rpms/file/FC-6 file-4.19-hower.patch,NONE,1.1 file.spec,1.56,1.57

fedora-cvs-commits at redhat.com fedora-cvs-commits at redhat.com
Fri Mar 30 09:01:41 UTC 2007


Author: mbacovsk

Update of /cvs/dist/rpms/file/FC-6
In directory cvs.devel.redhat.com:/tmp/cvs-serv23601

Modified Files:
	file.spec 
Added Files:
	file-4.19-hower.patch 
Log Message:
* Fri Mar 30 2007 Martin Bacovsky <mbacovsk at redhat.com> - 4.19-2
- Resolves: #233164: CVE-2007-1536 file 4.20 fixes a heap
  overflow that can result in arbitrary code execution


file-4.19-hower.patch:
 file.h  |    2 +-
 funcs.c |   44 ++++++++++++++++++++++++++------------------
 magic.c |    3 +--
 3 files changed, 28 insertions(+), 21 deletions(-)

--- NEW FILE file-4.19-hower.patch ---
--- file-4.19.orig/src/magic.c
+++ file-4.19/src/magic.c
@@ -94,7 +94,7 @@
 		goto free1;
 	}
 
-	ms->o.ptr = ms->o.buf = malloc(ms->o.size = 1024);
+	ms->o.ptr = ms->o.buf = malloc(ms->o.left = ms->o.size = 1024);
 	if (ms->o.buf == NULL)
 		goto free1;
 
@@ -106,7 +106,6 @@
 	if (ms->c.off == NULL)
 		goto free3;
 	
-	ms->o.len = 0;
 	ms->haderr = 0;
 	ms->error = -1;
 	ms->mlist = NULL;
only in patch2:
unchanged:
--- file-4.19.orig/src/file.h
+++ file-4.19/src/file.h
@@ -276,7 +276,7 @@
 	/* Accumulation buffer */
 	char *buf;
 	char *ptr;
-	size_t len;
+	size_t left;
 	size_t size;
 	/* Printable buffer */
 	char *pbuf;
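Review bot: The renamed field `left` carries no comment, and the struct's only annotation, `/* Accumulation buffer */`, does not say how `left`, `size` and `ptr` relate; from the magic.c and funcs.c hunks of this patch `left` is the number of free bytes from `ptr` to the end of `buf`, equal to `size` only while `ptr == buf`. I would annotate the field in place: `size_t left;	/* bytes free from ptr to buf + size */`. The struct definition starts and ends outside this hunk.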
only in patch2:
unchanged:
--- file-4.19.orig/src/funcs.c
+++ file-4.19/src/funcs.c
@@ -26,6 +26,7 @@
  */
 #include "file.h"
 #include "magic.h"
+#include <assert.h>
 #include <stdarg.h>
 #include <stdlib.h>
 #include <string.h>
@@ -52,28 +53,32 @@
 file_printf(struct magic_set *ms, const char *fmt, ...)
 {
 	va_list ap;
-	size_t len;
+	size_t len, size;
 	char *buf;
 
 	va_start(ap, fmt);
 
-	if ((len = vsnprintf(ms->o.ptr, ms->o.len, fmt, ap)) >= ms->o.len) {
+	if ((len = vsnprintf(ms->o.ptr, ms->o.left, fmt, ap)) >= ms->o.left) {
+		long diff;	/* XXX: really ptrdiff_t */
+
 		va_end(ap);
-		if ((buf = realloc(ms->o.buf, len + 1024)) == NULL) {
-			file_oomem(ms, len + 1024);
+		size = (ms->o.size - ms->o.left) + len + 1024;
+		if ((buf = realloc(ms->o.buf, size)) == NULL) {
+			file_oomem(ms, size);
 			return -1;
 		}
-		ms->o.ptr = buf + (ms->o.ptr - ms->o.buf);
+		diff = ms->o.ptr - ms->o.buf;
+		ms->o.ptr = buf + diff;
 		ms->o.buf = buf;
-		ms->o.len = ms->o.size - (ms->o.ptr - ms->o.buf);
-		ms->o.size = len + 1024;
+		ms->o.left = size - diff;
+		ms->o.size = size;
 
 		va_start(ap, fmt);
-		len = vsnprintf(ms->o.ptr, ms->o.len, fmt, ap);
+		len = vsnprintf(ms->o.ptr, ms->o.left, fmt, ap);
 	}
-	ms->o.ptr += len;
-	ms->o.len -= len;
 	va_end(ap);
+	ms->o.ptr += len;
+	ms->o.left -= len;
 	return 0;
 }
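Review bot: Both vsnprintf() calls in file_printf store an int return into the size_t `len`, so a negative return (an encoding error) becomes SIZE_MAX: on the first call `size = (ms->o.size - ms->o.left) + len + 1024` wraps to about `used + 1023`, and on the second call `ms->o.ptr += len` moves the pointer back one byte while `ms->o.left -= len` grows the free count by one, so the next `left`-bounded write trusts an overstated bound. In practice such failures are rare with these format strings, but the cost of the check is small: keep the return in an `int`, fail with -1 (the value the oomem path already returns, so callers handle it) and only then convert to `size_t`. The `long diff; /* XXX: really ptrdiff_t */` should simply be `ptrdiff_t diff;` from <stddef.h>, which the comment already admits. The rewrite below shows the two checks.
```c
	int rv;
	/* … unchanged: va_start … */
	rv = vsnprintf(ms->o.ptr, ms->o.left, fmt, ap);
	if (rv < 0) {
		va_end(ap);
		return -1;
	}
	len = (size_t)rv;
	if (len >= ms->o.left) {
		/* … unchanged: va_end, size computation, realloc, pointer fix-up, va_start … */
		rv = vsnprintf(ms->o.ptr, ms->o.left, fmt, ap);
		if (rv < 0) {
			va_end(ap);
			return -1;
		}
		len = (size_t)rv;
	}
	/* … unchanged: advance ptr and left, va_end, return 0 … */
```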
 
@@ -172,8 +177,8 @@
 protected const char *
 file_getbuffer(struct magic_set *ms)
 {
-	char *nbuf, *op, *np;
-	size_t nsize;
+	char *pbuf, *op, *np;
+	size_t psize, len;
 
 	if (ms->haderr)
 		return NULL;
@@ -181,14 +186,17 @@
 	if (ms->flags & MAGIC_RAW)
 		return ms->o.buf;
 
-	nsize = ms->o.len * 4 + 1;
-	if (ms->o.psize < nsize) {
-		if ((nbuf = realloc(ms->o.pbuf, nsize)) == NULL) {
-			file_oomem(ms, nsize);
+	len = ms->o.size - ms->o.left;
+	/* * 4 is for octal representation, + 1 is for NUL */
+	psize = len * 4 + 1;
+	assert(psize > len);
+	if (ms->o.psize < psize) {
+		if ((pbuf = realloc(ms->o.pbuf, psize)) == NULL) {
+			file_oomem(ms, psize);
 			return NULL;
 		}
-		ms->o.psize = nsize;
-		ms->o.pbuf = nbuf;
+		ms->o.psize = psize;
+		ms->o.pbuf = pbuf;
 	}
 
 #if defined(HAVE_WCHAR_H) && defined(HAVE_MBRTOWC) && defined(HAVE_WCWIDTH)
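Review bot: The new `assert(psize > len)` is meant to catch `len * 4 + 1` wrapping, but assert() is compiled out under NDEBUG, and a wrapped product can still satisfy `psize > len` for some large `len` (for instance `len` near 3·2^(w-3) on a w-bit size_t), so a release build would keep an undersized pbuf and the octal expansion that follows would overrun it. Check the bound at runtime before the multiply instead: `if (len > ((size_t)-1 - 1) / 4) { file_oomem(ms, len); return NULL; }`. Whether file_oomem is the intended way to record the error here I cannot confirm from this hunk; any path that sets the error state and returns NULL serves, and once the assert is gone the new `#include <assert.h>` can go too. file_getbuffer's body continues past the end of the hunk.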


Index: file.spec
===================================================================
RCS file: /cvs/dist/rpms/file/FC-6/file.spec,v
retrieving revision 1.56
retrieving revision 1.57
diff -u -r1.56 -r1.57
--- file.spec	26 Jan 2007 15:22:47 -0000	1.56
+++ file.spec	30 Mar 2007 09:01:38 -0000	1.57
@@ -3,7 +3,7 @@
 Summary: A utility for determining file types.
 Name: file
 Version: 4.19
-Release: 1%{dist}
+Release: 2%{dist}
 License: distributable
 Group: Applications/File
 Source0: ftp://ftp.astron.com/pub/file/file-%{version}.tar.gz
@@ -21,6 +21,7 @@
 Patch20: file-4.17-bash.patch
 Patch21: file-4.19-ELF.patch
 Patch22: file-4.19-ooffice.patch
+Patch23: file-4.19-hower.patch
 BuildRoot: %{_tmppath}/%{name}-%{version}-root
 BuildRequires: zlib-devel
 
@@ -48,6 +49,7 @@
 %patch20 -p1 -b .bash
 %patch21 -p1 -b .ELF
 %patch22 -p1 -b .ooffice
+%patch23 -p1 -b .hower
 
 iconv -f iso-8859-1 -t utf-8 < doc/libmagic.man > doc/libmagic.man_
 mv doc/libmagic.man_ doc/libmagic.man
@@ -93,7 +95,11 @@
 %{_libdir}/libmagic.*
 
 %changelog
-* Fri Jan 26 2007 Martin Bacovsky <mbacovsk at redhat.com> - 4.19-1.fc6
+* Fri Mar 30 2007 Martin Bacovsky <mbacovsk at redhat.com> - 4.19-2
+- Resolves: #233164: CVE-2007-1536 file 4.20 fixes a heap 
+  overflow in that can result in arbitrary code execution
+
+* Fri Jan 26 2007 Martin Bacovsky <mbacovsk at redhat.com> - 4.19-1
 - Resolves: #224334 - file does not recognize OpenOffice "native" formats
 - upgrade to new upstream 4.19
 - patch revision and cleaning



