
Commit 59e6383

committed
PR/398: Correctly truncate pascal strings (fixes out of bounds read of 1, 2,
or 4 bytes).
1 parent 35fea2f commit 59e6383


1 file changed

+6
-3
lines changed


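--- a/src/softmagic.c
+++ b/src/softmagic.c
@@ -32,7 +32,7 @@
 #include "file.h"
 
 #ifndef lint
-FILE_RCSID("@(#)$File: softmagic.c,v 1.195 2014/09/24 19:49:07 christos Exp $")
+FILE_RCSID("@(#)$File: softmagic.c,v 1.196 2014/11/07 15:24:14 christos Exp $")
 #endif /* lint */
 
 #include "magic.h"
@@ -964,14 +964,17 @@ mconvert(struct magic_set *ms, struct magic *m, int flip)
 size_t sz = file_pstring_length_size(m);
 char *ptr1 = p->s, *ptr2 = ptr1 + sz;
 size_t len = file_pstring_get_length(m, ptr1);
-if (len >= sizeof(p->s)) {
+sz = sizeof(p->s) - sz; /* maximum length of string */
+if (len >= sz) {
 /*
 * The size of the pascal string length (sz)
 * is 1, 2, or 4. We need at least 1 byte for NUL
 * termination, but we've already truncated the
 * string by p->s, so we need to deduct sz.
+* Because we can use one of the bytes of the length
+* after we shifted as NUL termination.
 */
-len = sizeof(p->s) - sz;
+len = sz;
 }
 while (len--)
 *ptr1++ = *ptr2++;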
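Review bot: Reusing `sz` for two different quantities in the second hunk makes the block comment that follows it wrong: after `sz = sizeof(p->s) - sz;` the text "The size of the pascal string length (sz) is 1, 2, or 4" describes a value `sz` no longer holds, and a reader checking the bound `len >= sz` has to recover the original meaning by hand. The bound itself is right — with `len <= sizeof(p->s) - sz` the copy from `ptr2 = p->s + sz` stays inside `p->s`, which is what closes the 1/2/4-byte over-read named in the commit title — but it would be clearer as a separate local: `size_t maxlen = sizeof(p->s) - sz; /* room left after dropping the length field */`, `if (len >= maxlen) {`, `len = maxlen;`, leaving `sz` as the length-field size the comment refers to. The hunk ends at the copy loop, so the NUL termination the comment relies on ("one of the bytes of the length ... as NUL termination") is outside the hunk; worth confirming in the code that follows that the terminator is written at `p->s[len]`, which this bound guarantees has room only because `sz` is at least 1. mconvert begins before and continues after this hunk.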
