diff --git a/share/security/advisories/FreeBSD-EN-14:07.pmap.asc b/share/security/advisories/FreeBSD-EN-14:07.pmap.asc new file mode 100644 index 0000000000..912f1df1b4 --- /dev/null +++ b/share/security/advisories/FreeBSD-EN-14:07.pmap.asc @@ -0,0 +1,129 @@ +-----BEGIN PGP SIGNED MESSAGE----- +Hash: SHA512 + +============================================================================= +FreeBSD-EN-14:07.pmap Errata Notice + The FreeBSD Project + +Topic: Bug with PCID implementation + +Category: core +Module: kernel +Announced: 2014-06-24 +Credits: Henrik Gulbrandsen +Affects: FreeBSD 10.0-RELEASE +Corrected: 2014-03-04 21:51:09 UTC (stable/10, 10.0-STABLE) + 2014-06-24 19:05:08 UTC (releng/10.0, 10.0-RELEASE-p6) + +For general information regarding FreeBSD Errata Notices and Security +Advisories, including descriptions of the fields above, security +branches, and the following sections, please visit +<URL:http://security.freebsd.org/>. + +I. Background + +Process-context identifiers (PCIDs) are a facility in modern x86 +processors, which tags TLB entries with the Id of the address space +and allows to avoid TLB invalidation on the context switch. + +II. Problem Description + +Due to bug in the handling of the mask of the CPU set where the given +address space could have cached TLB entries, stale mappings could be +seen by multithreaded programs. + +III. Impact + +Applications, most notably Java, which makes heavy use of threads may +randomly crash due to the inconcistency. + +IV. Workaround + +Systems that do not run have a CPU that supports the Process-Context +Identifiers feature are not affected. + +The system administrator can add the following to /boot/loader.conf +which disables Process-Context Identifiers to workaround this problem: + + vm.pmap.pcid_enabled="0" + +V. Solution + +Perform one of the following: + +1) Upgrade your system to a supported FreeBSD stable or release / security +branch (releng) dated after the correction date. + +2) To update your present system via a source code patch: + +The following patches have been verified to apply to the applicable +FreeBSD release branches. + +a) Download the relevant patch from the location below, and verify the +detached PGP signature using your PGP utility. + +[FreeBSD 10.0] +# fetch http://security.FreeBSD.org/patches/EN-14:07/pmap.patch +# fetch http://security.FreeBSD.org/patches/EN-14:07/pmap.patch.asc +# gpg --verify pmap.patch.asc + +b) Apply the patch. Execute the following commands as root: + +# cd /usr/src +# patch < /path/to/patch + +c) Recompile your kernel as described in +<URL:http://www.FreeBSD.org/handbook/kernelconfig.html> and reboot the +system. + +3) To update your system via a binary patch: + +Systems running a RELEASE version of FreeBSD on the i386 or amd64 +platforms can be updated via the freebsd-update(8) utility: + +# freebsd-update fetch +# freebsd-update install + +VI. Correction details + +The following list contains the revision numbers of each file that was +corrected in FreeBSD. + +Branch/path Revision +- ------------------------------------------------------------------------- +stable/10/ r262753 +releng/10.0/ r267829 +- ------------------------------------------------------------------------- + +To see which files were modified by a particular revision, run the +following command, replacing NNNNNN with the revision number, on a +machine with Subversion installed: + +# svn diff -cNNNNNN --summarize svn://svn.freebsd.org/base + +Or visit the following URL, replacing NNNNNN with the revision number: + +<URL:http://svnweb.freebsd.org/base?view=revision&revision=NNNNNN> + +VII. References + +The latest revision of this Errata Notice is available at +http://security.FreeBSD.org/advisories/FreeBSD-EN-14:07.pmap.asc + +-----BEGIN PGP SIGNATURE----- +Version: GnuPG v2 + +iQIcBAEBCgAGBQJTqc+KAAoJEO1n7NZdz2rnAbYP/iZKU3SSwHwWPzYa03ZwgW4u +54MigJuV/wyOfJj2ZZuOXTaYZP1miRgFr7mn9OWkA6slWHLAVkmN9fWrUU8tRPjJ +UDVhnbToVYIcmW2tEH5lZ5y1Stt178NZTeMo26jgkWhj74RZ10OIFdSuNlNUQGSr +djanCdgpnGL+odml+rQcGAAKKH97PchQ6r9IivNgE6mnGhGvzOjQOSdxioBLew14 +w5Ua3k4nn/4hYi4RMPJ/vAlPdJHVsnZb8kRWhf4Ncj19IkvJ8EO6PmnHCbdGmV1I +cvqVFxXPGGA/A+O9E+1S+54SWotivpgjSujuQFFmvuzBbPhlt/Hmtn6YwljNG4+e +V6MsMRPMHVoIhOCBv9xfCHgyajA7jgbRGqQkMWxwKPVLjmk2NWOsbGBjHMFHnqYn +87Sh7crbFffNGwqGJgn+vXSXeNZ/95EWSBE0/B4KfqPeX6XCJI/C/sMRl0ATKa7C +k227J0olXKKUInLEq7tS1nLS0IKlWLF5WiRFx7DOa4DKLBcLZkYKTu3ATJySQ4V3 +hDNDpubB3/94ug1slRNWDYGxzaZq0ctUTubxsHW7a0iYQi/PkssCT/8jVAdsx8hq +S1DjGZiFAKLOiJUSvPfONdwodORyEyMB+z37EfgeHKKqnjJXgSEtmnmI+7sT8hlR +FhXX1XQOBUtPxF+MY4bT +=vNzu +-----END PGP SIGNATURE----- diff --git a/share/security/advisories/FreeBSD-EN-14:08.heimdal.asc b/share/security/advisories/FreeBSD-EN-14:08.heimdal.asc new file mode 100644 index 0000000000..ff964cb277 --- /dev/null +++ b/share/security/advisories/FreeBSD-EN-14:08.heimdal.asc @@ -0,0 +1,166 @@ +-----BEGIN PGP SIGNED MESSAGE----- +Hash: SHA512 + +============================================================================= +FreeBSD-EN-14:08.heimdal Errata Notice + The FreeBSD Project + +Topic: gss_pseudo_random interoperability issue + +Category: contrib +Module: heimdal +Announced: 2014-06-24 +Credits: Marc Dionne, Nico Williams, and Benjamin Kaduk +Affects: All supported versions of FreeBSD prior to 9.2-RELEASE. +Corrected: 2013-12-16 06:52:30 UTC (stable/9, 9.2-STABLE) + 2014-06-24 19:05:36 UTC (releng/9.2, 9.2-RELEASE-p9) + 2014-06-24 19:05:36 UTC (releng/9.1, 9.1-RELEASE-p16) + 2013-12-16 06:56:38 UTC (stable/8, 8.4-STABLE) + 2014-06-24 19:05:47 UTC (releng/8.4, 8.4-RELEASE-p13) + +For general information regarding FreeBSD Errata Notices and Security +Advisories, including descriptions of the fields above, security +branches, and the following sections, please visit +<URL:http://security.freebsd.org/>. + +I. Background + +Heimdal provides an implementation of Kerberos 5, the Generic Security +Service API (GSS-API), and the krb5 GSS-API mechanism. The GSS-API is +an abstract API that provides a unified interface for security services +that wraps many underlying security mechanisms. Application protocols +using the GSS-API exchange context tokens to establish a security context. +Once the security context has successfully been established, it can be +used to checksum and/or encrypt messages between the two parties of +the context, securely generate an identical pseudorandom bitstring at +both endpoints, and other security-related functionality. + +Kerberos 5 permits the use of different encryption types for encryption +keys; part of the specification for each encryption type is a pseudo-random +function that uses an encryption key and some optional seed data to +produce a pseudo-random bitstring of a fixed length. The GSS_Pseudo_random +function uses an established security context and some optional seed +data to produce a pseudo-random bitstring of (nearly) arbitrary lengh. +The specification for GSS_Pseudo_random for the krb5 mechanism (RFC 4402) +uses a counter mode to produce the arbitrary length output from the +fixed-length output of the underlying enctype's pseudo-random output. + +II. Problem Description + +RFC 4402 specifies that the counter which is prepended to the seed data +must be encoded in network (big-endian) byte order before being input to the +encryption type's pseudo-random function. All released versions of Heimdal +that include a GSS_Pseudo_random implementation for the krb5 mechanism +encode the counter as a little-endian integer. + +III. Impact + +Only applications using the GSS_Pseudo_random functionality with the krb5 +mechanism are affected; the number of such applications is believed to +be small. (RFC 4402 was published in 2006.) Since the first value +used for the counter is zero, the first block of output is correct, but +the second and all subsequent blocks of output are incorrect. +Old versions of Heimdal will interoperate over the network with each +other, but will not interoperate with MIT krb5 peers or other implementations +of RFC 4402, if producing more than one block of pseudo-random output. +For the commonly used AES encryption types, the first 128 bits of output +are correct but the subsequent output differs. + +IV. Workaround + +Applications which do not use the GSS_Pseudo_random functionality +are not affected. + +Applications which can reduce their pseudo-random needs to a single +block length (e.g., 128 bits for AES) will interoperate with all +known implementations. + +V. Solution + +Perform one of the following: + +1) Upgrade your system to a supported FreeBSD stable or release / security +branch (releng) dated after the correction date. + +2) To update your present system via a source code patch: + +The following patches have been verified to apply to the applicable +FreeBSD release branches. + +a) Download the relevant patch from the location below, and verify the +detached PGP signature using your PGP utility. + +# fetch http://security.FreeBSD.org/patches/EN-14:08/heimdal.patch +# fetch http://security.FreeBSD.org/patches/EN-14:08/heimdal.patch.asc +# gpg --verify heimdal.patch.asc + +b) Apply the patch. Execute the following commands as root: + +# cd /usr/src +# patch < /path/to/patch + +c) Recompile the operating system using buildworld and installworld as +described in <URL:http://www.FreeBSD.org/handbook/makeworld.html>. + +Restart all deamons using the library, or reboot the system. + +3) To update your system via a binary patch: + +Systems running a RELEASE version of FreeBSD on the i386 or amd64 +platforms can be updated via the freebsd-update(8) utility: + +# freebsd-update fetch +# freebsd-update install + +VI. Correction details + +The following list contains the revision numbers of each file that was +corrected in FreeBSD. + +Branch/path Revision +- ------------------------------------------------------------------------- +stable/8/ r259452 +releng/8.4/ r267832 +stable/9/ r259451 +releng/9.1/ r267831 +releng/9.2/ r267831 +stable/10/ r259447 +releng/10.0/ r259758 +- ------------------------------------------------------------------------- + +To see which files were modified by a particular revision, run the +following command, replacing NNNNNN with the revision number, on a +machine with Subversion installed: + +# svn diff -cNNNNNN --summarize svn://svn.freebsd.org/base + +Or visit the following URL, replacing NNNNNN with the revision number: + +<URL:http://svnweb.freebsd.org/base?view=revision&revision=NNNNNN> + +VII. References + +The discussion of this interoperability issue in the IETF kitten working +group archives may be found here: +http://www.ietf.org/mail-archive/web/kitten/current/msg04479.html + +The latest revision of this Errata Notice is available at +http://security.FreeBSD.org/advisories/FreeBSD-EN-14:08.heimdal.asc + +-----BEGIN PGP SIGNATURE----- +Version: GnuPG v2 + +iQIcBAEBCgAGBQJTqc+KAAoJEO1n7NZdz2rnk2wP/RXxr1lgWeKY1wCusB/wlkLO +6cVsvZwIkvTvKNglkqY4dEvJJ1mdy25xP2yoft+ChM9ugTiGs5gfxsROXLCufobP +0ycnbl0pxL00aNwU3nXaejPhfblwwLmnwZAb3JuxF795BH/7z4a9vdC0mEn86RbQ +efeu3hqxJJxDL65xUntlgzWiFSWB+DZUjBU9DAFWlOPnbVR2T3n5w4sFSWMDtmv+ +AxqKjNVLgIHQKECTYjyFV2UjXCn6Np2m0dWHSpYM5MsdSaUolOqDRRxzAK5LKHg0 +ieHTf1OgBpfe/iBuSwybtEv/4cagDvN82Vsni8MbLEeDMa4DSsKorea1SIrCTcBv +CW4ugln7bBWgm3hnCEIWsy0wwhSVQetGFjYgimZySI5/nO2Jnh1Ung705MPCYpb7 ++X+G/oLqp04Bq81sWY4KFN8cfcmM2fQyL0zYOS72VPjXEvwcHnsbjZ/yO8eekO+J +oxkd8FaXR4b21HCh5cdlwWNNU4mu9wId8CLJW0y9l15zloTQvjW8+MSlEhAm9KUl +nYq/qHGiLTvxmsHlnQumay8lhtRJf0r3pNih+xchxy7JCVeu84aZHSIDrklZoiAr +LjOWagYFP9qHqhmmRxVoHKBeHgUaDWiJ9J0a0R44GadowrstYT7cYCzfSQr1KkDz +HPlEHgAxXm0shG0bbEA5 +=tTXE +-----END PGP SIGNATURE----- diff --git a/share/security/advisories/FreeBSD-SA-14:15.iconv.asc b/share/security/advisories/FreeBSD-SA-14:15.iconv.asc new file mode 100644 index 0000000000..a56d89bfd8 --- /dev/null +++ b/share/security/advisories/FreeBSD-SA-14:15.iconv.asc @@ -0,0 +1,131 @@ +-----BEGIN PGP SIGNED MESSAGE----- +Hash: SHA512 + +============================================================================= +FreeBSD-SA-14:15.iconv Security Advisory + The FreeBSD Project + +Topic: iconv(3) NULL pointer dereference and out-of-bounds array access + +Category: core +Module: libc/iconv +Announced: 2014-06-24 +Credits: Manuel Mausz, Tijl Coosemans +Affects: FreeBSD 10.0 +Corrected: 2014-03-04 12:43:10 UTC (stable/10, 10.0-STABLE) + 2014-06-24 19:05:08 UTC (releng/10.0, 10.0-RELEASE-p6) +CVE Name: CVE-2014-3951 + +For general information regarding FreeBSD Security Advisories, +including descriptions of the fields above, security branches, and the +following sections, please visit <URL:http://security.FreeBSD.org/>. + +I. Background + +The iconv(3) API allows converting text data from one character set +encoding to another. Applications first open a converter between two +encodings using iconv_open(3) and then convert text using iconv(3). +HZ is an encoding of the GB2312 character set used for simplified +Chinese characters. VIQR is an encoding for Vietnamese characters. + +II. Problem Description + +A NULL pointer dereference in the initialization code of the HZ module and +an out of bounds array access in the initialization code of the VIQR module +make iconv_open(3) calls involving HZ or VIQR result in an application crash. + +III. Impact + +Services where an attacker can control the arguments of an iconv_open(3) +call can be caused to crash resulting in a denial-of-service. For example, +an email encoded in HZ may cause an email delivery service to crash if it +converts emails to a more generic encoding like UTF-8 before applying +filtering rules. + +IV. Workaround + +No workaround is available, but systems that do not process untrusted +Chinese or Vietnamese input are not affected by this vulnerability. + +V. Solution + +Perform one of the following: + +1) Upgrade your vulnerable system to a supported FreeBSD stable or +release / security branch (releng) dated after the correction date. + +2) To update your vulnerable system via a source code patch: + +The following patches have been verified to apply to the applicable +FreeBSD release branches. + +a) Download the relevant patch from the location below, and verify the +detached PGP signature using your PGP utility. + +[FreeBSD 10.0] +# fetch http://security.FreeBSD.org/patches/SA-14:15/iconv.patch +# fetch http://security.FreeBSD.org/patches/SA-14:15/iconv.patch.asc +# gpg --verify iconv.patch.asc + +b) Apply the patch. Execute the following commands as root: + +# cd /usr/src +# patch < /path/to/patch + +c) Recompile the operating system using buildworld and installworld as +described in <URL:http://www.FreeBSD.org/handbook/makeworld.html>. + +Restart all deamons using the library, or reboot the system. + +3) To update your vulnerable system via a binary patch: + +Systems running a RELEASE version of FreeBSD on the i386 or amd64 +platforms can be updated via the freebsd-update(8) utility: + +# freebsd-update fetch +# freebsd-update install + +VI. Correction details + +The following list contains the correction revision numbers for each +affected branch. + +Branch/path Revision +- ------------------------------------------------------------------------- +stable/10/ r262731 +releng/10.0/ r267829 +- ------------------------------------------------------------------------- + +To see which files were modified by a particular revision, run the +following command, replacing NNNNNN with the revision number, on a +machine with Subversion installed: + +# svn diff -cNNNNNN --summarize svn://svn.freebsd.org/base + +Or visit the following URL, replacing NNNNNN with the revision number: + +<URL:http://svnweb.freebsd.org/base?view=revision&revision=NNNNNN> + +VII. References + +<URL:http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3951> + +The latest revision of this advisory is available at +<URL:http://security.FreeBSD.org/advisories/FreeBSD-SA-14:15.iconv.asc> +-----BEGIN PGP SIGNATURE----- +Version: GnuPG v2 + +iQIcBAEBCgAGBQJTqc+KAAoJEO1n7NZdz2rnmqsP/1VXkGjjBB34Qh43HGxmVofB +8Zfkc19nQtHvQaS+wAUfm10Onu2QJUPPm5OZL+kYYxJs1G4/VLTDTl/7cHBkCoA0 +abdDpRbtG6CMHfnaARpMOAkg+uvHl41pjHgr+mi4TRYivzSNp+qfw8BsPJ21DAS6 +Om6H6m+ggHjTXrtniBtQ+os2wfxbGGMJQzL94QC+tyzzFTEknIt8lgn6hboh99eV +pQb8WnSRCPuyiw+hKHdOOS7er7ZCIy9l0VWWfyJzcZP3/W5q6qSNCdnMUNZsTk0L +ruiUrhRjookK6/3VKb+9/YMfpB8xuQad2fk2mbQZkaxdSVJyFIfOI6Y9PJYbx9BP +Z7Bp0qyEGs+5/CZhiSwr2E/3k7kNe+30dvbPE0SBw9JNS4T0FyzlRUM4Y8s843Lf +GUcacSLcgCv8DUU517GmTL+UvnE+dajppr/vueRTC2T0mj8OX1qukq1Rjs9RpZkc +l2ajo3TbMZjwwivEsJEI2706tqv2v7+xON6WrZbUvbXlp4Kw7v01pS2Z3DFIeK8d +D9H80XuBIM6ZvMUd3NZHBGBjcxYEHvB5hM26ceCAP/ZvOSa4jp8vVQcPVONwj55n +RvX+K66t3yGiRznjhUUL+/8T9ulcI8TomgKL+U3UXasinYU9F4v55yXRugYvgnig +jh8e1kgmRt2rt5ZLthe5 +=Wr8S +-----END PGP SIGNATURE----- diff --git a/share/security/advisories/FreeBSD-SA-14:16.file.asc b/share/security/advisories/FreeBSD-SA-14:16.file.asc new file mode 100644 index 0000000000..8282cf4329 --- /dev/null +++ b/share/security/advisories/FreeBSD-SA-14:16.file.asc @@ -0,0 +1,161 @@ +-----BEGIN PGP SIGNED MESSAGE----- +Hash: SHA512 + +============================================================================= +FreeBSD-SA-14:16.file Security Advisory + The FreeBSD Project + +Topic: Multiple vulnerabilities in file(1) and libmagic(3) + +Category: contrib +Module: file +Announced: 2014-06-24 +Affects: All supported versions of FreeBSD. +Corrected: 2014-06-24 19:04:55 UTC (stable/10, 10.0-STABLE) + 2014-06-24 19:05:08 UTC (releng/10.0, 10.0-RELEASE-p6) + 2014-06-24 19:04:55 UTC (stable/9, 9.3-PRERELEASE) + 2014-06-24 19:05:19 UTC (releng/9.3, 9.3-RC2) + 2014-06-24 19:05:36 UTC (releng/9.2, 9.2-RELEASE-p9) + 2014-06-24 19:05:36 UTC (releng/9.1, 9.1-RELEASE-p16) + 2014-06-24 19:04:55 UTC (stable/8, 8.4-STABLE) + 2014-06-24 19:05:47 UTC (releng/8.4, 8.4-RELEASE-p13) +CVE Name: CVE-2012-1571, CVE-2013-7345, CVE-2014-1943, CVE-2014-2270 + +For general information regarding FreeBSD Security Advisories, +including descriptions of the fields above, security branches, and the +following sections, please visit <URL:http://security.FreeBSD.org/>. + +I. Background + +The file(1) utility attempts to classify file system objects based on +filesystem, magic number and language tests. + +The libmagic(3) library provides most of the functionality of file(1) +and may be used by other applications. + +II. Problem Description + +A specifically crafted Composite Document File (CDF) file can trigger an +out-of-bounds read or an invalid pointer dereference. [CVE-2012-1571] + +A flaw in regular expression in the awk script detector makes use of +multiple wildcards with unlimited repetitions. [CVE-2013-7345] + +A malicious input file could trigger infinite recursion in libmagic(3). +[CVE-2014-1943] + +A specifically crafted Portable Executable (PE) can trigger out-of-bounds +read. [CVE-2014-2270] + +III. Impact + +An attacker who can cause file(1) or any other applications using the +libmagic(3) library to be run on a maliciously constructed input can +the application to crash or consume excessive CPU resources, resulting +in a denial-of-service. + +IV. Workaround + +No workaround is available, but systems where file(1) and other +libmagic(3)-using applications are never run on untrusted input are not +vulnerable. + +V. Solution + +Perform one of the following: + +1) Upgrade your vulnerable system to a supported FreeBSD stable or +release / security branch (releng) dated after the correction date. + +2) To update your vulnerable system via a source code patch: + +The following patches have been verified to apply to the applicable +FreeBSD release branches. + +a) Download the relevant patch from the location below, and verify the +detached PGP signature using your PGP utility. + +[FreeBSD 9.1, 9.2, 9.3, 10.0] +# fetch http://security.FreeBSD.org/patches/SA-14:16/file.patch +# fetch http://security.FreeBSD.org/patches/SA-14:16/file.patch.asc +# gpg --verify file.patch.asc + +[FreeBSD 8.4] +# fetch http://security.FreeBSD.org/patches/SA-14:16/file-8.4.patch +# fetch http://security.FreeBSD.org/patches/SA-14:16/file-8.4.patch.asc +# gpg --verify file.patch.asc + +b) Apply the patch. Execute the following commands as root: + +# cd /usr/src +# patch < /path/to/patch + +c) Recompile the operating system using buildworld and installworld as +described in <URL:http://www.FreeBSD.org/handbook/makeworld.html>. + +Restart all deamons using the library, or reboot the system. + +3) To update your vulnerable system via a binary patch: + +Systems running a RELEASE version of FreeBSD on the i386 or amd64 +platforms can be updated via the freebsd-update(8) utility: + +# freebsd-update fetch +# freebsd-update install + +VI. Correction details + +The following list contains the correction revision numbers for each +affected branch. + +Branch/path Revision +- ------------------------------------------------------------------------- +stable/8/ r267828 +releng/8.4/ r267832 +stable/9/ r267828 +releng/9.1/ r267831 +releng/9.2/ r267831 +releng/9.3/ r267830 +stable/10/ r267828 +releng/10.0/ r267829 +- ------------------------------------------------------------------------- + +To see which files were modified by a particular revision, run the +following command, replacing NNNNNN with the revision number, on a +machine with Subversion installed: + +# svn diff -cNNNNNN --summarize svn://svn.freebsd.org/base + +Or visit the following URL, replacing NNNNNN with the revision number: + +<URL:http://svnweb.freebsd.org/base?view=revision&revision=NNNNNN> + +VII. References + +<URL:http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-1571> + +<URL:http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-7345> + +<URL:http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-1943> + +<URL:http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-2270> + +The latest revision of this advisory is available at +<URL:http://security.FreeBSD.org/advisories/FreeBSD-SA-14:16.file.asc> +-----BEGIN PGP SIGNATURE----- +Version: GnuPG v2 + +iQIcBAEBCgAGBQJTqc+KAAoJEO1n7NZdz2rnaLsP/jwrr5b1qZ9tObnN3FXwzEjD +jNHa3AJKHXgrYGzF8yNrZElhE48f02sr9dEXqIw/E5eElcVhi38RBEkwblE8Nj2H +M5bzEwVS7kWPcAl1vBno1rFTHutUTOSSopBGgwlNAlWSFnr1iFIIU9dQ6kcGCnBj +LvMx5kTSyZ707kArRrFjrDeYlPLSE/vSBOC00TqReS+3Q9By1IH5kUWesDWr+3Gk +lvW/JzSTcyOicrGR6vRHiLn9+NKojd6pV3hqV/uxuth1OxRtiGPeodL6CyvkipMo +rKjTgXEY2KluBGV9ff+rbeARLfUh2PDJ9Z5BfF7O8ZyMZpKkcw6MFRRfJ0xgtUZK +vpF0u8NVMIZhHLSJ9q1Roij2POxeOETNXG2bGKtVu8pqhJ14DvMfPgamsQLhzKRX +vBN1Gw+3RctJrQpF9HvYFOsKlfzcWyka82lw5GSsDYGH2TamU00CTQmx/5PW+WVo +xV3C17Wj8AkmRYWeC4IzkTiZ8avVOZ+TMyJKRhL6EGBT3ramu8BFdV8oZOcHHpR/ +rAI6eZcFtNuwKuvfqHZmh84GicHDkMHXy6OiyCYUW9uNdWl7nUPMMxp/zEA6gtay +ozVedGIIrhYkfQAJRcRAcnEBYqcBVkCD/rKXJtdALl3RDQrediRaz0nWE2bJ/qs3 +bHjS6vu9VS/3z0+pEYri +=5Ihe +-----END PGP SIGNATURE----- diff --git a/share/security/patches/EN-14:07/pmap.patch b/share/security/patches/EN-14:07/pmap.patch new file mode 100644 index 0000000000..078d6e0271 --- /dev/null +++ b/share/security/patches/EN-14:07/pmap.patch @@ -0,0 +1,13 @@ +Index: sys/amd64/amd64/pmap.c +=================================================================== +--- sys/amd64/amd64/pmap.c (revision 267572) ++++ sys/amd64/amd64/pmap.c (working copy) +@@ -367,7 +367,7 @@ static int pmap_flags = PMAP_PDE_SUPERPAGE; /* fla + + static struct unrhdr pcid_unr; + static struct mtx pcid_mtx; +-int pmap_pcid_enabled = 1; ++int pmap_pcid_enabled = 0; + SYSCTL_INT(_vm_pmap, OID_AUTO, pcid_enabled, CTLFLAG_RDTUN, &pmap_pcid_enabled, + 0, "Is TLB Context ID enabled ?"); + int invpcid_works = 0; diff --git a/share/security/patches/EN-14:07/pmap.patch.asc b/share/security/patches/EN-14:07/pmap.patch.asc new file mode 100644 index 0000000000..c076f45089 --- /dev/null +++ b/share/security/patches/EN-14:07/pmap.patch.asc @@ -0,0 +1,17 @@ +-----BEGIN PGP SIGNATURE----- +Version: GnuPG v2 + +iQIcBAABCgAGBQJTqc/GAAoJEO1n7NZdz2rnhbEP/2pckDzyxx2dvtY4VXOHwykV +K8Wb0m8o2x6IpHx/lqvToBX77VneknAmfc6yNxldMTmBq5sLA4kuLp9EkH7iuFtV +k1XcDWWGaoyLEK6Ur2f/CQOE9t0Qig5i6hVNbWCYzmjNZZGGE4Xd60rSSyQ1QN28 +JNoopI5p/wGWkDlDbw5f+foXBfbuOx1t1XWgEPRbxAXnvc6f3QBi7HQEu7GWWu04 +o5bn7+42zv3ij6aJ/zMb818Ml5cp1zeGT9VkSN17yqEdzmF+5C32caUp4qiiA5+n +gTR56RISYT+85xK+4AXdv3kZE5ZSQlsA8wLquKDiRVNFvqH7ly6v21JbWEfJBwyz +4iCA5I9A/Bp8z5ScouupkPimMEKCmSFwpE/Ww914x5bOaYl4xsXUQzBKs2nIWaao +u7sR7HxW0bq9pK1iVR2kU2md+65vq98HHO1xi1wQ8Aqw9Gt3CKklubiOf36qilUE +FCxBtumgOkHP8HWSE4oKFqLqx3GPV2j2BMSZiUE/x7gfd86FF6/fyx01NIekMpny +Osp5rXA5jnKgHJC8M6sF/+Xag1kBaIur5wNtaPSsQASmiXs4yXY29zH3sX4AxA2n +0fS1fItiM/US30TPGbcT0YEU8FR/CHDchUD2FjbjxntU4VSBUrnsK+ydRWiL+M0e +q4qZ9kLz2/HzBYG54HiI +=XjDR +-----END PGP SIGNATURE----- diff --git a/share/security/patches/EN-14:08/heimdal.patch b/share/security/patches/EN-14:08/heimdal.patch new file mode 100644 index 0000000000..15e0c90afe --- /dev/null +++ b/share/security/patches/EN-14:08/heimdal.patch @@ -0,0 +1,13 @@ +Index: crypto/heimdal/lib/gssapi/krb5/prf.c +=================================================================== +--- crypto/heimdal/lib/gssapi/krb5/prf.c (revision 267806) ++++ crypto/heimdal/lib/gssapi/krb5/prf.c (working copy) +@@ -117,7 +117,7 @@ _gsskrb5_pseudo_random(OM_uint32 *minor_status, + num = 0; + p = prf_out->value; + while(desired_output_len > 0) { +- _gsskrb5_encode_om_uint32(num, input.data); ++ _gsskrb5_encode_be_om_uint32(num, input.data); + ret = krb5_crypto_prf(context, crypto, &input, &output); + if (ret) { + OM_uint32 junk; diff --git a/share/security/patches/EN-14:08/heimdal.patch.asc b/share/security/patches/EN-14:08/heimdal.patch.asc new file mode 100644 index 0000000000..df4e6ff3d8 --- /dev/null +++ b/share/security/patches/EN-14:08/heimdal.patch.asc @@ -0,0 +1,17 @@ +-----BEGIN PGP SIGNATURE----- +Version: GnuPG v2 + +iQIcBAABCgAGBQJTqc/GAAoJEO1n7NZdz2rneCAP/Ay62O3KiG8sQoCgH/3aTcV2 +k0OhOBxvRsTAaiOy5EVT+BMtZWymDBWiiFZueL6jpYEy3LthqAmguj9KMWC0k6ni +a6ETu8IzPWjqmYodqcPEM0dfDsovSzDxP2iAdKwcCrY379d/7hPvmhVR2IMt7oXj +7aeu1zDZtubw5SkpS9Vy6X8yynuz3caxqaUjmRuumonZ+isrQxeC8taXQP/nFIs1 +F71Il7LluEf9Abieh9R1m6mVftABGju9TSvmzHtjuBd0jzInBpegDlxeD3sw4mqa +TWHKABsd9DqEnghkTN3f0CQ+ba8/KEcN5hR+xpjWGw+8GjilkE5JswIM8W9iQK61 +BIim1dwS4WwLxIxgQtaHwSXrWq5yVrSFwq3sy5yUCa/dZVr4U+vlr4YHZtEw0V+H +MUh8/3087XlLskNVA7zYQMyjO0f0BUVB5V28VZQJnrywPzHCP/ZHCKboqTmGA5t6 +19MaloslnSpCp73T+ooQ+aiv5j8FGKJfhXOKHkrrj6wocNq1iqsc0coVWv3TtN1J +GAM00xKyxQLe2nVP+EPQJt1uDdNvcPfXCbNzzQbyW4wnRklBuXqIKKeZn/vYTIYE +x0oPHPPgAihot6gP2ZZRclT0kpqdJWFGw6fjsBJINBrMPAlClwPUQtelUkueaxtz +PGj8k8GVtsFOjgvqsRfb +=QKVG +-----END PGP SIGNATURE----- diff --git a/share/security/patches/SA-14:15/iconv.patch b/share/security/patches/SA-14:15/iconv.patch new file mode 100644 index 0000000000..5ac0ac822f --- /dev/null +++ b/share/security/patches/SA-14:15/iconv.patch @@ -0,0 +1,175 @@ +Index: lib/libc/iconv/citrus_prop.c +=================================================================== +--- lib/libc/iconv/citrus_prop.c (revision 267591) ++++ lib/libc/iconv/citrus_prop.c (working copy) +@@ -339,7 +339,7 @@ name_found: + + static int + _citrus_prop_parse_element(struct _memstream * __restrict ms, +- const _citrus_prop_hint_t * __restrict hints, void ** __restrict context) ++ const _citrus_prop_hint_t * __restrict hints, void * __restrict context) + { + int ch, errnum; + #define _CITRUS_PROP_HINT_NAME_LEN_MAX 255 +@@ -435,8 +435,7 @@ _citrus_prop_parse_variable(const _citrus_prop_hin + if (ch == EOF || ch == '\0') + break; + _memstream_ungetc(&ms, ch); +- errnum = _citrus_prop_parse_element( +- &ms, hints, (void ** __restrict)context); ++ errnum = _citrus_prop_parse_element(&ms, hints, context); + if (errnum != 0) + return (errnum); + } +Index: lib/libc/iconv/citrus_prop.h +=================================================================== +--- lib/libc/iconv/citrus_prop.h (revision 267591) ++++ lib/libc/iconv/citrus_prop.h (working copy) +@@ -42,7 +42,7 @@ typedef struct _citrus_prop_hint_t _citrus_prop_hi + + #define _CITRUS_PROP_CB0_T(_func_, _type_) \ + typedef int (*_citrus_prop_##_func_##_cb_func_t) \ +- (void ** __restrict, const char *, _type_); \ ++ (void * __restrict, const char *, _type_); \ + typedef struct { \ + _citrus_prop_##_func_##_cb_func_t func; \ + } _citrus_prop_##_func_##_cb_t; +@@ -52,7 +52,7 @@ _CITRUS_PROP_CB0_T(str, const char *) + + #define _CITRUS_PROP_CB1_T(_func_, _type_) \ + typedef int (*_citrus_prop_##_func_##_cb_func_t) \ +- (void ** __restrict, const char *, _type_, _type_); \ ++ (void * __restrict, const char *, _type_, _type_); \ + typedef struct { \ + _citrus_prop_##_func_##_cb_func_t func; \ + } _citrus_prop_##_func_##_cb_t; +Index: lib/libiconv_modules/BIG5/citrus_big5.c +=================================================================== +--- lib/libiconv_modules/BIG5/citrus_big5.c (revision 267591) ++++ lib/libiconv_modules/BIG5/citrus_big5.c (working copy) +@@ -170,7 +170,7 @@ _citrus_BIG5_check_excludes(_BIG5EncodingInfo *ei, + } + + static int +-_citrus_BIG5_fill_rowcol(void ** __restrict ctx, const char * __restrict s, ++_citrus_BIG5_fill_rowcol(void * __restrict ctx, const char * __restrict s, + uint64_t start, uint64_t end) + { + _BIG5EncodingInfo *ei; +@@ -189,7 +189,7 @@ static int + + static int + /*ARGSUSED*/ +-_citrus_BIG5_fill_excludes(void ** __restrict ctx, ++_citrus_BIG5_fill_excludes(void * __restrict ctx, + const char * __restrict s __unused, uint64_t start, uint64_t end) + { + _BIG5EncodingInfo *ei; +@@ -235,7 +235,6 @@ static int + _citrus_BIG5_encoding_module_init(_BIG5EncodingInfo * __restrict ei, + const void * __restrict var, size_t lenvar) + { +- void *ctx = (void *)ei; + const char *s; + int err; + +@@ -257,9 +256,9 @@ _citrus_BIG5_encoding_module_init(_BIG5EncodingInf + } + + /* fallback Big5-1984, for backward compatibility. */ +- _citrus_BIG5_fill_rowcol((void **)&ctx, "row", 0xA1, 0xFE); +- _citrus_BIG5_fill_rowcol((void **)&ctx, "col", 0x40, 0x7E); +- _citrus_BIG5_fill_rowcol((void **)&ctx, "col", 0xA1, 0xFE); ++ _citrus_BIG5_fill_rowcol(ei, "row", 0xA1, 0xFE); ++ _citrus_BIG5_fill_rowcol(ei, "col", 0x40, 0x7E); ++ _citrus_BIG5_fill_rowcol(ei, "col", 0xA1, 0xFE); + + return (0); + } +Index: lib/libiconv_modules/HZ/citrus_hz.c +=================================================================== +--- lib/libiconv_modules/HZ/citrus_hz.c (revision 267591) ++++ lib/libiconv_modules/HZ/citrus_hz.c (working copy) +@@ -65,8 +65,8 @@ typedef enum { + } charset_t; + + typedef struct { ++ int start; + int end; +- int start; + int width; + } range_t; + +@@ -503,12 +503,12 @@ _citrus_HZ_encoding_module_uninit(_HZEncodingInfo + } + + static int +-_citrus_HZ_parse_char(void **context, const char *name __unused, const char *s) ++_citrus_HZ_parse_char(void *context, const char *name __unused, const char *s) + { + escape_t *escape; + void **p; + +- p = (void **)*context; ++ p = (void **)context; + escape = (escape_t *)p[0]; + if (escape->ch != '\0') + return (EINVAL); +@@ -520,7 +520,7 @@ static int + } + + static int +-_citrus_HZ_parse_graphic(void **context, const char *name, const char *s) ++_citrus_HZ_parse_graphic(void *context, const char *name, const char *s) + { + _HZEncodingInfo *ei; + escape_t *escape; +@@ -527,7 +527,7 @@ static int + graphic_t *graphic; + void **p; + +- p = (void **)*context; ++ p = (void **)context; + escape = (escape_t *)p[0]; + ei = (_HZEncodingInfo *)p[1]; + graphic = malloc(sizeof(*graphic)); +@@ -589,13 +589,13 @@ _CITRUS_PROP_HINT_END + }; + + static int +-_citrus_HZ_parse_escape(void **context, const char *name, const char *s) ++_citrus_HZ_parse_escape(void *context, const char *name, const char *s) + { + _HZEncodingInfo *ei; + escape_t *escape; + void *p[2]; + +- ei = (_HZEncodingInfo *)*context; ++ ei = (_HZEncodingInfo *)context; + escape = malloc(sizeof(*escape)); + if (escape == NULL) + return (EINVAL); +Index: lib/libiconv_modules/VIQR/citrus_viqr.c +=================================================================== +--- lib/libiconv_modules/VIQR/citrus_viqr.c (revision 267591) ++++ lib/libiconv_modules/VIQR/citrus_viqr.c (working copy) +@@ -431,7 +431,6 @@ static int + _citrus_VIQR_encoding_module_init(_VIQREncodingInfo * __restrict ei, + const void * __restrict var __unused, size_t lenvar __unused) + { +- const mnemonic_def_t *p; + const char *s; + size_t i, n; + int errnum; +@@ -455,7 +454,10 @@ _citrus_VIQR_encoding_module_init(_VIQREncodingInf + return (errnum); + } + } +- for (i = 0;; ++i) { ++ /* a + 1 < b + 1 here to silence gcc warning about unsigned < 0. */ ++ for (i = 0; i + 1 < mnemonic_ext_size + 1; ++i) { ++ const mnemonic_def_t *p; ++ + p = &mnemonic_ext[i]; + n = strlen(p->name); + if (ei->mb_cur_max < n) diff --git a/share/security/patches/SA-14:15/iconv.patch.asc b/share/security/patches/SA-14:15/iconv.patch.asc new file mode 100644 index 0000000000..6a6932e09b --- /dev/null +++ b/share/security/patches/SA-14:15/iconv.patch.asc @@ -0,0 +1,17 @@ +-----BEGIN PGP SIGNATURE----- +Version: GnuPG v2 + +iQIcBAABCgAGBQJTqc+xAAoJEO1n7NZdz2rnGpkP/0rm6huVPDIo3qTvfuXyKVvX +MGbc8+35EfDSUxAYLkQIJxiEF88+chJrEqyivP311+IMFUXdyplQvXQiZcTKXdPp +hYVa7wCeC7BbdXILiw+hi9J5TI4QiE+b4Kmn83DIS/iYols4tRpUVXN4OCFaO3BR +oW5RuCI/VBVqwUm+3pZhz1GuzPOmZo+8KxdHk3nmSmoad6SNvPB0W3QY53P2J96E +8euOJGM/38QWav2g7QsQeI+MAx2jcxUmRIQVfCblfXG1O0izNjuC8hjqJptSvBpc +uvJAhQxptludfAa7/ZnW4ws/dJz4ekNSlerjRpNiXE0Hr2r2TAM8cFwG9AbVThga +wZ8+rHFOC30kIJ6uvZbpTPHNSHxu4pVyOOoh4Tfr1xpDqb/3ktSXfXX6bgXPrhMI +PdBVVACYGbdurQU8Z65JbMmNx96Sl79w8mOHrMSeVS3pRL7FtJ4J+c8sOLyiaouM +kIf+vbqSPHRqpkCtmmKP6QM+qrfhrlzmYwyNTE2pKautaGNCyAMY3lrKhbEr7llK +L4YZ9/9Z6ivZZZDhAZbzcJrWQOuW0wmt7E2CyC1TOHOBjI6202J/++ZWSmmsexWF +mWNai/3IqCGd24unHHxdrTUSw+b99pL+HAgAdTQZ2dg3Qh/qC0PAcICBoWDgS0sM +Q34JUXT4cVpCqHeFhPkp +=gJzF +-----END PGP