
(-)Makefile (-2 / +4 lines)
Lines 2-10 Link Here
2
# $FreeBSD$
2
# $FreeBSD$
3
3
4
PORTNAME=	file
4
PORTNAME=	file
5
PORTVERSION=	5.37
5
PORTVERSION=	5.38
6
CATEGORIES=	sysutils
6
CATEGORIES=	sysutils
7
MASTER_SITES=	ftp://ftp.astron.com/pub/file/ \
7
MASTER_SITES=	https://astron.com/pub/file/ \
8
		https://www.nic.funet.fi/pub/mirrors/ftp.astron.com/pub/file/ \
9
		https://ftp.icm.edu.pl/packages/file/ \
8
		ftp://ftp.fu-berlin.de/unix/tools/file/
10
		ftp://ftp.fu-berlin.de/unix/tools/file/
9
11
10
MAINTAINER=	jharris@widomaker.com
12
MAINTAINER=	jharris@widomaker.com
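Review bot: The last `MASTER_SITES` entry, `ftp://ftp.fu-berlin.de/unix/tools/file/`, stays on plaintext FTP while the primary site moves to HTTPS and two HTTPS mirrors are added. The fetched tarball is still checked against the SHA256 and SIZE recorded in distinfo, so this is a hardening gap rather than an integrity hole, but it would be more consistent to switch that mirror to HTTPS if it serves it, or to drop it. Separately, this bump to 5.38 is what justifies deleting files/patch-src_cdf.c and files/patch-src_cdf.h. Before the local patches go, confirm that the 5.38 src/cdf.c already contains the `SIZE_T_MAX / ss < CAST(size_t, id)` guards and the `nelements > CDF_ELEMENT_LIMIT` bound.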
(-)distinfo (-3 / +3 lines)
Lines 1-3 Link Here
1
TIMESTAMP = 1571780726
1
TIMESTAMP = 1589916680
2
SHA256 (file-5.37.tar.gz) = e9c13967f7dd339a3c241b7710ba093560b9a33013491318e88e6b8b57bae07f
2
SHA256 (file-5.38.tar.gz) = 593c2ffc2ab349c5aea0f55fedfe4d681737b6b62376a9b3ad1e77b2cc19fa34
3
SIZE (file-5.37.tar.gz) = 887682
3
SIZE (file-5.38.tar.gz) = 932528
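--- a/files/patch-src_cdf.c
+++ b/files/patch-src_cdf.c
@@ -1,71 +0,0 @@
---- src/cdf.c.orig	2019-10-22 21:52:28 UTC
-+++ src/cdf.c
-@@ -35,7 +35,7 @@
- #include "file.h"
- 
- #ifndef lint
--FILE_RCSID("@(#)$File: cdf.c,v 1.114 2019/02/20 02:35:27 christos Exp $")
-+FILE_RCSID("@(#)$File: cdf.c,v 1.116 2019/08/26 14:31:39 christos Exp $")
- #endif
- 
- #include <assert.h>
-@@ -53,6 +53,10 @@ FILE_RCSID("@(#)$File: cdf.c,v 1.114 2019/02/20 02:35:
- #define EFTYPE EINVAL
- #endif
- 
-+#ifndef SIZE_T_MAX
-+#define SIZE_T_MAX CAST(size_t, ~0ULL)
-+#endif
-+
- #include "cdf.h"
- 
- #ifdef CDF_DEBUG
-@@ -405,7 +409,12 @@ cdf_read_sector(const cdf_info_t *info, void *buf, siz
-     const cdf_header_t *h, cdf_secid_t id)
- {
- 	size_t ss = CDF_SEC_SIZE(h);
--	size_t pos = CDF_SEC_POS(h, id);
-+	size_t pos;
-+
-+	if (SIZE_T_MAX / ss < CAST(size_t, id))
-+		return -1;
-+
-+	pos = CDF_SEC_POS(h, id);
- 	assert(ss == len);
- 	return cdf_read(info, CAST(off_t, pos), RCAST(char *, buf) + offs, len);
- }
-@@ -415,7 +424,12 @@ cdf_read_short_sector(const cdf_stream_t *sst, void *b
-     size_t len, const cdf_header_t *h, cdf_secid_t id)
- {
- 	size_t ss = CDF_SHORT_SEC_SIZE(h);
--	size_t pos = CDF_SHORT_SEC_POS(h, id);
-+	size_t pos;
-+
-+	if (SIZE_T_MAX / ss < CAST(size_t, id))
-+		return -1;
-+
-+	pos = CDF_SHORT_SEC_POS(h, id);
- 	assert(ss == len);
- 	if (pos + len > CDF_SEC_SIZE(h) * sst->sst_len) {
- 		DPRINTF(("Out of bounds read %" SIZE_T_FORMAT "u > %"
-@@ -1013,8 +1027,9 @@ cdf_read_property_info(const cdf_stream_t *sst, const 
- 				goto out;
- 			}
- 			nelements = CDF_GETUINT32(q, 1);
--			if (nelements == 0) {
--				DPRINTF(("CDF_VECTOR with nelements == 0\n"));
-+			if (nelements > CDF_ELEMENT_LIMIT || nelements == 0) {
-+				DPRINTF(("CDF_VECTOR with nelements == %"
-+				    SIZE_T_FORMAT "u\n", nelements));
- 				goto out;
- 			}
- 			slen = 2;
-@@ -1056,8 +1071,6 @@ cdf_read_property_info(const cdf_stream_t *sst, const 
- 					goto out;
- 				inp += nelem;
- 			}
--			DPRINTF(("nelements = %" SIZE_T_FORMAT "u\n",
--			    nelements));
- 			for (j = 0; j < nelements && i < sh.sh_properties;
- 			    j++, i++)
- 			{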
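--- a/files/patch-src_cdf.h
+++ b/files/patch-src_cdf.h
@@ -1,10 +0,0 @@
---- src/cdf.h.orig	2019-10-22 21:52:35 UTC
-+++ src/cdf.h
-@@ -48,6 +48,7 @@
- typedef int32_t cdf_secid_t;
- 
- #define CDF_LOOP_LIMIT					10000
-+#define CDF_ELEMENT_LIMIT				100000
- 
- #define CDF_SECID_NULL					0
- #define CDF_SECID_FREE					-1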
