
Commit 4475585

PR/313: Aaron Reffett: Check properly for exceeding the offset.
1 parent f40883f commit 4475585

1 file changed

+18
-17
lines changed


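--- a/src/softmagic.c
+++ b/src/softmagic.c
@@ -32,7 +32,7 @@
 #include "file.h"
 
 #ifndef lint
-FILE_RCSID("@(#)$File: softmagic.c,v 1.170 2014/01/06 02:25:32 christos Exp $")
+FILE_RCSID("@(#)$File: softmagic.c,v 1.171 2014/01/08 22:02:06 christos Exp $")
 #endif /* lint */
 
 #include "magic.h"
@@ -71,6 +71,7 @@ private void cvt_16(union VALUETYPE *, const struct magic *);
 private void cvt_32(union VALUETYPE *, const struct magic *);
 private void cvt_64(union VALUETYPE *, const struct magic *);
 
+#define OFFSET_OOB(n, o, i) ((n) < (o) || (i) >= ((n) - (o)))
 /*
 * softmagic - lookup one file in parsed, in-memory copy of database
 * Passed the name and FILE * of one file to be typed.
@@ -1223,7 +1224,7 @@ mget(struct magic_set *ms, const unsigned char *s, struct magic *m,
 }
 switch (in_type = cvt_flip(m->in_type, flip)) {
 case FILE_BYTE:
-if (nbytes < offset || nbytes < (offset + 1))
+if (OFFSET_OOB(nbytes, offset, 1))
 return 0;
 if (off) {
 switch (m->in_op & FILE_OPS_MASK) {
@@ -1258,7 +1259,7 @@ mget(struct magic_set *ms, const unsigned char *s, struct magic *m,
 offset = ~offset;
 break;
 case FILE_BESHORT:
-if (nbytes < offset || nbytes < (offset + 2))
+if (OFFSET_OOB(nbytes, offset, 2))
 return 0;
 if (off) {
 switch (m->in_op & FILE_OPS_MASK) {
@@ -1310,7 +1311,7 @@ mget(struct magic_set *ms, const unsigned char *s, struct magic *m,
 offset = ~offset;
 break;
 case FILE_LESHORT:
-if (nbytes < offset || nbytes < (offset + 2))
+if (OFFSET_OOB(nbytes, offset, 2))
 return 0;
 if (off) {
 switch (m->in_op & FILE_OPS_MASK) {
@@ -1362,7 +1363,7 @@ mget(struct magic_set *ms, const unsigned char *s, struct magic *m,
 offset = ~offset;
 break;
 case FILE_SHORT:
-if (nbytes < offset || nbytes < (offset + 2))
+if (OFFSET_OOB(nbytes, offset, 2))
 return 0;
 if (off) {
 switch (m->in_op & FILE_OPS_MASK) {
@@ -1399,7 +1400,7 @@ mget(struct magic_set *ms, const unsigned char *s, struct magic *m,
 break;
 case FILE_BELONG:
 case FILE_BEID3:
-if (nbytes < offset || nbytes < (offset + 4))
+if (OFFSET_OOB(nbytes, offset, 4))
 return 0;
 if (off) {
 switch (m->in_op & FILE_OPS_MASK) {
@@ -1470,7 +1471,7 @@ mget(struct magic_set *ms, const unsigned char *s, struct magic *m,
 break;
 case FILE_LELONG:
 case FILE_LEID3:
-if (nbytes < offset || nbytes < (offset + 4))
+if (OFFSET_OOB(nbytes, offset, 4))
 return 0;
 if (off) {
 switch (m->in_op & FILE_OPS_MASK) {
@@ -1540,7 +1541,7 @@ mget(struct magic_set *ms, const unsigned char *s, struct magic *m,
 offset = ~offset;
 break;
 case FILE_MELONG:
-if (nbytes < offset || nbytes < (offset + 4))
+if (OFFSET_OOB(nbytes, offset, 4))
 return 0;
 if (off) {
 switch (m->in_op & FILE_OPS_MASK) {
@@ -1610,7 +1611,7 @@ mget(struct magic_set *ms, const unsigned char *s, struct magic *m,
 offset = ~offset;
 break;
 case FILE_LONG:
-if (nbytes < offset || nbytes < (offset + 4))
+if (OFFSET_OOB(nbytes, offset, 4))
 return 0;
 if (off) {
 switch (m->in_op & FILE_OPS_MASK) {
@@ -1687,14 +1688,14 @@ mget(struct magic_set *ms, const unsigned char *s, struct magic *m,
 /* Verify we have enough data to match magic type */
 switch (m->type) {
 case FILE_BYTE:
-if (nbytes < (offset + 1)) /* should alway be true */
+if (OFFSET_OOB(nbytes, offset, 1))
 return 0;
 break;
 
 case FILE_SHORT:
 case FILE_BESHORT:
 case FILE_LESHORT:
-if (nbytes < (offset + 2))
+if (OFFSET_OOB(nbytes, offset, 2))
 return 0;
 break;
 
@@ -1713,31 +1714,31 @@ mget(struct magic_set *ms, const unsigned char *s, struct magic *m,
 case FILE_FLOAT:
 case FILE_BEFLOAT:
 case FILE_LEFLOAT:
-if (nbytes < (offset + 4))
+if (OFFSET_OOB(nbytes, offset, 4))
 return 0;
 break;
 
 case FILE_DOUBLE:
 case FILE_BEDOUBLE:
 case FILE_LEDOUBLE:
-if (nbytes < (offset + 8))
+if (OFFSET_OOB(nbytes, offset, 8))
 return 0;
 break;
 
 case FILE_STRING:
 case FILE_PSTRING:
 case FILE_SEARCH:
-if (nbytes < (offset + m->vallen))
+if (OFFSET_OOB(nbytes, offset, m->vallen))
 return 0;
 break;
 
 case FILE_REGEX:
-if (nbytes < offset)
+if (OFFSET_OOB(nbytes, offset, 0))
 return 0;
 break;
 
 case FILE_INDIRECT:
-if (nbytes < offset)
+if (OFFSET_OOB(nbytes, offset, 0))
 return 0;
 sbuf = ms->o.buf;
 soffset = ms->offset;
@@ -1761,7 +1762,7 @@ mget(struct magic_set *ms, const unsigned char *s, struct magic *m,
 return rv;
 
 case FILE_USE:
-if (nbytes < offset)
+if (OFFSET_OOB(nbytes, offset, 0))
 return 0;
 sbuf = m->value.s;
 if (*sbuf == '^') {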
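Review bot: The new OFFSET_OOB macro in the second hunk is off by one: with `(i) >= ((n) - (o))` a field that ends exactly at the end of the buffer is rejected, so for FILE_BYTE nbytes == offset + 1 now returns 0 where the replaced `nbytes < (offset + 1)` check accepted it, and the same applies to every converted site in the later hunks (the FILE_REGEX, FILE_INDIRECT and FILE_USE calls with i == 0 now also reject offset == nbytes, which the old `nbytes < offset` allowed). Keeping the subtraction form, which is what avoids the overflow in `offset + i` that this commit is addressing, the comparison should be `#define OFFSET_OOB(n, o, i) ((n) < (o) || (i) > ((n) - (o)))`. The types of `nbytes`, `offset` and `m->vallen` are declared outside the shown hunks; if any of them is signed, `(n) - (o)` is compared against a mixed-sign operand and a one-line comment on the macro stating that all three arguments are expected to be unsigned would make the intent checkable. mget() begins and ends outside the hunks shown here.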