SIGNATURE----- diff --git a/share/security/patches/SA-14:16/file-8.4.patch b/share/security/patches/SA-14:16/file-8.4.patch new file mode 100644 index 0000000000..179c84851c --- /dev/null +++ b/share/security/patches/SA-14:16/file-8.4.patch @@ -0,0 +1,1891 @@ +Index: contrib/file/ascmagic.c +=================================================================== +--- contrib/file/ascmagic.c (revision 267806) ++++ contrib/file/ascmagic.c (working copy) +@@ -151,7 +151,7 @@ file_ascmagic_with_encoding(struct magic_set *ms, + if ((utf8_end = encode_utf8(utf8_buf, mlen, ubuf, ulen)) == NULL) + goto done; + if ((rv = file_softmagic(ms, utf8_buf, (size_t)(utf8_end - utf8_buf), +- TEXTTEST)) != 0) ++ 0, TEXTTEST)) != 0) + goto done; + else + rv = -1; +Index: contrib/file/cdf.c +=================================================================== +--- contrib/file/cdf.c (revision 267806) ++++ contrib/file/cdf.c (working copy) +@@ -24,15 +24,18 @@ + * POSSIBILITY OF SUCH DAMAGE. + */ + /* +- * Parse composite document files, the format used in Microsoft Office +- * document files before they switched to zipped xml. ++ * Parse Composite Document Files, the format used in Microsoft Office ++ * document files before they switched to zipped XML. + * Info from: http://sc.openoffice.org/compdocfileformat.pdf ++ * ++ * N.B. This is the "Composite Document File" format, and not the ++ * "Compound Document Format", nor the "Channel Definition Format". + */ + + #include "file.h" + + #ifndef lint +-FILE_RCSID("@(#)$File: cdf.c,v 1.30 2009/05/06 14:29:47 christos Exp $") ++FILE_RCSID("@(#)$File: cdf.c,v 1.49 2012/02/20 20:04:37 christos Exp $") + #endif + + #include <assert.h> +@@ -44,6 +47,9 @@ + #include <string.h> + #include <time.h> + #include <ctype.h> ++#ifdef HAVE_LIMITS_H ++#include <limits.h> ++#endif + + #ifndef EFTYPE + #define EFTYPE EINVAL +@@ -51,10 +57,6 @@ + + #include "cdf.h" + +-#ifndef __arraycount +-#define __arraycount(a) (sizeof(a) / sizeof(a[0])) +-#endif +- + #ifdef CDF_DEBUG + #define DPRINTF(a) printf a, fflush(stdout) + #else +@@ -68,19 +70,21 @@ static union { + + #define NEED_SWAP (cdf_bo.u == (uint32_t)0x01020304) + +-#define CDF_TOLE8(x) (NEED_SWAP ? cdf_tole8(x) : (uint64_t)(x)) +-#define CDF_TOLE4(x) (NEED_SWAP ? cdf_tole4(x) : (uint32_t)(x)) +-#define CDF_TOLE2(x) (NEED_SWAP ? cdf_tole2(x) : (uint16_t)(x)) ++#define CDF_TOLE8(x) ((uint64_t)(NEED_SWAP ? _cdf_tole8(x) : (uint64_t)(x))) ++#define CDF_TOLE4(x) ((uint32_t)(NEED_SWAP ? _cdf_tole4(x) : (uint32_t)(x))) ++#define CDF_TOLE2(x) ((uint16_t)(NEED_SWAP ? _cdf_tole2(x) : (uint16_t)(x))) ++#define CDF_GETUINT32(x, y) cdf_getuint32(x, y) + ++ + /* + * swap a short + */ +-uint16_t +-cdf_tole2(uint16_t sv) ++static uint16_t ++_cdf_tole2(uint16_t sv) + { + uint16_t rv; +- uint8_t *s = (uint8_t *)(void *)&sv; +- uint8_t *d = (uint8_t *)(void *)&rv; ++ uint8_t *s = (uint8_t *)(void *)&sv; ++ uint8_t *d = (uint8_t *)(void *)&rv; + d[0] = s[1]; + d[1] = s[0]; + return rv; +@@ -89,12 +93,12 @@ static union { + /* + * swap an int + */ +-uint32_t +-cdf_tole4(uint32_t sv) ++static uint32_t ++_cdf_tole4(uint32_t sv) + { + uint32_t rv; +- uint8_t *s = (uint8_t *)(void *)&sv; +- uint8_t *d = (uint8_t *)(void *)&rv; ++ uint8_t *s = (uint8_t *)(void *)&sv; ++ uint8_t *d = (uint8_t *)(void *)&rv; + d[0] = s[3]; + d[1] = s[2]; + d[2] = s[1]; +@@ -105,12 +109,12 @@ static union { + /* + * swap a quad + */ +-uint64_t +-cdf_tole8(uint64_t sv) ++static uint64_t ++_cdf_tole8(uint64_t sv) + { + uint64_t rv; +- uint8_t *s = (uint8_t *)(void *)&sv; +- uint8_t *d = (uint8_t *)(void *)&rv; ++ uint8_t *s = (uint8_t *)(void *)&sv; ++ uint8_t *d = (uint8_t *)(void *)&rv; + d[0] = s[7]; + d[1] = s[6]; + d[2] = s[5]; +@@ -122,11 +126,41 @@ static union { + return rv; + } + ++/* ++ * grab a uint32_t from a possibly unaligned address, and return it in ++ * the native host order. ++ */ ++static uint32_t ++cdf_getuint32(const uint8_t *p, size_t offs) ++{ ++ uint32_t rv; ++ (void)memcpy(&rv, p + offs * sizeof(uint32_t), sizeof(rv)); ++ return CDF_TOLE4(rv); ++} ++ + #define CDF_UNPACK(a) \ + (void)memcpy(&(a), &buf[len], sizeof(a)), len += sizeof(a) + #define CDF_UNPACKA(a) \ + (void)memcpy((a), &buf[len], sizeof(a)), len += sizeof(a) + ++uint16_t ++cdf_tole2(uint16_t sv) ++{ ++ return CDF_TOLE2(sv); ++} ++ ++uint32_t ++cdf_tole4(uint32_t sv) ++{ ++ return CDF_TOLE4(sv); ++} ++ ++uint64_t ++cdf_tole8(uint64_t sv) ++{ ++ return CDF_TOLE8(sv); ++} ++ + void + cdf_swap_header(cdf_header_t *h) + { +@@ -145,15 +179,15 @@ cdf_swap_header(cdf_header_t *h) + h->h_min_size_standard_stream = + CDF_TOLE4(h->h_min_size_standard_stream); + h->h_secid_first_sector_in_short_sat = +- CDF_TOLE4(h->h_secid_first_sector_in_short_sat); ++ CDF_TOLE4((uint32_t)h->h_secid_first_sector_in_short_sat); + h->h_num_sectors_in_short_sat = + CDF_TOLE4(h->h_num_sectors_in_short_sat); + h->h_secid_first_sector_in_master_sat = +- CDF_TOLE4(h->h_secid_first_sector_in_master_sat); ++ CDF_TOLE4((uint32_t)h->h_secid_first_sector_in_master_sat); + h->h_num_sectors_in_master_sat = + CDF_TOLE4(h->h_num_sectors_in_master_sat); + for (i = 0; i < __arraycount(h->h_master_sat); i++) +- h->h_master_sat[i] = CDF_TOLE4(h->h_master_sat[i]); ++ h->h_master_sat[i] = CDF_TOLE4((uint32_t)h->h_master_sat[i]); + } + + void +@@ -186,15 +220,15 @@ void + cdf_swap_dir(cdf_directory_t *d) + { + d->d_namelen = CDF_TOLE2(d->d_namelen); +- d->d_left_child = CDF_TOLE4(d->d_left_child); +- d->d_right_child = CDF_TOLE4(d->d_right_child); +- d->d_storage = CDF_TOLE4(d->d_storage); ++ d->d_left_child = CDF_TOLE4((uint32_t)d->d_left_child); ++ d->d_right_child = CDF_TOLE4((uint32_t)d->d_right_child); ++ d->d_storage = CDF_TOLE4((uint32_t)d->d_storage); + d->d_storage_uuid[0] = CDF_TOLE8(d->d_storage_uuid[0]); + d->d_storage_uuid[1] = CDF_TOLE8(d->d_storage_uuid[1]); + d->d_flags = CDF_TOLE4(d->d_flags); +- d->d_created = CDF_TOLE8(d->d_created); +- d->d_modified = CDF_TOLE8(d->d_modified); +- d->d_stream_first_sector = CDF_TOLE4(d->d_stream_first_sector); ++ d->d_created = CDF_TOLE8((uint64_t)d->d_created); ++ d->d_modified = CDF_TOLE8((uint64_t)d->d_modified); ++ d->d_stream_first_sector = CDF_TOLE4((uint32_t)d->d_stream_first_sector); + d->d_size = CDF_TOLE4(d->d_size); + } + +@@ -228,14 +262,18 @@ cdf_unpack_dir(cdf_directory_t *d, char *buf) + } + + static int +-cdf_check_stream_offset(const cdf_stream_t *sst, const void *p, size_t tail) ++cdf_check_stream_offset(const cdf_stream_t *sst, const cdf_header_t *h, ++ const void *p, size_t tail, int line) + { + const char *b = (const char *)sst->sst_tab; + const char *e = ((const char *)p) + tail; +- if (e >= b && (size_t)(e - b) < sst->sst_dirlen * sst->sst_len) ++ (void)&line; ++ if (e >= b && (size_t)(e - b) < CDF_SEC_SIZE(h) * sst->sst_len) + return 0; +- DPRINTF((stderr, "offset begin %p end %p %zu >= %zu\n", b, e, +- (size_t)(e - b), sst->sst_dirlen * sst->sst_len)); ++ DPRINTF(("%d: offset begin %p end %p %" SIZE_T_FORMAT "u" ++ " >= %" SIZE_T_FORMAT "u [%" SIZE_T_FORMAT "u %" ++ SIZE_T_FORMAT "u]\n", line, b, e, (size_t)(e - b), ++ CDF_SEC_SIZE(h) * sst->sst_len, CDF_SEC_SIZE(h), sst->sst_len)); + errno = EFTYPE; + return -1; + } +@@ -278,7 +316,8 @@ cdf_read_header(const cdf_info_t *info, cdf_header + cdf_unpack_header(h, buf); + cdf_swap_header(h); + if (h->h_magic != CDF_MAGIC) { +- DPRINTF(("Bad magic 0x%llx != 0x%llx\n", ++ DPRINTF(("Bad magic 0x%" INT64_T_FORMAT "x != 0x%" ++ INT64_T_FORMAT "x\n", + (unsigned long long)h->h_magic, + (unsigned long long)CDF_MAGIC)); + goto out; +@@ -303,9 +342,10 @@ ssize_t + cdf_read_sector(const cdf_info_t *info, void *buf, size_t offs, size_t len, + const cdf_header_t *h, cdf_secid_t id) + { +- assert((size_t)CDF_SEC_SIZE(h) == len); +- return cdf_read(info, (off_t)CDF_SEC_POS(h, id), +- ((char *)buf) + offs, len); ++ size_t ss = CDF_SEC_SIZE(h); ++ size_t pos = CDF_SEC_POS(h, id); ++ assert(ss == len); ++ return cdf_read(info, (off_t)pos, ((char *)buf) + offs, len); + } + + ssize_t +@@ -312,9 +352,17 @@ ssize_t + cdf_read_short_sector(const cdf_stream_t *sst, void *buf, size_t offs, + size_t len, const cdf_header_t *h, cdf_secid_t id) + { +- assert((size_t)CDF_SHORT_SEC_SIZE(h) == len); ++ size_t ss = CDF_SHORT_SEC_SIZE(h); ++ size_t pos = CDF_SHORT_SEC_POS(h, id); ++ assert(ss == len); ++ if (pos > CDF_SEC_SIZE(h) * sst->sst_len) { ++ DPRINTF(("Out of bounds read %" SIZE_T_FORMAT "u > %" ++ SIZE_T_FORMAT "u\n", ++ pos, CDF_SEC_SIZE(h) * sst->sst_len)); ++ return -1; ++ } + (void)memcpy(((char *)buf) + offs, +- ((const char *)sst->sst_tab) + CDF_SHORT_SEC_POS(h, id), len); ++ ((const char *)sst->sst_tab) + pos, len); + return len; + } + +@@ -334,17 +382,20 @@ cdf_read_sat(const cdf_info_t *info, cdf_header_t + break; + + #define CDF_SEC_LIMIT (UINT32_MAX / (4 * ss)) +- if (h->h_num_sectors_in_master_sat > CDF_SEC_LIMIT / nsatpersec || ++ if ((nsatpersec > 0 && ++ h->h_num_sectors_in_master_sat > CDF_SEC_LIMIT / nsatpersec) || + i > CDF_SEC_LIMIT) { +- DPRINTF(("Number of sectors in master SAT too big %u %zu\n", +- h->h_num_sectors_in_master_sat, i)); ++ DPRINTF(("Number of sectors in master SAT too big %u %" ++ SIZE_T_FORMAT "u\n", h->h_num_sectors_in_master_sat, i)); + errno = EFTYPE; + return -1; + } + + sat->sat_len = h->h_num_sectors_in_master_sat * nsatpersec + i; +- DPRINTF(("sat_len = %zu ss = %zu\n", sat->sat_len, ss)); +- if ((sat->sat_tab = calloc(sat->sat_len, ss)) == NULL) ++ DPRINTF(("sat_len = %" SIZE_T_FORMAT "u ss = %" SIZE_T_FORMAT "u\n", ++ sat->sat_len, ss)); ++ if ((sat->sat_tab = CAST(cdf_secid_t *, calloc(sat->sat_len, ss))) ++ == NULL) + return -1; + + for (i = 0; i < __arraycount(h->h_master_sat); i++) { +@@ -357,7 +408,7 @@ cdf_read_sat(const cdf_info_t *info, cdf_header_t + } + } + +- if ((msa = calloc(1, ss)) == NULL) ++ if ((msa = CAST(cdf_secid_t *, calloc(1, ss))) == NULL) + goto out1; + + mid = h->h_secid_first_sector_in_master_sat; +@@ -374,12 +425,12 @@ cdf_read_sat(const cdf_info_t *info, cdf_header_t + goto out2; + } + for (k = 0; k < nsatpersec; k++, i++) { +- sec = CDF_TOLE4(msa[k]); ++ sec = CDF_TOLE4((uint32_t)msa[k]); + if (sec < 0) + goto out; + if (i >= sat->sat_len) { +- DPRINTF(("Out of bounds reading MSA %u >= %u", +- i, sat->sat_len)); ++ DPRINTF(("Out of bounds reading MSA %" SIZE_T_FORMAT ++ "u >= %" SIZE_T_FORMAT "u", i, sat->sat_len)); + errno = EFTYPE; + goto out2; + } +@@ -390,7 +441,7 @@ cdf_read_sat(const cdf_info_t *info, cdf_header_t + goto out2; + } + } +- mid = CDF_TOLE4(msa[nsatpersec]); ++ mid = CDF_TOLE4((uint32_t)msa[nsatpersec]); + } + out: + sat->sat_len = i; +@@ -422,7 +473,7 @@ cdf_count_chain(const cdf_sat_t *sat, cdf_secid_t + errno = EFTYPE; + return (size_t)-1; + } +- sid = CDF_TOLE4(sat->sat_tab[sid]); ++ sid = CDF_TOLE4((uint32_t)sat->sat_tab[sid]); + } + DPRINTF(("\n")); + return i; +@@ -452,7 +503,8 @@ cdf_read_long_sector_chain(const cdf_info_t *info, + } + if (i >= scn->sst_len) { + DPRINTF(("Out of bounds reading long sector chain " +- "%u > %u\n", i, scn->sst_len)); ++ "%" SIZE_T_FORMAT "u > %" SIZE_T_FORMAT "u\n", i, ++ scn->sst_len)); + errno = EFTYPE; + goto out; + } +@@ -465,7 +517,7 @@ cdf_read_long_sector_chain(const cdf_info_t *info, + DPRINTF(("Reading long