bugs.gw.com
Mantis Bug Tracker

View Issue Details Jump to Notes ] Issue History ] Print ]
IDProjectCategoryView StatusDate SubmittedLast Update
0000313filegeneralpublic2013-12-20 17:262014-01-08 22:23
ReporterAaron Reffett 
Assigned ToChristos Zoulas 
PrioritynormalSeveritycrashReproducibilityalways
StatusresolvedResolutionfixed 
PlatformOSOS Version
Product Version5.14 
Target VersionFixed in Version5.18 
Summary0000313: [PATCH] file crashes when checking softmagic for some corrupt PE executables
DescriptionSome corrupt PE executables contain invalid offset information in their internal directories that libmagic attempts to follow and run string searches on. mcopy() does not do bounds checking on the indirect offset read from the file and sets up ms->search with invalid pointers and lengths.

The offending line in my case is the msdos magic file is 121:
>>>>(&0x0f.l+(-4)) search/0x3000 MSCF \b, InstallShield self-extracting archive

The offset read indirectly was invalid and its bounds were not checked in mcopy.
Steps To ReproduceRun file on a PE executable that with invalid directory information which follows a path that includes string searches offset to an invalid location.
Additional InformationPatch included to bounds check this case.
TagsNo tags attached.
Attached Filespatch file icon file-5.14-offset-bounds-check.patch [^] (1,631 bytes) 2013-12-20 19:54 [Show Content]

- Relationships

-  Notes
(0000547)
Aaron Reffett (reporter)
2013-12-20 18:49
edited on: 2013-12-20 18:49

Taking a further look at the code, mget should detect whether or not the offset is legal, but it won't if offset is near ULONG_MAX and offset + anything causes it to overflow. A better place to fix this case is probably there: detect offset overflow and return 0.

(0000560)
Christos Zoulas (manager)
2014-01-08 22:23

Good catch; depending on overflow behavior though is non-portable. Modern versions of gcc, just remove the code.

- Issue History
Date Modified Username Field Change
2013-12-20 17:26 Aaron Reffett New Issue
2013-12-20 17:26 Aaron Reffett File Added: file-5.14-mcopy-string-bounds-check.diff
2013-12-20 18:49 Aaron Reffett Note Added: 0000547
2013-12-20 18:49 Aaron Reffett Note Edited: 0000547 View Revisions
2013-12-20 19:54 Aaron Reffett File Deleted: file-5.14-mcopy-string-bounds-check.diff
2013-12-20 19:54 Aaron Reffett File Added: file-5.14-offset-bounds-check.patch
2014-01-08 22:23 Christos Zoulas Assigned To => Christos Zoulas
2014-01-08 22:23 Christos Zoulas Status new => assigned
2014-01-08 22:23 Christos Zoulas Note Added: 0000560
2014-01-08 22:23 Christos Zoulas Status assigned => resolved
2014-01-08 22:23 Christos Zoulas Fixed in Version => 5.18
2014-01-08 22:23 Christos Zoulas Resolution open => fixed


Copyright © 2000 - 2012 MantisBT Group
Powered by Mantis Bugtracker