|
 |
435ea7 |
From e77659a8c87272e5061738a31430d2111482c426 Mon Sep 17 00:00:00 2001
|
|
|
435ea7 |
From: Remi Collet <remi@php.net>
|
|
|
435ea7 |
Date: Tue, 10 Jun 2014 14:02:36 +0200
|
|
|
435ea7 |
Subject: [PATCH] Fixed Bug #67410 fileinfo: mconvert incorrect handling of
|
|
|
435ea7 |
truncated pascal string size
|
|
|
435ea7 |
|
|
|
435ea7 |
Upstream
|
|
|
435ea7 |
https://github.com/file/file/commit/27a14bc7ba285a0a5ebfdb55e54001aa11932b08
|
|
|
435ea7 |
---
|
|
|
435ea7 |
ext/fileinfo/libmagic/softmagic.c | 14 +++++++++++---
|
|
|
435ea7 |
1 file changed, 11 insertions(+), 3 deletions(-)
|
|
|
435ea7 |
|
|
|
435ea7 |
diff --git a/ext/fileinfo/libmagic/softmagic.c b/ext/fileinfo/libmagic/softmagic.c
|
|
|
435ea7 |
index 21fea6b..01e4977 100644
|
|
|
435ea7 |
--- a/src/softmagic.c
|
|
|
435ea7 |
+++ b/src/softmagic.c
|
|
|
435ea7 |
@@ -818,10 +818,18 @@ mconvert(struct magic_set *ms, struct magic *m)
|
|
|
435ea7 |
return 1;
|
|
|
435ea7 |
}
|
|
|
435ea7 |
case FILE_PSTRING: {
|
|
|
435ea7 |
- char *ptr1 = p->s, *ptr2 = ptr1 + file_pstring_length_size(m);
|
|
|
435ea7 |
+ size_t sz = file_pstring_length_size(m);
|
|
|
435ea7 |
+ char *ptr1 = p->s, *ptr2 = ptr1 + sz;
|
|
|
435ea7 |
size_t len = file_pstring_get_length(m, ptr1);
|
|
|
435ea7 |
- if (len >= sizeof(p->s))
|
|
|
435ea7 |
- len = sizeof(p->s) - 1;
|
|
|
435ea7 |
+ if (len >= sizeof(p->s)) {
|
|
|
435ea7 |
+ /*
|
|
|
435ea7 |
+ * The size of the pascal string length (sz)
|
|
|
435ea7 |
+ * is 1, 2, or 4. We need at least 1 byte for NUL
|
|
|
435ea7 |
+ * termination, but we've already truncated the
|
|
|
435ea7 |
+ * string by p->s, so we need to deduct sz.
|
|
|
435ea7 |
+ */
|
|
|
435ea7 |
+ len = sizeof(p->s) - sz;
|
|
|
435ea7 |
+ }
|
|
|
435ea7 |
while (len--)
|
|
|
435ea7 |
*ptr1++ = *ptr2++;
|
|
|
435ea7 |
*ptr1 = '\0';
|
|
|
435ea7 |
--
|
|
|
435ea7 |
1.9.2
|
|
|
435ea7 |
|