89be4c7b0e
Fixes CVE-2018-10360: The do_core_note function in readelf.c in libmagic.a in file 5.33 allows remote attackers to cause a denial of service (out-of-bounds read and application crash) via a crafted ELF file. Signed-off-by: Baruch Siach <baruch@tkos.co.il> Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
31 lines
947 B
Diff
31 lines
947 B
Diff
From a642587a9c9e2dd7feacdf513c3643ce26ad3c22 Mon Sep 17 00:00:00 2001
|
|
From: Christos Zoulas <christos@zoulas.com>
|
|
Date: Sat, 9 Jun 2018 16:00:06 +0000
|
|
Subject: [PATCH] Avoid reading past the end of buffer (Rui Reis)
|
|
|
|
[baruch: drop file version string update hunk]
|
|
Signed-off-by: Baruch Siach <baruch@tkos.co.il>
|
|
---
|
|
Upstream status: commit a642587a9c9 in github mirror
|
|
|
|
src/readelf.c | 5 +++--
|
|
1 file changed, 3 insertions(+), 2 deletions(-)
|
|
|
|
diff --git a/src/readelf.c b/src/readelf.c
|
|
index 79c83f9f5048..1f41b46113c3 100644
|
|
--- a/src/readelf.c
|
|
+++ b/src/readelf.c
|
|
@@ -842,7 +842,8 @@ do_core_note(struct magic_set *ms, unsigned char *nbuf, uint32_t type,
|
|
|
|
cname = (unsigned char *)
|
|
&nbuf[doff + prpsoffsets(i)];
|
|
- for (cp = cname; *cp && isprint(*cp); cp++)
|
|
+ for (cp = cname; cp < nbuf + size && *cp
|
|
+ && isprint(*cp); cp++)
|
|
continue;
|
|
/*
|
|
* Linux apparently appends a space at the end
|
|
--
|
|
2.17.1
|
|
|