77 lines
2.1 KiB
Diff
77 lines
2.1 KiB
Diff
From 3a6f62e2b7a8929b2869a58864cb3e78b0583782 Mon Sep 17 00:00:00 2001
|
|
From: Christos Zoulas <christos@zoulas.com>
|
|
Date: Thu, 14 Feb 2019 00:25:59 +0000
|
|
Subject: [PATCH 143/185] Fix indirect offset overflow calculation (B. Watson)
|
|
|
|
---
|
|
src/softmagic.c | 24 +++++++++++++++++++++---
|
|
1 file changed, 20 insertions(+), 2 deletions(-)
|
|
|
|
diff --git a/src/softmagic.c b/src/softmagic.c
|
|
index 1612a56..7ecad2a 100644
|
|
--- a/src/softmagic.c
|
|
+++ b/src/softmagic.c
|
|
@@ -1528,39 +1528,57 @@ mget(struct magic_set *ms, struct magic *m, const struct buffer *b,
|
|
if (m->in_op & FILE_OPINDIRECT) {
|
|
const union VALUETYPE *q = CAST(const union VALUETYPE *,
|
|
((const void *)(s + offset + off)));
|
|
- if (OFFSET_OOB(nbytes, offset + off, sizeof(*q)))
|
|
- return 0;
|
|
switch (cvt_flip(m->in_type, flip)) {
|
|
case FILE_BYTE:
|
|
+ if (OFFSET_OOB(nbytes, offset + off, 1))
|
|
+ return 0;
|
|
off = SEXT(sgn,8,q->b);
|
|
break;
|
|
case FILE_SHORT:
|
|
+ if (OFFSET_OOB(nbytes, offset + off, 2))
|
|
+ return 0;
|
|
off = SEXT(sgn,16,q->h);
|
|
break;
|
|
case FILE_BESHORT:
|
|
+ if (OFFSET_OOB(nbytes, offset + off, 2))
|
|
+ return 0;
|
|
off = SEXT(sgn,16,BE16(q));
|
|
break;
|
|
case FILE_LESHORT:
|
|
+ if (OFFSET_OOB(nbytes, offset + off, 2))
|
|
+ return 0;
|
|
off = SEXT(sgn,16,LE16(q));
|
|
break;
|
|
case FILE_LONG:
|
|
+ if (OFFSET_OOB(nbytes, offset + off, 4))
|
|
+ return 0;
|
|
off = SEXT(sgn,32,q->l);
|
|
break;
|
|
case FILE_BELONG:
|
|
case FILE_BEID3:
|
|
+ if (OFFSET_OOB(nbytes, offset + off, 4))
|
|
+ return 0;
|
|
off = SEXT(sgn,32,BE32(q));
|
|
break;
|
|
case FILE_LEID3:
|
|
case FILE_LELONG:
|
|
+ if (OFFSET_OOB(nbytes, offset + off, 4))
|
|
+ return 0;
|
|
off = SEXT(sgn,32,LE32(q));
|
|
break;
|
|
case FILE_MELONG:
|
|
+ if (OFFSET_OOB(nbytes, offset + off, 4))
|
|
+ return 0;
|
|
off = SEXT(sgn,32,ME32(q));
|
|
break;
|
|
case FILE_BEQUAD:
|
|
+ if (OFFSET_OOB(nbytes, offset + off, 8))
|
|
+ return 0;
|
|
off = SEXT(sgn,64,BE64(q));
|
|
break;
|
|
case FILE_LEQUAD:
|
|
+ if (OFFSET_OOB(nbytes, offset + off, 8))
|
|
+ return 0;
|
|
off = SEXT(sgn,64,LE64(q));
|
|
break;
|
|
default:
|
|
--
|
|
1.8.3.1
|
|
|