authorPanu Matilainen <pmatilai@redhat.com>2007-06-19 14:21:01 +0300
committerPanu Matilainen <pmatilai@redhat.com>2007-06-19 14:21:01 +0300
commit759ad2f36c91589665b4a67f1d00cfc58e6e5087 (patch)
treef0bf0af1fefdc8af3995ba25c3cdca6615f85bac /file
parent59920364efcc433d2d72d82cdc2b55758eba71b1 (diff)
Fix CVE-2007-2799 integer overflow in internal libmagic. Patch from RHEL4.
Diffstat (limited to 'file')
-rw-r--r--file/src/funcs.c21
1 files changed, 17 insertions, 4 deletions
diff --git a/file/src/funcs.c b/file/src/funcs.c
index ebece87fe..fb20bdca0 100644
--- a/file/src/funcs.c
+++ b/file/src/funcs.c
@@ -26,12 +26,22 @@
*/
#include "file.h"
#include "magic.h"
-#include <assert.h>
#include <stdarg.h>
#include <stdlib.h>
#include <string.h>
#include <ctype.h>
+#if defined(HAVE_LIMITS_H)
+#include <limits.h>
+#endif
+#ifndef SIZE_T_MAX
+#ifdef __LP64__
+#define SIZE_T_MAX (size_t)0xfffffffffffffffffU
+#else
+#define SIZE_T_MAX (size_t)0xffffffffU
+#endif
+#endif
+
#ifndef lint
FILE_RCSID("@(#)$Id: funcs.c,v 1.14 2005/01/07 19:17:27 christos Exp $")
#endif /* lint */
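Review bot: The fallback `SIZE_T_MAX` in this hunk is hand-written per data model, and the `__LP64__` literal appears to carry seventeen `f` digits rather than sixteen. If so, it does not fit a 64-bit type and the value depends on how the compiler treats an over-wide constant. The bounds check this commit adds in `file_getbuffer` relies on this constant, so derive it from the type instead: `#define SIZE_T_MAX ((size_t)-1)`. That form also covers 64-bit targets that do not define `__LP64__`, and it parenthesizes the expansion. When `<limits.h>` is not included or does not provide `SIZE_T_MAX`, this fallback is the value actually used, which is worth a one-line comment above the `#ifndef`.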
@@ -165,9 +175,12 @@ file_getbuffer(struct magic_set *ms)
return ms->o.buf;
len = ms->o.size - ms->o.left;
- /* * 4 is for octal representation, + 1 is for NUL */
- psize = len * 4 + 1;
- assert(psize > len);
+ /* * 4 is for octal representation, + 1 is for NUL */
+ if (len > (SIZE_T_MAX - 1) / 4) {
+ file_oomem(ms);
+ return NULL;
+ }
+ psize = len * 4 + 1;
if (ms->o.psize < psize) {
if ((pbuf = realloc(ms->o.pbuf, psize)) == NULL) {
file_oomem(ms);
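Review bot: The guard on `len` in `file_getbuffer` should carry a comment saying what it protects, because the existing comment only explains the `* 4` and `+ 1` factors. Something like `/* reject len before len * 4 + 1 can wrap: a wrapped psize would make the realloc of pbuf below too small */` placed above the `if` records why the check must come before the multiplication. It would also help to note there that the overflow case is reported through `file_oomem`, so callers see it as an allocation failure. The declarations of `len` and `psize` and the code that fills `pbuf` are outside this hunk, so this assumes both are `size_t`. If `len` has a narrower or signed type, the comparison against `(SIZE_T_MAX - 1) / 4` needs a second look.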