Fixes from Jakub Bogusz <qboosh@pld-linux.org>, stack overwrite, elf …

…overread.

src/readelf.c

@@ -37,7 +37,7 @@
 #include "readelf.h"
 
 #ifndef lint
-FILE_RCSID("@(#)$Id: readelf.c,v 1.44 2004/11/21 05:20:31 christos Exp $")
+FILE_RCSID("@(#)$Id: readelf.c,v 1.45 2004/11/24 17:38:24 christos Exp $")
 #endif
 
 #ifdef	ELFCORE
@@ -254,7 +254,8 @@ dophn_core(struct magic_set *ms, int class, int swap, int fd, off_t off,
 			file_badseek(ms);
 			return -1;
 		}
-		bufsize = read(fd, nbuf, sizeof(nbuf));
+		bufsize = read(fd, nbuf,
+		    ((ph_filesz < sizeof(nbuf)) ? ph_filesz : sizeof(nbuf)));
 		if (bufsize == -1) {
 			file_badread(ms);
 			return -1;
@@ -325,7 +326,7 @@ donote(struct magic_set *ms, unsigned char *nbuf, size_t offset, size_t size,
 	}
 
 	offset = ELF_ALIGN(doff + descsz);
-	if (offset + descsz > size) {
+	if (doff + descsz > size) {
 		return offset;
 	}
 
@@ -710,7 +711,8 @@ dophn_exec(struct magic_set *ms, int class, int swap, int fd, off_t off,
 				file_badseek(ms);
 				return -1;
 			}
-			bufsize = read(fd, nbuf, sizeof(nbuf));
+			bufsize = read(fd, nbuf, ((ph_filesz < sizeof(nbuf)) ?
+			    ph_filesz : sizeof(nbuf)));
 			if (bufsize == -1) {
 				file_badread(ms);
 				return -1;

src/softmagic.c

@@ -39,7 +39,7 @@
 
 
 #ifndef	lint
-FILE_RCSID("@(#)$Id: softmagic.c,v 1.71 2004/11/21 06:09:43 christos Exp $")
+FILE_RCSID("@(#)$Id: softmagic.c,v 1.72 2004/11/24 17:38:25 christos Exp $")
 #endif	/* lint */
 
 private int match(struct magic_set *, struct magic *, uint32_t,
@@ -663,7 +663,7 @@ mcopy(struct magic_set *ms, union VALUETYPE *p, int type, int indir,
 	 * might even cause problems
 	 */
 	if (nbytes < sizeof(*p))
-		(void)memset(p + nbytes, '\0', sizeof(*p) - nbytes);
+		(void)memset(((char *)p) + nbytes, '\0', sizeof(*p) - nbytes);
 	return 0;
 }