sector chain %d", sid)); + goto out; + } +- sid = CDF_TOLE4(sat->sat_tab[sid]); ++ sid = CDF_TOLE4((uint32_t)sat->sat_tab[sid]); + } + return 0; + out: +@@ -497,7 +549,8 @@ cdf_read_short_sector_chain(const cdf_header_t *h, + } + if (i >= scn->sst_len) { + DPRINTF(("Out of bounds reading short sector chain " +- "%u > %u\n", i, scn->sst_len)); ++ "%" SIZE_T_FORMAT "u > %" SIZE_T_FORMAT "u\n", ++ i, scn->sst_len)); + errno = EFTYPE; + goto out; + } +@@ -506,7 +559,7 @@ cdf_read_short_sector_chain(const cdf_header_t *h, + DPRINTF(("Reading short sector chain %d", sid)); + goto out; + } +- sid = CDF_TOLE4(ssat->sat_tab[sid]); ++ sid = CDF_TOLE4((uint32_t)ssat->sat_tab[sid]); + } + return 0; + out: +@@ -520,7 +573,7 @@ cdf_read_sector_chain(const cdf_info_t *info, cons + cdf_secid_t sid, size_t len, cdf_stream_t *scn) + { + +- if (len < h->h_min_size_standard_stream) ++ if (len < h->h_min_size_standard_stream && sst->sst_tab != NULL) + return cdf_read_short_sector_chain(h, ssat, sst, sid, len, + scn); + else +@@ -543,11 +596,12 @@ cdf_read_dir(const cdf_info_t *info, const cdf_hea + nd = ss / CDF_DIRECTORY_SIZE; + + dir->dir_len = ns * nd; +- dir->dir_tab = calloc(dir->dir_len, sizeof(dir->dir_tab[0])); ++ dir->dir_tab = CAST(cdf_directory_t *, ++ calloc(dir->dir_len, sizeof(dir->dir_tab[0]))); + if (dir->dir_tab == NULL) + return -1; + +- if ((buf = malloc(ss)) == NULL) { ++ if ((buf = CAST(char *, malloc(ss))) == NULL) { + free(dir->dir_tab); + return -1; + } +@@ -566,7 +620,7 @@ cdf_read_dir(const cdf_info_t *info, const cdf_hea + cdf_unpack_dir(&dir->dir_tab[i * nd + j], + &buf[j * CDF_DIRECTORY_SIZE]); + } +- sid = CDF_TOLE4(sat->sat_tab[sid]); ++ sid = CDF_TOLE4((uint32_t)sat->sat_tab[sid]); + } + if (NEED_SWAP) + for (i = 0; i < dir->dir_len; i++) +@@ -592,7 +646,7 @@ cdf_read_ssat(const cdf_info_t *info, const cdf_he + if (ssat->sat_len == (size_t)-1) + return -1; + +- ssat->sat_tab = calloc(ssat->sat_len, ss); ++ ssat->sat_tab = CAST(cdf_secid_t *, calloc(ssat->sat_len, ss)); + if (ssat->sat_tab == NULL) + return -1; + +@@ -604,7 +658,8 @@ cdf_read_ssat(const cdf_info_t *info, const cdf_he + } + if (i >= ssat->sat_len) { + DPRINTF(("Out of bounds reading short sector chain " +- "%u > %u\n", i, ssat->sat_len)); ++ "%" SIZE_T_FORMAT "u > %" SIZE_T_FORMAT "u\n", i, ++ ssat->sat_len)); + errno = EFTYPE; + goto out; + } +@@ -613,7 +668,7 @@ cdf_read_ssat(const cdf_info_t *info, const cdf_he + DPRINTF(("Reading short sat sector %d", sid)); + goto out; + } +- sid = CDF_TOLE4(sat->sat_tab[sid]); ++ sid = CDF_TOLE4((uint32_t)sat->sat_tab[sid]); + } + return 0; + out: +@@ -641,7 +696,7 @@ cdf_read_short_stream(const cdf_info_t *info, cons + if (d->d_stream_first_sector < 0) + goto out; + +- return cdf_read_long_sector_chain(info, h, sat, ++ return cdf_read_long_sector_chain(info, h, sat, + d->d_stream_first_sector, d->d_size, scn); + out: + scn->sst_tab = NULL; +@@ -668,29 +723,29 @@ cdf_read_summary_info(const cdf_info_t *info, cons + const cdf_directory_t *d; + static const char name[] = "\05SummaryInformation"; + +- for (i = 0; i < dir->dir_len; i++) +- if (dir->dir_tab[i].d_type == CDF_DIR_TYPE_USER_STREAM && +- cdf_namecmp(name, dir->dir_tab[i].d_name, sizeof(name)) ++ for (i = dir->dir_len; i > 0; i--) ++ if (dir->dir_tab[i - 1].d_type == CDF_DIR_TYPE_USER_STREAM && ++ cdf_namecmp(name, dir->dir_tab[i - 1].d_name, sizeof(name)) + == 0) + break; + +- if (i == dir->dir_len) { ++ if (i == 0) { + DPRINTF(("Cannot find summary information section\n")); +- errno = EFTYPE; ++ errno = ESRCH; + return -1; + } +- d = &dir->dir_tab[i]; ++ d = &dir->dir_tab[i - 1]; + return cdf_read_sector_chain(info, h, sat, ssat, sst, + d->d_stream_first_sector, d->d_size, scn); + } + + int +-cdf_read_property_info(const cdf_stream_t *sst, uint32_t offs, +- cdf_property_info_t **info, size_t *count, size_t *maxcount) ++cdf_read_property_info(const cdf_stream_t *sst, const cdf_header_t *h, ++ uint32_t offs, cdf_property_info_t **info, size_t *count, size_t *maxcount) + { + const cdf_section_header_t *shp; + cdf_section_header_t sh; +- const uint32_t *p, *q, *e; ++ const uint8_t *p, *q, *e; + int16_t s16; + int32_t s32; + uint32_t u32; +@@ -697,7 +752,7 @@ int + int64_t s64; + uint64_t u64; + cdf_timestamp_t tp; +- size_t i, o, nelements, j; ++ size_t i, o, o4, nelements, j; + cdf_property_info_t *inp; + + if (offs > UINT32_MAX / 4) { +@@ -704,8 +759,9 @@ int + errno = EFTYPE; + goto out; + } +- shp = (const void *)((const char *)sst->sst_tab + offs); +- if (cdf_check_stream_offset(sst, shp, sizeof(*shp)) == -1) ++ shp = CAST(const cdf_section_header_t *, (const void *) ++ ((const char *)sst->sst_tab + offs)); ++ if (cdf_check_stream_offset(sst, h, shp, sizeof(*shp), __LINE__) == -1) + goto out; + sh.sh_len = CDF_TOLE4(shp->sh_len); + #define CDF_SHLEN_LIMIT (UINT32_MAX / 8) +@@ -723,10 +779,12 @@ int + if (*maxcount > CDF_PROP_LIMIT) + goto out; + *maxcount += sh.sh_properties; +- inp = realloc(*info, *maxcount * sizeof(*inp)); ++ inp = CAST(cdf_property_info_t *, ++ realloc(*info, *maxcount * sizeof(*inp))); + } else { + *maxcount = sh.sh_properties; +- inp = malloc(*maxcount * sizeof(*inp)); ++ inp = CAST(cdf_property_info_t *, ++ malloc(*maxcount * sizeof(*inp))); + } + if (inp == NULL) + goto out; +@@ -733,65 +791,87 @@ int + *info = inp; + inp += *count; + *count += sh.sh_properties; +- p = (const void *)((const char *)sst->sst_tab + offs + sizeof(sh)); +- e = (const void *)(((const char *)shp) + sh.sh_len); +- if (cdf_check_stream_offset(sst, e, 0) == -1) ++ p = CAST(const uint8_t *, (const void *) ++ ((const char *)(const void *)sst->sst_tab + ++ offs + sizeof(sh))); ++ e = CAST(const uint8_t *, (const void *) ++ (((const char *)(const void *)shp) + sh.sh_len)); ++ if (cdf_check_stream_offset(sst, h, e, 0, __LINE__) == -1) + goto out; + for (i = 0; i < sh.sh_properties; i++) { +- q = (const uint32_t *)((const char *)p + +- CDF_TOLE4(p[(i << 1) + 1])) - 2; ++ size_t ofs = CDF_GETUINT32(p, (i << 1) + 1); ++ q = (const uint8_t *)(const void *) ++ ((const char *)(const void *)p + ofs ++ - 2 * sizeof(uint32_t)); + if (q > e) { + DPRINTF(("Ran of the end %p > %p\n", q, e)); + goto out; + } +- inp[i].pi_id = CDF_TOLE4(p[i << 1]); +- inp[i].pi_type = CDF_TOLE4(q[0]); +- DPRINTF(("%d) id=%x type=%x offs=%x\n", i, inp[i].pi_id, +- inp[i].pi_type, (const char *)q - (const char *)p)); ++ inp[i].pi_id = CDF_GETUINT32(p, i << 1); ++ inp[i].pi_type = CDF_GETUINT32(q, 0); ++ DPRINTF(("%" SIZE_T_FORMAT "u) id=%x type=%x offs=0x%tx,0x%x\n", ++ i, inp[i].pi_id, inp[i].pi_type, q - p, offs)); + if (inp[i].pi_type & CDF_VECTOR) { +- nelements = CDF_TOLE4(q[1]); ++ nelements = CDF_GETUINT32(q, 1); + o = 2; + } else { + nelements = 1; + o = 1; + } ++ o4 = o * sizeof(uint32_t); + if (inp[i].pi_type & (CDF_ARRAY|CDF_BYREF|CDF_RESERVED)) + goto unknown; + switch (inp[i].pi_type & CDF_TYPEMASK) { ++ case CDF_NULL: + case CDF_EMPTY: + break; + case CDF_SIGNED16: + if (inp[i].pi_type & CDF_VECTOR) + goto unknown; +- (void)memcpy(&s16, &q[o], sizeof(s16)); ++ (void)memcpy(&s16, &q[o4], sizeof(s16)); + inp[i].pi_s16 = CDF_TOLE2(s16); + break; + case CDF_SIGNED32: + if (inp[i].pi_type & CDF_VECTOR) + goto unknown; +- (void)memcpy(&s32, &q[o], sizeof(s32)); +- inp[i].pi_s32 = CDF_TOLE4(s32); ++ (void)memcpy(&s32, &q[o4], sizeof(s32)); ++ inp[i].pi_s32 = CDF_TOLE4((uint32_t)s32); + break; + case CDF_BOOL: + case CDF_UNSIGNED32: + if (inp[i].pi_type & CDF_VECTOR) + goto unknown; +- (void)memcpy(&u32, &q[o], sizeof(u32)); ++ (void)memcpy(&u32, &q[o4], sizeof(u32)); + inp[i].pi_u32 = CDF_TOLE4(u32); + break; + case CDF_SIGNED64: + if (inp[i].pi_type & CDF_VECTOR) + goto unknown; +- (void)memcpy(&s64, &q[o], sizeof(s64)); +- inp[i].pi_s64 = CDF_TOLE4(s64); ++ (void)memcpy(&s64, &q[o4], sizeof(s64)); ++ inp[i].pi_s64 = CDF_TOLE8((uint64_t)s64); + break; + case CDF_UNSIGNED64: + if (inp[i].pi_type & CDF_VECTOR) + goto unknown; +- (void)memcpy(&u64, &q[o], sizeof(u64)); +- inp[i].pi_u64 = CDF_TOLE4(u64); ++ (void)memcpy(&u64, &q[o4], sizeof(u64)); ++ inp[i].pi_u64 = CDF_TOLE8((uint64_t)u64); + break; ++ case CDF_FLOAT: ++ if (inp[i].pi_type & CDF_VECTOR) ++ goto unknown; ++ (void)memcpy(&u32, &q[o4], sizeof(u32)); ++ u32 = CDF_TOLE4(u32); ++ memcpy(&inp[i].pi_f, &u32, sizeof(inp[i].pi_f)); ++ break; ++ case CDF_DOUBLE: ++ if (inp[i].pi_type & CDF_VECTOR) ++ goto unknown; ++ (void)memcpy(&u64, &q[o4], sizeof(u64)); ++ u64 = CDF_TOLE8((uint64_t)u64); ++ memcpy(&inp[i].pi_d, &u64, sizeof(inp[i].pi_d)); ++ break; + case CDF_LENGTH32_STRING: ++ case CDF_LENGTH32_WSTRING: + if (nelements > 1) { + size_t nelem = inp - *info; + if (*maxcount > CDF_PROP_LIMIT +@@ -798,22 +878,30 @@ int + || nelements > CDF_PROP_LIMIT) + goto out; + *maxcount += nelements; +- inp = realloc(*info, *maxcount * sizeof(*inp)); ++ inp = CAST(cdf_property_info_t *, ++ realloc(*info, *maxcount * sizeof(*inp))); + if (inp == NULL) + goto out; + *info = inp; + inp = *info + nelem; + } +- DPRINTF(("nelements = %d\n", nelements)); ++ DPRINTF(("nelements = %" SIZE_T_FORMAT "u\n", ++ nelements)); + for (j = 0; j < nelements; j++, i++) { +- uint32_t l = CDF_TOLE4(q[o]); ++ uint32_t l = CDF_GETUINT32(q, o); + inp[i].pi_str.s_len = l; +- inp[i].pi_str.s_buf = (const char *)(&q[o+1]); +- DPRINTF(("l = %d, r = %d, s = %s\n", l, ++ inp[i].pi_str.s_buf = (const char *) ++ (const void *)(&q[o4 + sizeof(l)]); ++ DPRINTF(("l = %d, r = %" SIZE_T_FORMAT ++ "u, s = %s\n", l, + CDF_ROUND(l, sizeof(l)), + inp[i].pi_str.s_buf)); +- l = 4 + CDF_ROUND(l, sizeof(l)); +- o += l >> 2; ++ if (l & 1) ++ l++; ++ o += l >> 1; ++ if (q + o >= e) ++ goto out; ++ o4 = o * sizeof(uint32_t); + } + i--; + break; +@@ -820,8 +908,8 @@ int + case CDF_FILETIME: + if (inp[i].pi_type & CDF_VECTOR) + goto unknown; +- (void)memcpy(&tp, &q[o], sizeof(tp)); +- inp[i].pi_tp = CDF_TOLE8(tp); ++ (void)memcpy(&tp, &q[o4], sizeof(tp)); ++ inp[i].pi_tp = CDF_TOLE8((uint64_t)tp); + break; + case CDF_CLIPBOARD: + if (inp[i].pi_type & CDF_VECTOR) +@@ -831,7 +919,7 @@ int + unknown: + DPRINTF(("Don't know how to deal with %x\n", + inp[i].pi_type)); +- goto out; ++ break; + } + } + return 0; +@@ -841,16 +929,18 @@ out: + } + + int +-cdf_unpack_summary_info(const cdf_stream_t *sst, cdf_summary_info_header_t *ssi, +- cdf_property_info_t **info, size_t *count) ++cdf_unpack_summary_info(const cdf_stream_t *sst, const cdf_header_t *h, ++ cdf_summary_info_header_t *ssi, cdf_property_info_t **info, size_t *count) + { + size_t i, maxcount; +- const cdf_summary_info_header_t *si = sst->sst_tab; +- const cdf_section_declaration_t *sd = (const void *) +- ((const char *)sst->sst_tab + CDF_SECTION_DECLARATION_OFFSET); ++ const cdf_summary_info_header_t *si = ++ CAST(const cdf_summary_info_header_t *, sst->sst_tab); ++ const cdf_section_declaration_t *sd = ++ CAST(const cdf_section_declaration_t *, (const void *) ++ ((const char *)sst->sst_tab + CDF_SECTION_DECLARATION_OFFSET)); + +- if (cdf_check_stream_offset(sst, si, sizeof(*si)) == -1 || +- cdf_check_stream_offset(sst, sd, sizeof(*sd)) == -1) ++ if (cdf_check_stream_offset(sst, h, si, sizeof(*si), __LINE__) == -1 || ++ cdf_check_stream_offset(sst, h, sd, sizeof(*sd), __LINE__) == -1) + return -1; + ssi->si_byte_order = CDF_TOLE2(si->si_byte_order); + ssi->si_os_version = CDF_TOLE2(si->si_os_version); +@@ -867,9 +957,10 @@ int + errno = EFTYPE; + return -1; + } +- if (cdf_read_property_info(sst, CDF_TOLE4(sd->sd_offset), +- info, count, &maxcount) == -1) ++ if (cdf_read_property_info(sst, h, CDF_TOLE4(sd->sd_offset), ++ info, count, &maxcount) == -1) { + return -1; ++ } + } + return 0; + } +@@ -926,32 +1017,32 @@ cdf_print_property_name(char *buf, size_t bufsiz, + int + cdf_print_elapsed_time(char *buf, size_t bufsiz, cdf_timestamp_t ts) + { +- size_t len = 0; ++ int len = 0; + int days, hours, mins, secs; + + ts /= CDF_TIME_PREC; +- secs = ts % 60; ++ secs = (int)(ts % 60); + ts /= 60; +- mins = ts % 60; ++ mins = (int)(ts % 60); + ts /= 60; +- hours = ts % 24; ++ hours = (int)(ts % 24); + ts /= 24; +- days = ts; ++ days = (int)ts; + + if (days) { + len += snprintf(buf + len, bufsiz - len, "%dd+", days); +- if (len >= bufsiz) ++ if ((size_t)len >= bufsiz) + return len; + } + + if (days || hours) { + len += snprintf(buf + len, bufsiz - len, "%.2d:", hours); +- if (len >= bufsiz) ++ if ((size_t)len >= bufsiz) + return len; + } + + len += snprintf(buf + len, bufsiz - len, "%.2d:", mins); +- if (len >= bufsiz) ++ if ((size_t)len >= bufsiz) + return len; + + len += snprintf(buf + len, bufsiz - len, "%.2d", secs); +@@ -994,13 +1085,14 @@ cdf_dump_sat(const char *prefix, const cdf_sat_t * + size_t i, j, s = size / sizeof(cdf_secid_t); + + for (i = 0; i < sat->sat_len; i++) { +- (void)fprintf(stderr, "%s[%zu]:\n%.6d: ", prefix, i, i * s); ++ (void)fprintf(stderr, "%s[%" SIZE_T_FORMAT "u]:\n%.6" ++ SIZE_T_FORMAT "u: ", prefix, i, i * s); + for (j = 0; j < s; j++) { + (void)fprintf(stderr, "%5d, ", + CDF_TOLE4(sat->sat_tab[s * i + j])); + if ((j + 1) % 10 == 0) +- (void)fprintf(stderr, "\n%.6d: ", +- i * s + j + 1); ++ (void)fprintf(stderr, "\n%.6" SIZE_T_FORMAT ++ "u: ", i * s + j + 1); + } + (void)fprintf(stderr, "\n"); + } +@@ -1019,7 +1111,8 @@ cdf_dump(void *v, size_t len) + if (j == 16) { + j = 0; + abuf[15] = '\0'; +- (void)fprintf(stderr, "%s\n%.4x: ", abuf, i + 1); ++ (void)fprintf(stderr, "%s\n%.4" SIZE_T_FORMAT "x: ", ++ abuf, i + 1); + } + } + (void)fprintf(stderr, "\n"); +@@ -1051,7 +1144,8 @@ cdf_dump_dir(const cdf_info_t *info, const cdf_hea + d = &dir->dir_tab[i]; + for (j = 0; j < sizeof(name); j++) + name[j] = (char)CDF_TOLE2(d->d_name[j]); +- (void)fprintf(stderr, "Directory %zu: %s\n", i, name); ++ (void)fprintf(stderr, "Directory %" SIZE_T_FORMAT "u: %s\n", ++ i, name); + if (d->d_type < __arraycount(types)) + (void)fprintf(stderr, "Type: %s\n", types[d->d_type]); + else +@@ -1062,9 +1156,9 @@ cdf_dump_dir(const cdf_info_t *info, const cdf_hea + (void)fprintf(stderr, "Right child: %d\n", d->d_right_child); + (void)fprintf(stderr, "Flags: 0x%x\n", d->d_flags); + cdf_timestamp_to_timespec(&ts, d->d_created); +- (void)fprintf(stderr, "Created %s", ctime(&ts.tv_sec)); ++ (void)fprintf(stderr, "Created %s", cdf_ctime(&ts.tv_sec)); + cdf_timestamp_to_timespec(&ts, d->d_modified); +- (void)fprintf(stderr, "Modified %s", ctime(&ts.tv_sec)); ++ (void)fprintf(stderr, "Modified %s", cdf_ctime(&ts.tv_sec)); + (void)fprintf(stderr, "Stream %d\n", d->d_stream_first_sector); + (void)fprintf(stderr, "Size %d\n", d->d_size); + switch (d->d_type) { +@@ -1086,7 +1180,7 @@ cdf_dump_dir(const cdf_info_t *info, const cdf_hea + default: + break; + } +- ++ + } + } + +@@ -1096,12 +1190,14 @@ cdf_dump_property_info(const cdf_property_info_t * + cdf_timestamp_t tp; + struct timespec ts; + char buf[64]; +- size_t i; ++ size_t i, j; + + for (i = 0; i < count; i++) { + cdf_print_property_name(buf, sizeof(buf), info[i].pi_id); +- (void)fprintf(stderr, "%zu) %s: ", i, buf); ++ (void)fprintf(stderr, "%" SIZE_T_FORMAT "u) %s: ", i, buf); + switch (info[i].pi_type) { ++ case CDF_NULL: ++ break; + case CDF_SIGNED16: + (void)fprintf(stderr, "signed 16 [%hd]\n", + info[i].pi_s16); +@@ -1114,11 +1210,26 @@ cdf_dump_property_info(const cdf_property_info_t * + (void)fprintf(stderr, "unsigned 32 [%u]\n", + info[i].pi_u32); + break; ++ case CDF_FLOAT: ++ (void)fprintf(stderr, "float [%g]\n", ++ info[i].pi_f); ++ break; ++ case CDF_DOUBLE: ++ (void)fprintf(stderr, "double [%g]\n", ++ info[i].pi_d); ++ break; + case CDF_LENGTH32_STRING: + (void)fprintf(stderr, "string %u [%.*s]\n", + info[i].pi_str.s_len, + info[i].pi_str.s_len, info[i].pi_str.s_buf); + break; ++ case CDF_LENGTH32_WSTRING: ++ (void)fprintf(stderr, "string %u [", ++ info[i].pi_str.s_len); ++ for (j = 0; j < info[i].pi_str.s_len - 1; j++) ++ (void)fputc(info[i].pi_str.s_buf[j << 1], stderr); ++ (void)fprintf(stderr, "]\n"); ++ break; + case CDF_FILETIME: + tp = info[i].pi_tp; + if (tp < 1000000000000000LL) { +@@ -1127,7 +1238,7 @@ cdf_dump_property_info(const cdf_property_info_t * + } else { + cdf_timestamp_to_timespec(&ts, tp); + (void)fprintf(stderr, "timestamp %s", +- ctime(&ts.tv_sec)); ++ cdf_ctime(&ts.tv_sec)); + } + break; + case CDF_CLIPBOARD: +@@ -1151,7 +1262,7 @@ cdf_dump_summary_info(const cdf_header_t *h, const + size_t count; + + (void)&h; +- if (cdf_unpack_summary_info(sst, &ssi, &info, &count) == -1) ++ if (cdf_unpack_summary_info(sst, h, &ssi, &info, &count) == -1) + return; + (void)fprintf(stderr, "Endian: %x\n", ssi.si_byte_order); + (void)fprintf(stderr, "Os Version %d.%d\n", ssi.si_os_version & 0xff, +@@ -1203,7 +1314,7 @@ main(int argc, char *argv[]) + if (cdf_read_ssat(&info, &h, &sat, &ssat) == -1) + err(1, "Cannot read ssat"); + #ifdef CDF_DEBUG +- cdf_dump_sat("SSAT", &h, &ssat, CDF_SHORT_SEC_SIZE(&h)); ++ cdf_dump_sat("SSAT", &ssat, CDF_SHORT_SEC_SIZE(&h)); + #endif + + if (cdf_read_dir(&info, &h, &sat, &dir) == -1) +Index: contrib/file/cdf.h +=================================================================== +--- contrib/file/cdf.h (revision 267806) ++++ contrib/file/cdf.h (working copy) +@@ -24,12 +24,27 @@ + * POSSIBILITY OF SUCH DAMAGE. + */ + /* +- * Info from: http://sc.openoffice.org/compdocfileformat.pdf ++ * Parse Composite Document Files, the format used in Microsoft Office ++ * document files before they switched to zipped XML. ++ * Info from: http://sc.openoffice.org/compdocfileformat.pdf ++ * ++ * N.B. This is the "Composite Document File" format, and not the ++ * "Compound Document Format", nor the "Channel Definition Format". + */ + + #ifndef _H_CDF_ + #define _H_CDF_ + ++#ifdef WIN32 ++#include <winsock2.h> ++#define timespec timeval ++#define tv_nsec tv_usec ++#endif ++#ifdef __DJGPP__ ++#define timespec timeval ++#define tv_nsec tv_usec ++#endif ++ + typedef int32_t cdf_secid_t; + + #define CDF_LOOP_LIMIT 10000 +@@ -36,8 +51,8 @@ typedef int32_t cdf_secid_t; + + #define CDF_SECID_NULL 0 + #define CDF_SECID_FREE -1 +-#define CDF_SECID_END_OF_CHAIN -2 +-#define CDF_SECID_SECTOR_ALLOCATION_TABLE -3 ++#define CDF_SECID_END_OF_CHAIN -2 ++#define CDF_SECID_SECTOR_ALLOCATION_TABLE -3 + #define CDF_SECID_MASTER_SECTOR_ALLOCATION_TABLE -4 + + typedef struct { +@@ -61,15 +76,15 @@ typedef struct { + cdf_secid_t h_master_sat[436/4]; + } cdf_header_t; + +-#define CDF_SEC_SIZE(h) (1 << (h)->h_sec_size_p2) ++#define CDF_SEC_SIZE(h) ((size_t)(1 << (h)->h_sec_size_p2)) + #define CDF_SEC_POS(h, secid) (CDF_SEC_SIZE(h) + (secid) * CDF_SEC_SIZE(h)) +-#define CDF_SHORT_SEC_SIZE(h) (1 << (h)->h_short_sec_size_p2) ++#define CDF_SHORT_SEC_SIZE(h) ((size_t)(1 << (h)->h_short_sec_size_p2)) + #define CDF_SHORT_SEC_POS(h, secid) ((secid) * CDF_SHORT_SEC_SIZE(h)) + +-typedef int32_t cdf_dirid_t; ++typedef int32_t cdf_dirid_t; + #define CDF_DIRID_NULL -1 + +-typedef int64_t cdf_timestamp_t; ++typedef int64_t cdf_timestamp_t; + #define CDF_BASE_YEAR 1601 + #define CDF_TIME_PREC 10000000 + +@@ -78,11 +93,11 @@ typedef struct { + uint16_t d_namelen; + uint8_t d_type; + #define CDF_DIR_TYPE_EMPTY 0 +-#define CDF_DIR_TYPE_USER_STORAGE 1 +-#define CDF_DIR_TYPE_USER_STREAM 2 +-#define CDF_DIR_TYPE_LOCKBYTES 3 +-#define CDF_DIR_TYPE_PROPERTY 4 +-#define CDF_DIR_TYPE_ROOT_STORAGE 5 ++#define CDF_DIR_TYPE_USER_STORAGE 1 ++#define CDF_DIR_TYPE_USER_STREAM 2 ++#define CDF_DIR_TYPE_LOCKBYTES 3 ++#define CDF_DIR_TYPE_PROPERTY 4 ++#define CDF_DIR_TYPE_ROOT_STORAGE 5 + uint8_t d_color; + #define CDF_DIR_COLOR_READ 0 + #define CDF_DIR_COLOR_BLACK 1 +@@ -91,8 +106,8 @@ typedef struct { + cdf_dirid_t d_storage; + uint64_t d_storage_uuid[2]; + uint32_t d_flags; +- cdf_timestamp_t d_created; +- cdf_timestamp_t d_modified; ++ cdf_timestamp_t d_created; ++ cdf_timestamp_t d_modified; + cdf_secid_t d_stream_first_sector; + uint32_t d_size; + uint32_t d_unused0; +@@ -154,7 +169,9 @@ typedef struct { + int32_t _pi_s32; + uint64_t _pi_u64; + int64_t _pi_s64; +- cdf_timestamp_t _pi_tp; ++ cdf_timestamp_t _pi_tp; ++ float _pi_f; ++ double _pi_d; + struct { + uint32_t s_len; + const char *s_buf; +@@ -166,6 +183,8 @@ typedef struct { + #define pi_s32 pi_val._pi_s32 + #define pi_u16 pi_val._pi_u16 + #define pi_s16 pi_val._pi_s16 ++#define pi_f pi_val._pi_f ++#define pi_d pi_val._pi_d + #define pi_tp pi_val._pi_tp + #define pi_str pi_val._pi_str + } cdf_property_info_t; +@@ -174,13 +193,13 @@ typedef struct { + + /* Variant type definitions */ + #define CDF_EMPTY 0x00000000 +-#define CDF_NULL 0x00000001 ++#define CDF_NULL 0x00000001 + #define CDF_SIGNED16 0x00000002 + #define CDF_SIGNED32 0x00000003 + #define CDF_FLOAT 0x00000004 + #define CDF_DOUBLE 0x00000005 + #define CDF_CY 0x00000006 +-#define CDF_DATE 0x00000007 ++#define CDF_DATE 0x00000007 + #define CDF_BSTR 0x00000008 + #define CDF_DISPATCH 0x00000009 + #define CDF_ERROR 0x0000000a +@@ -191,7 +210,7 @@ typedef struct { + #define CDF_SIGNED8 0x00000010 + #define CDF_UNSIGNED8 0x00000011 + #define CDF_UNSIGNED16 0x00000012 +-#define CDF_UNSIGNED32 0x00000013 ++#define CDF_UNSIGNED32 0x00000013 + #define CDF_SIGNED64 0x00000014 + #define CDF_UNSIGNED64 0x00000015 + #define CDF_INT 0x00000016 +@@ -226,7 +245,7 @@ typedef struct { + #define CDF_PROPERTY_SUBJECT 0x00000003 + #define CDF_PROPERTY_AUTHOR 0x00000004 + #define CDF_PROPERTY_KEYWORDS 0x00000005 +-#define CDF_PROPERTY_COMMENTS 0x00000006 ++#define CDF_PROPERTY_COMMENTS 0x00000006 + #define CDF_PROPERTY_TEMPLATE 0x00000007 + #define CDF_PROPERTY_LAST_SAVED_BY 0x00000008 + #define CDF_PROPERTY_REVISION_NUMBER 0x00000009 +@@ -276,13 +295,13 @@ int cdf_read_ssat(const cdf_info_t *, const cdf_he + cdf_sat_t *); + int cdf_read_short_stream(const cdf_info_t *, const cdf_header_t *, + const cdf_sat_t *, const cdf_dir_t *, cdf_stream_t *); +-int cdf_read_property_info(const cdf_stream_t *, uint32_t, ++int cdf_read_property_info(const cdf_stream_t *, const cdf_header_t *, uint32_t, + cdf_property_info_t **, size_t *, size_t *); + int cdf_read_summary_info(const cdf_info_t *, const cdf_header_t *, + const cdf_sat_t *, const cdf_sat_t *, const cdf_stream_t *, + const cdf_dir_t *, cdf_stream_t *); +-int cdf_unpack_summary_info(const cdf_stream_t *, cdf_summary_info_header_t *, +- cdf_property_info_t **, size_t *); ++int cdf_unpack_summary_info(const cdf_stream_t *, const cdf_header_t *, ++ cdf_summary_info_header_t *, cdf_property_info_t **, size_t *); + int cdf_print_classid(char *, size_t, const cdf_classid_t *); + int cdf_print_property_name(char *, size_t, uint32_t); + int