CVE-2019-8905-and-CVE-2019-8907.patch 3.56 KB
Leo committed
diff --git a/src/file.h b/src/file.h
index eb9c054..6d9d204 100644
--- a/src/file.h
+++ b/src/file.h
@@ -491,7 +491,7 @@ protected int file_looks_utf8(const unsigned char *, size_t, unichar *,
     size_t *);
 protected size_t file_pstring_length_size(const struct magic *);
 protected size_t file_pstring_get_length(const struct magic *, const char *);
-protected char * file_printable(char *, size_t, const char *);
+protected char * file_printable(char *, size_t, const char *, size_t);
 #ifdef __EMX__
 protected int file_os2_apptype(struct magic_set *, const char *, const void *,
     size_t);
diff --git a/src/funcs.c b/src/funcs.c
index d7a18f4..eb44261 100644
--- a/src/funcs.c
+++ b/src/funcs.c
@@ -581,12 +581,13 @@ file_pop_buffer(struct magic_set *ms, file_pushbuf_t *pb)
  * convert string to ascii printable format.
  */
 protected char *
-file_printable(char *buf, size_t bufsiz, const char *str)
+file_printable(char *buf, size_t bufsiz, const char *str, size_t slen)
 {
-	char *ptr, *eptr;
+	char *ptr, *eptr = buf + bufsiz - 1;
 	const unsigned char *s = (const unsigned char *)str;
+	const unsigned char *es = s + slen;
 
-	for (ptr = buf, eptr = ptr + bufsiz - 1; ptr < eptr && *s; s++) {
+	for (ptr = buf;  ptr < eptr && s < es && *s; s++) {
 		if (isprint(*s)) {
 			*ptr++ = *s;
 			continue;
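Review bot: The header comment above file_printable still reads only `convert string to ascii printable format.` and says nothing about the new slen parameter, although slen is now the contract that makes this function safe on unterminated input. Because the loop condition on the new side keeps the `*s` test, slen is an upper bound rather than an exact length: copying stops at the earliest of slen input bytes, a NUL byte, or bufsiz - 1 output bytes. I would extend the comment to `/* Copy at most slen bytes of str into buf (bufsiz bytes), stopping early at a NUL byte; str need not be NUL-terminated. */`. The escaping branch for non-printable bytes lies below this hunk and emits several output bytes per input byte, while the per-iteration `ptr < eptr` check only guarantees room for one, so that branch must still carry its own remaining-space check before writing an escape. The function body continues past the end of the hunk.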
diff --git a/src/readelf.c b/src/readelf.c
index 5f425c9..ee466fc 100644
--- a/src/readelf.c
+++ b/src/readelf.c
@@ -725,7 +725,7 @@ do_core_note(struct magic_set *ms, unsigned char *nbuf, uint32_t type,
 			if (file_printf(ms, ", from '%.31s', pid=%u, uid=%u, "
 			    "gid=%u, nlwps=%u, lwp=%u (signal %u/code %u)",
 			    file_printable(sbuf, sizeof(sbuf),
-			    CAST(char *, pi.cpi_name)),
+				CAST(char *, pi.cpi_name), sizeof(pi.cpi_name)),
 			    elf_getu32(swap, pi.cpi_pid),
 			    elf_getu32(swap, pi.cpi_euid),
 			    elf_getu32(swap, pi.cpi_egid),
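Review bot: The new continuation line for the extra argument is indented differently from the surrounding continuation lines: the existing argument lines use a tab followed by four spaces, whereas the added line uses tabs only, so the arguments of the same call no longer line up. The same mixed indentation appears in the dophn_exec hunk (which also leaves trailing whitespace after `sizeof(interp)))` and puts `== -1)` on a line of its own) and in all four softmagic.c hunks. Aligning the added lines with their neighbours, e.g. `			    CAST(char *, pi.cpi_name), sizeof(pi.cpi_name)),`, keeps the call readable as one unit. Note also that `sizeof(pi.cpi_name)` is the buffer size only if cpi_name is an array member; the struct definition is outside the hunk.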
@@ -1563,7 +1563,8 @@ dophn_exec(struct magic_set *ms, int clazz, int swap, int fd, off_t off,
 		return -1;
 	if (interp[0])
 		if (file_printf(ms, ", interpreter %s",
-		    file_printable(ibuf, sizeof(ibuf), interp)) == -1)
+			file_printable(ibuf, sizeof(ibuf), interp, sizeof(interp))) 
+				== -1)
 			return -1;
 	return 0;
 }
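Review bot: `sizeof(interp)` on the new line is only the buffer length if interp is an array declared locally in dophn_exec; its declaration is above the hunk and not visible here. If interp were a pointer parameter or a pointer local, this would pass the pointer size instead and the bound would be meaningless, so it is worth confirming the declaration once when applying the patch. If it is an array, a short comment such as `/* interp is a local array; pass its full size as the read bound */` would make the intent clear to the next reader.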
diff --git a/src/softmagic.c b/src/softmagic.c
index b9e9753..fa82d58 100644
--- a/src/softmagic.c
+++ b/src/softmagic.c
@@ -544,8 +544,8 @@ mprint(struct magic_set *ms, struct magic *m)
   	case FILE_LESTRING16:
 		if (m->reln == '=' || m->reln == '!') {
 			if (file_printf(ms, F(ms, m, "%s"), 
-			    file_printable(sbuf, sizeof(sbuf), m->value.s))
-			    == -1)
+				file_printable(sbuf, sizeof(sbuf), m->value.s,
+			    sizeof(m->value.s))) == -1)
 				return -1;
 			t = ms->offset + m->vallen;
 		}
@@ -572,7 +572,8 @@ mprint(struct magic_set *ms, struct magic *m)
 			}
 
 			if (file_printf(ms, F(ms, m, "%s"),
-			    file_printable(sbuf, sizeof(sbuf), str)) == -1)
+				file_printable(sbuf, sizeof(sbuf), str,
+				sizeof(p->s) - (str - p->s))) == -1)
 				return -1;
 
 			if (m->type == FILE_PSTRING)
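Review bot: `sizeof(p->s) - (str - p->s)` in the added lines assumes str points inside p->s; if str were ever at or beyond the end of the array, the subtraction wraps to a very large size_t and the new bound stops limiting the read. str is set above this hunk, presumably by advancing past a pstring length prefix, so the assumption likely holds, but the hunk does not show it. A one-line guard before the call, `if (str < p->s || str >= p->s + sizeof(p->s)) return -1;`, or a comment stating why the offset is always within the array, would document the invariant the bound relies on. The enclosing case of mprint starts above the hunk.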
@@ -678,7 +679,7 @@ mprint(struct magic_set *ms, struct magic *m)
 			return -1;
 		}
 		rval = file_printf(ms, F(ms, m, "%s"),
-		    file_printable(sbuf, sizeof(sbuf), cp));
+		    file_printable(sbuf, sizeof(sbuf), cp, ms->search.rm_len));
 		free(cp);
 
 		if (rval == -1)
@@ -705,7 +706,8 @@ mprint(struct magic_set *ms, struct magic *m)
 		break;
 	case FILE_DER:
 		if (file_printf(ms, F(ms, m, "%s"), 
-		    file_printable(sbuf, sizeof(sbuf), ms->ms_value.s)) == -1)
+			file_printable(sbuf, sizeof(sbuf), ms->ms_value.s,
+			sizeof(ms->ms_value.s))) == -1)
 			return -1;
 		t = ms->offset;
 		break;