Blob Blame History Raw
From 1803228597e82218a8c105e67975bc50e6f5bf0d Mon Sep 17 00:00:00 2001
From: Remi Collet <remi@php.net>
Date: Wed, 22 Oct 2014 15:37:04 +0200
Subject: [PATCH] Fix bug #68283: fileinfo: out-of-bounds read in elf note
 headers

Upstream commit
https://github.com/file/file/commit/39c7ac1106be844a5296d3eb5971946cc09ffda0

CVE -2014-3710
---
 ext/fileinfo/libmagic/readelf.c | 7 +++++++
 1 file changed, 7 insertions(+)

diff --git a/ext/fileinfo/libmagic/readelf.c b/ext/fileinfo/libmagic/readelf.c
index 1c3845f..bb6f70f 100644
--- a/ext/fileinfo/libmagic/readelf.c
+++ b/ext/fileinfo/libmagic/readelf.c
@@ -372,6 +372,13 @@ donote(struct magic_set *ms, void *vbuf, size_t offset, size_t size,
 	uint32_t namesz, descsz;
 	unsigned char *nbuf = CAST(unsigned char *, vbuf);
 
+	if (xnh_sizeof + offset > size) {
+		/*
+		 * We're out of note headers.
+		 */
+		return xnh_sizeof + offset;
+	}
+
 	(void)memcpy(xnh_addr, &nbuf[offset], xnh_sizeof);
 	offset += xnh_sizeof;
 
-- 
2.1.0