cdf_print_elapsed_time(char *, size_t, cdf_timestamp_t); +@@ -289,6 +308,7 @@ int cdf_print_elapsed_time(char *, size_t, cdf_tim + uint16_t cdf_tole2(uint16_t); + uint32_t cdf_tole4(uint32_t); + uint64_t cdf_tole8(uint64_t); ++char *cdf_ctime(const time_t *); + + #ifdef CDF_DEBUG + void cdf_dump_header(const cdf_header_t *); +Index: contrib/file/cdf_time.c +=================================================================== +--- contrib/file/cdf_time.c (revision 267806) ++++ contrib/file/cdf_time.c (working copy) +@@ -27,7 +27,7 @@ + #include "file.h" + + #ifndef lint +-FILE_RCSID("@(#)$File: cdf_time.c,v 1.6 2009/03/10 11:44:29 christos Exp $") ++FILE_RCSID("@(#)$File: cdf_time.c,v 1.10 2011/02/10 17:03:16 christos Exp $") + #endif + + #include <time.h> +@@ -108,22 +108,22 @@ cdf_timestamp_to_timespec(struct timespec *ts, cdf + ts->tv_nsec = (t % CDF_TIME_PREC) * 100; + + t /= CDF_TIME_PREC; +- tm.tm_sec = t % 60; ++ tm.tm_sec = (int)(t % 60); + t /= 60; + +- tm.tm_min = t % 60; ++ tm.tm_min = (int)(t % 60); + t /= 60; + +- tm.tm_hour = t % 24; ++ tm.tm_hour = (int)(t % 24); + t /= 24; + + // XXX: Approx +- tm.tm_year = CDF_BASE_YEAR + (t / 365); ++ tm.tm_year = (int)(CDF_BASE_YEAR + (t / 365)); + + rdays = cdf_getdays(tm.tm_year); +- t -= rdays; +- tm.tm_mday = cdf_getday(tm.tm_year, t); +- tm.tm_mon = cdf_getmonth(tm.tm_year, t); ++ t -= rdays - 1; ++ tm.tm_mday = cdf_getday(tm.tm_year, (int)t); ++ tm.tm_mon = cdf_getmonth(tm.tm_year, (int)t); + tm.tm_wday = 0; + tm.tm_yday = 0; + tm.tm_isdst = 0; +@@ -143,10 +143,13 @@ cdf_timestamp_to_timespec(struct timespec *ts, cdf + } + + int ++/*ARGSUSED*/ + cdf_timespec_to_timestamp(cdf_timestamp_t *t, const struct timespec *ts) + { ++#ifndef __lint__ + (void)&t; + (void)&ts; ++#endif + #ifdef notyet + struct tm tm; + if (gmtime_r(&ts->ts_sec, &tm) == NULL) { +@@ -162,7 +165,19 @@ cdf_timespec_to_timestamp(cdf_timestamp_t *t, cons + return 0; + } + ++char * ++cdf_ctime(const time_t *sec) ++{ ++ static char ctbuf[26]; ++ char *ptr = ctime(sec); ++ if (ptr != NULL) ++ return ptr; ++ (void)snprintf(ctbuf, sizeof(ctbuf), "*Bad* 0x%16.16llx\n", ++ (long long)*sec); ++ return ctbuf; ++} + ++ + #ifdef TEST + int + main(int argc, char *argv[]) +@@ -173,7 +188,7 @@ main(int argc, char *argv[]) + char *p, *q; + + cdf_timestamp_to_timespec(&ts, tst); +- p = ctime(&ts.tv_sec); ++ p = cdf_ctime(&ts.tv_sec); + if ((q = strchr(p, '\n')) != NULL) + *q = '\0'; + if (strcmp(ref, p) != 0) +Index: contrib/file/file.h +=================================================================== +--- contrib/file/file.h (revision 267806) ++++ contrib/file/file.h (working copy) +@@ -71,6 +71,10 @@ + #endif + #define public + ++#ifndef __arraycount ++#define __arraycount(a) (sizeof(a) / sizeof(a[0])) ++#endif ++ + #ifndef __GNUC_PREREQ__ + #ifdef __GNUC__ + #define __GNUC_PREREQ__(x, y) \ +@@ -367,7 +371,7 @@ protected int file_encoding(struct magic_set *, co + unichar **, size_t *, const char **, const char **, const char **); + protected int file_is_tar(struct magic_set *, const unsigned char *, size_t); + protected int file_softmagic(struct magic_set *, const unsigned char *, size_t, +- int); ++ size_t, int); + protected struct mlist *file_apprentice(struct magic_set *, const char *, int); + protected uint64_t file_signextend(struct magic_set *, struct magic *, + uint64_t); +Index: contrib/file/funcs.c +=================================================================== +--- contrib/file/funcs.c (revision 267806) ++++ contrib/file/funcs.c (working copy) +@@ -227,7 +227,7 @@ file_buffer(struct magic_set *ms, int fd, const ch + + /* try soft magic tests */ + if ((ms->flags & MAGIC_NO_CHECK_SOFT) == 0) +- if ((m = file_softmagic(ms, ubuf, nb, BINTEST)) != 0) { ++ if ((m = file_softmagic(ms, ubuf, nb, 0, BINTEST)) != 0) { + if ((ms->flags & MAGIC_DEBUG) != 0) + (void)fprintf(stderr, "softmagic %d\n", m); + #ifdef BUILTIN_ELF +Index: contrib/file/readcdf.c +=================================================================== +--- contrib/file/readcdf.c (revision 267806) ++++ contrib/file/readcdf.c (working copy) +@@ -26,7 +26,7 @@ + #include "file.h" + + #ifndef lint +-FILE_RCSID("@(#)$File: readcdf.c,v 1.18 2009/05/06 20:48:22 christos Exp $") ++FILE_RCSID("@(#)$File: readcdf.c,v 1.28 2012/02/17 05:27:45 christos Exp $") + #endif + + #include <stdlib.h> +@@ -44,145 +44,168 @@ private int + cdf_file_property_info(struct magic_set *ms, const cdf_property_info_t *info, + size_t count) + { +- size_t i; +- cdf_timestamp_t tp; +- struct timespec ts; +- char buf[64]; +- const char *str = "vnd.ms-office"; +- const char *s; +- int len; ++ size_t i; ++ cdf_timestamp_t tp; ++ struct timespec ts; ++ char buf[64]; ++ const char *str = NULL; ++ const char *s; ++ int len; + +- for (i = 0; i < count; i++) { +- cdf_print_property_name(buf, sizeof(buf), info[i].pi_id); +- switch (info[i].pi_type) { +- case CDF_SIGNED16: +- if (NOTMIME(ms) && file_printf(ms, ", %s: %hd", buf, +- info[i].pi_s16) == -1) +- return -1; +- break; +- case CDF_SIGNED32: +- if (NOTMIME(ms) && file_printf(ms, ", %s: %d", buf, +- info[i].pi_s32) == -1) +- return -1; +- break; +- case CDF_UNSIGNED32: +- if (NOTMIME(ms) && file_printf(ms, ", %s: %u", buf, +- info[i].pi_u32) == -1) +- return -1; +- break; +- case CDF_LENGTH32_STRING: +- len = info[i].pi_str.s_len; +- if (len > 1) { +- s = info[i].pi_str.s_buf; +- if (NOTMIME(ms)) { +- char vbuf[1024]; +- size_t j; +- for (j = 0; j < sizeof(vbuf) && len--; +- j++, s++) { +- if (*s == '\0') +- break; +- if (isprint((unsigned char)*s)) +- vbuf[j] = *s; +- } +- if (j == sizeof(vbuf)) +- --j; +- vbuf[j] = '\0'; +- if (vbuf[0]) { +- if (file_printf(ms, ", %s: %s", +- buf, vbuf) == -1) +- return -1; +- } +- } else if (info[i].pi_id == +- CDF_PROPERTY_NAME_OF_APPLICATION) { +- if (strstr(s, "Word")) +- str = "msword"; +- else if (strstr(s, "Excel")) +- str = "vnd.ms-excel"; +- else if (strstr(s, "Powerpoint")) +- str = "vnd.ms-powerpoint"; +- } +- } +- break; +- case CDF_FILETIME: +- tp = info[i].pi_tp; +- if (tp != 0) { +- if (tp < 1000000000000000LL) { +- char tbuf[64]; +- cdf_print_elapsed_time(tbuf, +- sizeof(tbuf), tp); +- if (NOTMIME(ms) && file_printf(ms, +- ", %s: %s", buf, tbuf) == -1) +- return -1; +- } else { +- char *c, *ec; +- cdf_timestamp_to_timespec(&ts, tp); +- c = ctime(&ts.tv_sec); +- if ((ec = strchr(c, '\n')) != NULL) +- *ec = '\0'; ++ for (i = 0; i < count; i++) { ++ cdf_print_property_name(buf, sizeof(buf), info[i].pi_id); ++ switch (info[i].pi_type) { ++ case CDF_NULL: ++ break; ++ case CDF_SIGNED16: ++ if (NOTMIME(ms) && file_printf(ms, ", %s: %hd", buf, ++ info[i].pi_s16) == -1) ++ return -1; ++ break; ++ case CDF_SIGNED32: ++ if (NOTMIME(ms) && file_printf(ms, ", %s: %d", buf, ++ info[i].pi_s32) == -1) ++ return -1; ++ break; ++ case CDF_UNSIGNED32: ++ if (NOTMIME(ms) && file_printf(ms, ", %s: %u", buf, ++ info[i].pi_u32) == -1) ++ return -1; ++ break; ++ case CDF_FLOAT: ++ if (NOTMIME(ms) && file_printf(ms, ", %s: %g", buf, ++ info[i].pi_f) == -1) ++ return -1; ++ break; ++ case CDF_DOUBLE: ++ if (NOTMIME(ms) && file_printf(ms, ", %s: %g", buf, ++ info[i].pi_d) == -1) ++ return -1; ++ break; ++ case CDF_LENGTH32_STRING: ++ case CDF_LENGTH32_WSTRING: ++ len = info[i].pi_str.s_len; ++ if (len > 1) { ++ char vbuf[1024]; ++ size_t j, k = 1; + +- if (NOTMIME(ms) && file_printf(ms, +- ", %s: %s", buf, c) == -1) +- return -1; +- } +- } +- break; +- case CDF_CLIPBOARD: +- break; +- default: +- return -1; +- } +- } +- if (!NOTMIME(ms)) { +- if (file_printf(ms, "application/%s", str) == -1) +- return -1; +- } +- return 1; ++ if (info[i].pi_type == CDF_LENGTH32_WSTRING) ++ k++; ++ s = info[i].pi_str.s_buf; ++ for (j = 0; j < sizeof(vbuf) && len--; ++ j++, s += k) { ++ if (*s == '\0') ++ break; ++ if (isprint((unsigned char)*s)) ++ vbuf[j] = *s; ++ } ++ if (j == sizeof(vbuf)) ++ --j; ++ vbuf[j] = '\0'; ++ if (NOTMIME(ms)) { ++ if (vbuf[0]) { ++ if (file_printf(ms, ", %s: %s", ++ buf, vbuf) == -1) ++ return -1; ++ } ++ } else if (info[i].pi_id == ++ CDF_PROPERTY_NAME_OF_APPLICATION) { ++ if (strstr(vbuf, "Word")) ++ str = "msword"; ++ else if (strstr(vbuf, "Excel")) ++ str = "vnd.ms-excel"; ++ else if (strstr(vbuf, "Powerpoint")) ++ str = "vnd.ms-powerpoint"; ++ else if (strstr(vbuf, ++ "Crystal Reports")) ++ str = "x-rpt"; ++ } ++ } ++ break; ++ case CDF_FILETIME: ++ tp = info[i].pi_tp; ++ if (tp != 0) { ++ if (tp < 1000000000000000LL) { ++ char tbuf[64]; ++ cdf_print_elapsed_time(tbuf, ++ sizeof(tbuf), tp); ++ if (NOTMIME(ms) && file_printf(ms, ++ ", %s: %s", buf, tbuf) == -1) ++ return -1; ++ } else { ++ char *c, *ec; ++ cdf_timestamp_to_timespec(&ts, tp); ++ c = cdf_ctime(&ts.tv_sec); ++ if ((ec = strchr(c, '\n')) != NULL) ++ *ec = '\0'; ++ ++ if (NOTMIME(ms) && file_printf(ms, ++ ", %s: %s", buf, c) == -1) ++ return -1; ++ } ++ } ++ break; ++ case CDF_CLIPBOARD: ++ break; ++ default: ++ return -1; ++ } ++ } ++ if (!NOTMIME(ms)) { ++ if (str == NULL) ++ return 0; ++ if (file_printf(ms, "application/%s", str) == -1) ++ return -1; ++ } ++ return 1; + } + + private int +-cdf_file_summary_info(struct magic_set *ms, const cdf_stream_t *sst) ++cdf_file_summary_info(struct magic_set *ms, const cdf_header_t *h, ++ const cdf_stream_t *sst) + { +- cdf_summary_info_header_t si; +- cdf_property_info_t *info; +- size_t count; +- int m; ++ cdf_summary_info_header_t si; ++ cdf_property_info_t *info; ++ size_t count; ++ int m; + +- if (cdf_unpack_summary_info(sst, &si, &info, &count) == -1) +- return -1; ++ if (cdf_unpack_summary_info(sst, h, &si, &info, &count) == -1) ++ return -1; + +- if (NOTMIME(ms)) { +- if (file_printf(ms, "CDF V2 Document") == -1) +- return -1; ++ if (NOTMIME(ms)) { ++ if (file_printf(ms, "CDF V2 Document") ++ == -1) ++ return -1; + +- if (file_printf(ms, ", %s Endian", +- si.si_byte_order == 0xfffe ? "Little" : "Big") == -1) +- return -1; +- switch (si.si_os) { +- case 2: +- if (file_printf(ms, ", Os: Windows, Version %d.%d", +- si.si_os_version & 0xff, si.si_os_version >> 8) +- == -1) +- return -1; +- break; +- case 1: +- if (file_printf(ms, ", Os: MacOS, Version %d.%d", +- si.si_os_version >> 8, si.si_os_version & 0xff) +- == -1) +- return -1; +- break; +- default: +- if (file_printf(ms, ", Os %d, Version: %d.%d", si.si_os, +- si.si_os_version & 0xff, si.si_os_version >> 8) +- == -1) +- return -1; +- break; +- } +- } ++ if (file_printf(ms, ", %s Endian", ++ si.si_byte_order == 0xfffe ? "Little" : "Big") == -1) ++ return -2; ++ switch (si.si_os) { ++ case 2: ++ if (file_printf(ms, ", Os: Windows, Version %d.%d", ++ si.si_os_version & 0xff, ++ (uint32_t)si.si_os_version >> 8) == -1) ++ return -2; ++ break; ++ case 1: ++ if (file_printf(ms, ", Os: MacOS, Version %d.%d", ++ (uint32_t)si.si_os_version >> 8, ++ si.si_os_version & 0xff) == -1) ++ return -2; ++ break; ++ default: ++ if (file_printf(ms, ", Os %d, Version: %d.