23 +0000
|
|
|
435ea7 |
Subject: [PATCH] PR/398: Correctly truncate pascal strings (fixes out of
|
|
|
435ea7 |
bounds read of 1, 2, or 4 bytes).
|
|
|
435ea7 |
|
|
|
435ea7 |
---
|
|
|
435ea7 |
src/softmagic.c | 9 ++++++---
|
|
|
435ea7 |
1 file changed, 6 insertions(+), 3 deletions(-)
|
|
|
435ea7 |
|
|
|
435ea7 |
diff --git a/src/softmagic.c b/src/softmagic.c
|
|
|
435ea7 |
index dbb670a..2b15f2c 100644
|
|
|
435ea7 |
--- a/src/softmagic.c
|
|
|
435ea7 |
+++ b/src/softmagic.c
|
|
|
435ea7 |
@@ -822,14 +822,17 @@ mconvert(struct magic_set *ms, struct magic *m)
|
|
|
435ea7 |
size_t sz = file_pstring_length_size(m);
|
|
|
435ea7 |
char *ptr1 = p->s, *ptr2 = ptr1 + sz;
|
|
|
435ea7 |
size_t len = file_pstring_get_length(m, ptr1);
|
|
|
435ea7 |
- if (len >= sizeof(p->s)) {
|
|
|
435ea7 |
+ sz = sizeof(p->s) - sz; /* maximum length of string */
|
|
|
435ea7 |
+ if (len >= sz) {
|
|
|
435ea7 |
/*
|
|
|
435ea7 |
* The size of the pascal string length (sz)
|
|
|
435ea7 |
* is 1, 2, or 4. We need at least 1 byte for NUL
|
|
|
435ea7 |
* termination, but we've already truncated the
|
|
|
435ea7 |
* string by p->s, so we need to deduct sz.
|
|
|
435ea7 |
+ * Because we can use one of the bytes of the length
|
|
|
435ea7 |
+ * after we shifted as NUL termination.
|
|
|
435ea7 |
*/
|
|
|
435ea7 |
- len = sizeof(p->s) - sz;
|
|
|
435ea7 |
+ len = sz;
|
|
|
435ea7 |
}
|
|
|
435ea7 |
while (len--)
|
|
|
435ea7 |
*ptr1++ = *ptr2++;
|