From 1803228597e82218a8c105e67975bc50e6f5bf0d Mon Sep 17 00:00:00 2001
From: Remi Collet <remi@php.net>
Date: Wed, 22 Oct 2014 15:37:04 +0200
Subject: [PATCH] Fix bug #68283: fileinfo: out-of-bounds read in elf note
headers
Upstream commit
https://github.com/file/file/commit/39c7ac1106be844a5296d3eb5971946cc09ffda0
CVE -2014-3710
---
ext/fileinfo/libmagic/readelf.c | 7 +++++++
1 file changed, 7 insertions(+)
diff --git a/ext/fileinfo/libmagic/readelf.c b/ext/fileinfo/libmagic/readelf.c
index 1c3845f..bb6f70f 100644
--- a/src/readelf.c
+++ b/src/readelf.c
@@ -366,6 +366,13 @@ donote(struct magic_set *ms, void *vbuf, size_t offset, size_t size,
uint32_t namesz, descsz;
unsigned char *nbuf = CAST(unsigned char *, vbuf);
+ if (xnh_sizeof + offset > size) {
+ /*
+ * We're out of note headers.
+ */
+ return xnh_sizeof + offset;
+ }
+
(void)memcpy(xnh_addr, &nbuf[offset], xnh_sizeof);
offset += xnh_sizeof;
--
2.1.0