Hello!

This patch fixes CVE-2014-3710 for the file(1) tool.
Almost the same patch has already been applied upstream to devel/libmagic:
https://github.com/file/file/commit/39c7ac1106be844a5296d3eb5971946cc09ffda0

Greetings,
Matthias

--- usr.bin/file/readelf.c      Wed Oct 28 00:59:38 2009
+++ usr.bin/file/readelf.c      Tue Nov  4 16:03:33 2014
@@ -359,6 +359,13 @@ donote(struct magic_set *ms, unsigned char *nbuf, size
 #endif
        uint32_t namesz, descsz;
 
+       if (xnh_sizeof + offset > size) {
+               /*
+                * We're out of note headers.
+                */
+               return xnh_sizeof + offset;
+       }
+
        (void)memcpy(xnh_addr, &nbuf[offset], xnh_sizeof);
        offset += xnh_sizeof;
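Review bot: The added guard returns `xnh_sizeof + offset`, a value that is by construction larger than `size`, and the comment does not say that the caller is expected to treat an out-of-range offset as "stop iterating"; a reader of `donote` alone cannot tell whether returning a value past the buffer end is a bug or the intended end-of-notes signal. Suggest extending the comment to `/* Out of note headers: return an offset past size so the caller's note loop terminates. */` so the contract is explicit. The check itself only bounds the note header; the `namesz`/`descsz` fields read from the copied header are presumably validated against `size` further down, but that code is outside the hunk and should be confirmed, since the header being in range does not imply the name and descriptor data are. The body of `donote` starts before this hunk and continues after it.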