%d", si.si_os, ++ si.si_os_version & 0xff, ++ (uint32_t)si.si_os_version >> 8) == -1) ++ return -2; ++ break; ++ } ++ } + +- m = cdf_file_property_info(ms, info, count); +- free(info); ++ m = cdf_file_property_info(ms, info, count); ++ free(info); + +- return m; ++ return m == -1 ? -2 : m; + } + + protected int +@@ -189,81 +212,107 @@ protected int + file_trycdf(struct magic_set *ms, int fd, const unsigned char *buf, + size_t nbytes) + { +- cdf_info_t info; +- cdf_header_t h; +- cdf_sat_t sat, ssat; +- cdf_stream_t sst, scn; +- cdf_dir_t dir; +- int i; +- const char *expn = ""; ++ cdf_info_t info; ++ cdf_header_t h; ++ cdf_sat_t sat, ssat; ++ cdf_stream_t sst, scn; ++ cdf_dir_t dir; ++ int i; ++ const char *expn = ""; ++ const char *corrupt = "corrupt: "; + +- info.i_fd = fd; +- info.i_buf = buf; +- info.i_len = nbytes; +- if (ms->flags & MAGIC_APPLE) +- return 0; +- if (cdf_read_header(&info, &h) == -1) +- return 0; ++ info.i_fd = fd; ++ info.i_buf = buf; ++ info.i_len = nbytes; ++ if (ms->flags & MAGIC_APPLE) ++ return 0; ++ if (cdf_read_header(&info, &h) == -1) ++ return 0; + #ifdef CDF_DEBUG +- cdf_dump_header(&h); ++ cdf_dump_header(&h); + #endif + +- if ((i = cdf_read_sat(&info, &h, &sat)) == -1) { +- expn = "Can't read SAT"; +- goto out0; +- } ++ if ((i = cdf_read_sat(&info, &h, &sat)) == -1) { ++ expn = "Can't read SAT"; ++ goto out0; ++ } + #ifdef CDF_DEBUG +- cdf_dump_sat("SAT", &sat, CDF_SEC_SIZE(&h)); ++ cdf_dump_sat("SAT", &sat, CDF_SEC_SIZE(&h)); + #endif + +- if ((i = cdf_read_ssat(&info, &h, &sat, &ssat)) == -1) { +- expn = "Can't read SSAT"; +- goto out1; +- } ++ if ((i = cdf_read_ssat(&info, &h, &sat, &ssat)) == -1) { ++ expn = "Can't read SSAT"; ++ goto out1; ++ } + #ifdef CDF_DEBUG +- cdf_dump_sat("SSAT", &ssat, CDF_SHORT_SEC_SIZE(&h)); ++ cdf_dump_sat("SSAT", &ssat, CDF_SHORT_SEC_SIZE(&h)); + #endif + +- if ((i = cdf_read_dir(&info, &h, &sat, &dir)) == -1) { +- expn = "Can't read directory"; +- goto out2; +- } ++ if ((i = cdf_read_dir(&info, &h, &sat, &dir)) == -1) { ++ expn = "Can't read directory"; ++ goto out2; ++ } + +- if ((i = cdf_read_short_stream(&info, &h, &sat, &dir, &sst)) == -1) { +- expn = "Cannot read short stream"; +- goto out3; +- } ++ if ((i = cdf_read_short_stream(&info, &h, &sat, &dir, &sst)) == -1) { ++ expn = "Cannot read short stream"; ++ goto out3; ++ } + #ifdef CDF_DEBUG +- cdf_dump_dir(&info, &h, &sat, &ssat, &sst, &dir); ++ cdf_dump_dir(&info, &h, &sat, &ssat, &sst, &dir); + #endif + +- if ((i = cdf_read_summary_info(&info, &h, &sat, &ssat, &sst, &dir, +- &scn)) == -1) { +- expn = "Cannot read summary info"; +- goto out4; +- } ++ if ((i = cdf_read_summary_info(&info, &h, &sat, &ssat, &sst, &dir, ++ &scn)) == -1) { ++ if (errno == ESRCH) { ++ corrupt = expn; ++ expn = "No summary info"; ++ } else { ++ expn = "Cannot read summary info"; ++ } ++ goto out4; ++ } + #ifdef CDF_DEBUG +- cdf_dump_summary_info(&h, &scn); ++ cdf_dump_summary_info(&h, &scn); + #endif +- if ((i = cdf_file_summary_info(ms, &scn)) == -1) +- expn = "Can't expand summary_info"; +- free(scn.sst_tab); ++ if ((i = cdf_file_summary_info(ms, &h, &scn)) < 0) ++ expn = "Can't expand summary_info"; ++ if (i == 0) { ++ const char *str = "vnd.ms-office"; ++ cdf_directory_t *d; ++ char name[__arraycount(d->d_name)]; ++ size_t j, k; ++ for (j = 0; j < dir.dir_len; j++) { ++ d = &dir.dir_tab[j]; ++ for (k = 0; k < sizeof(name); k++) ++ name[k] = (char)cdf_tole2(d->d_name[k]); ++ if (strstr(name, "WordDocument") != 0) { ++ str = "msword"; ++ break; ++ } ++ } ++ if (file_printf(ms, "application/%s", str) == -1) ++ return -1; ++ i = 1; ++ } ++ free(scn.sst_tab); + out4: +- free(sst.sst_tab); ++ free(sst.sst_tab); + out3: +- free(dir.dir_tab); ++ free(dir.dir_tab); + out2: +- free(ssat.sat_tab); ++ free(ssat.sat_tab); + out1: +- free(sat.sat_tab); ++ free(sat.sat_tab); + out0: +- if (i != 1) { +- if (file_printf(ms, "CDF V2 Document") == -1) +- return -1; +- if (*expn) +- if (file_printf(ms, ", corrupt: %s", expn) == -1) +- return -1; +- i = 1; +- } +- return i; ++ if (i != 1) { ++ if (i == -1) ++ if (file_printf(ms, "CDF V2 Document") ++ == -1) ++ return -1; ++ if (*expn) ++ if (file_printf(ms, ", %s%s", corrupt, expn) == -1) ++ return -1; ++ i = 1; ++ } ++ return i; + } +Index: contrib/file/softmagic.c +=================================================================== +--- contrib/file/softmagic.c (revision 267806) ++++ contrib/file/softmagic.c (working copy) +@@ -43,9 +43,9 @@ FILE_RCSID("@(#)$File: softmagic.c,v 1.135 2009/03 + + + private int match(struct magic_set *, struct magic *, uint32_t, +- const unsigned char *, size_t, int); ++ const unsigned char *, size_t, int, int); + private int mget(struct magic_set *, const unsigned char *, +- struct magic *, size_t, unsigned int); ++ struct magic *, size_t, unsigned int, int); + private int magiccheck(struct magic_set *, struct magic *); + private int32_t mprint(struct magic_set *, struct magic *); + private int32_t moffset(struct magic_set *, struct magic *); +@@ -60,6 +60,7 @@ private void cvt_16(union VALUETYPE *, const struc + private void cvt_32(union VALUETYPE *, const struct magic *); + private void cvt_64(union VALUETYPE *, const struct magic *); + ++#define OFFSET_OOB(n, o, i) ((n) < (o) || (i) > ((n) - (o))) + /* + * softmagic - lookup one file in parsed, in-memory copy of database + * Passed the name and FILE * of one file to be typed. +@@ -66,12 +67,13 @@ private void cvt_64(union VALUETYPE *, const struc + */ + /*ARGSUSED1*/ /* nbytes passed for regularity, maybe need later */ + protected int +-file_softmagic(struct magic_set *ms, const unsigned char *buf, size_t nbytes, int mode) ++file_softmagic(struct magic_set *ms, const unsigned char *buf, size_t nbytes, ++ size_t level, int mode) + { + struct mlist *ml; + int rv; + for (ml = ms->mlist->next; ml != ms->mlist; ml = ml->next) +- if ((rv = match(ms, ml->magic, ml->nmagic, buf, nbytes, mode)) != 0) ++ if ((rv = match(ms, ml->magic, ml->nmagic, buf, nbytes, mode, level)) != 0) + return rv; + + return 0; +@@ -106,7 +108,7 @@ protected int + */ + private int + match(struct magic_set *ms, struct magic *magic, uint32_t nmagic, +- const unsigned char *s, size_t nbytes, int mode) ++ const unsigned char *s, size_t nbytes, int mode, int recursion_level) + { + uint32_t magindex = 0; + unsigned int cont_level = 0; +@@ -135,7 +137,7 @@ match(struct magic_set *ms, struct magic *magic, u + ms->line = m->lineno; + + /* if main entry matches, print it... */ +- switch (mget(ms, s, m, nbytes, cont_level)) { ++ switch (mget(ms, s, m, nbytes, cont_level, recursion_level + 1)) { + case -1: + return -1; + case 0: +@@ -218,7 +220,7 @@ match(struct magic_set *ms, struct magic *magic, u + continue; + } + #endif +- switch (mget(ms, s, m, nbytes, cont_level)) { ++ switch (mget(ms, s, m, nbytes, cont_level, recursion_level + 1)) { + case -1: + return -1; + case 0: +@@ -1022,12 +1024,17 @@ mcopy(struct magic_set *ms, union VALUETYPE *p, in + + private int + mget(struct magic_set *ms, const unsigned char *s, +- struct magic *m, size_t nbytes, unsigned int cont_level) ++ struct magic *m, size_t nbytes, unsigned int cont_level, int recursion_level) + { + uint32_t offset = ms->offset; + uint32_t count = m->str_range; + union VALUETYPE *p = &ms->ms_value; + ++ if (recursion_level >= 20) { ++ file_error(ms, 0, "recursion nesting exceeded"); ++ return -1; ++ } ++ + if (mcopy(ms, p, m->type, m->flag & INDIR, s, offset, nbytes, count) == -1) + return -1; + +@@ -1077,7 +1084,7 @@ mget(struct magic_set *ms, const unsigned char *s, + } + switch (m->in_type) { + case FILE_BYTE: +- if (nbytes < (offset + 1)) ++ if (OFFSET_OOB(nbytes, offset, 1)) + return 0; + if (off) { + switch (m->in_op & FILE_OPS_MASK) { +@@ -1112,7 +1119,7 @@ mget(struct magic_set *ms, const unsigned char *s, + offset = ~offset; + break; + case FILE_BESHORT: +- if (nbytes < (offset + 2)) ++ if (OFFSET_OOB(nbytes, offset, 2)) + return 0; + if (off) { + switch (m->in_op & FILE_OPS_MASK) { +@@ -1164,7 +1171,7 @@ mget(struct magic_set *ms, const unsigned char *s, + offset = ~offset; + break; + case FILE_LESHORT: +- if (nbytes < (offset + 2)) ++ if (OFFSET_OOB(nbytes, offset, 2)) + return 0; + if (off) { + switch (m->in_op & FILE_OPS_MASK) { +@@ -1216,7 +1223,7 @@ mget(struct magic_set *ms, const unsigned char *s, + offset = ~offset; + break; + case FILE_SHORT: +- if (nbytes < (offset + 2)) ++ if (OFFSET_OOB(nbytes, offset, 2)) + return 0; + if (off) { + switch (m->in_op & FILE_OPS_MASK) { +@@ -1253,7 +1260,7 @@ mget(struct magic_set *ms, const unsigned char *s, + break; + case FILE_BELONG: + case FILE_BEID3: +- if (nbytes < (offset + 4)) ++ if (OFFSET_OOB(nbytes, offset, 4)) + return 0; + if (off) { + switch (m->in_op & FILE_OPS_MASK) { +@@ -1324,7 +1331,7 @@ mget(struct magic_set *ms, const unsigned char *s, + break; + case FILE_LELONG: + case FILE_LEID3: +- if (nbytes < (offset + 4)) ++ if (OFFSET_OOB(nbytes, offset, 4)) + return 0; + if (off) { + switch (m->in_op & FILE_OPS_MASK) { +@@ -1394,7 +1401,7 @@ mget(struct magic_set *ms, const unsigned char *s, + offset = ~offset; + break; + case FILE_MELONG: +- if (nbytes < (offset + 4)) ++ if (OFFSET_OOB(nbytes, offset, 4)) + return 0; + if (off) { + switch (m->in_op & FILE_OPS_MASK) { +@@ -1464,7 +1471,7 @@ mget(struct magic_set *ms, const unsigned char *s, + offset = ~offset; + break; + case FILE_LONG: +- if (nbytes < (offset + 4)) ++ if (OFFSET_OOB(nbytes, offset, 4)) + return 0; + if (off) { + switch (m->in_op & FILE_OPS_MASK) { +@@ -1531,7 +1538,7 @@ mget(struct magic_set *ms, const unsigned char *s, + /* Verify we have enough data to match magic type */ + switch (m->type) { + case FILE_BYTE: +- if (nbytes < (offset + 1)) /* should alway be true */ ++ if (OFFSET_OOB(nbytes, offset, 1)) + return 0; + break; + +@@ -1538,7 +1545,7 @@ mget(struct magic_set *ms, const unsigned char *s, + case FILE_SHORT: + case FILE_BESHORT: + case FILE_LESHORT: +- if (nbytes < (offset + 2)) ++ if (OFFSET_OOB(nbytes, offset, 2)) + return 0; + break; + +@@ -1557,7 +1564,7 @@ mget(struct magic_set *ms, const unsigned char *s, + case FILE_FLOAT: + case FILE_BEFLOAT: + case FILE_LEFLOAT: +- if (nbytes < (offset + 4)) ++ if (OFFSET_OOB(nbytes, offset, 4)) + return 0; + break; + +@@ -1564,7 +1571,7 @@ mget(struct magic_set *ms, const unsigned char *s, + case FILE_DOUBLE: + case FILE_BEDOUBLE: + case FILE_LEDOUBLE: +- if (nbytes < (offset + 8)) ++ if (OFFSET_OOB(nbytes, offset, 8)) + return 0; + break; + +@@ -1571,23 +1578,25 @@ mget(struct magic_set *ms, const unsigned char *s, + case FILE_STRING: + case FILE_PSTRING: + case FILE_SEARCH: +- if (nbytes < (offset + m->vallen)) ++ if (OFFSET_OOB(nbytes, offset, m->vallen)) + return 0; + break; + + case FILE_REGEX: +- if (nbytes < offset) ++ if (OFFSET_OOB(nbytes, offset, 0)) + return 0; + break; + + case FILE_INDIRECT: ++ if (offset == 0) ++ return 0; + if ((ms->flags & (MAGIC_MIME|MAGIC_APPLE)) == 0 && + file_printf(ms, m->desc) == -1) + return -1; +- if (nbytes < offset) ++ if (OFFSET_OOB(nbytes, offset, 0)) + return 0; + return file_softmagic(ms, s + offset, nbytes - offset, +- BINTEST); ++ recursion_level, BINTEST); + + case FILE_DEFAULT: /* nothing to check */ + default: diff --git a/share/security/patches/SA-14:16/file-8.4.patch.asc b/share/security/patches/SA-14:16/file-8.4.patch.asc new file mode 100644 index 0000000000..1c1ce5730c --- /dev/null +++ b/share/security/patches/SA-14:16/file-8.4.patch.asc @@ -0,0 +1,17 @@ +-----BEGIN PGP SIGNATURE----- +Version: GnuPG v2 + +iQIcBAABCgAGBQJTqc+xAAoJEO1n7NZdz2rnwYEQAJ2tsC+x3C539+wx8HQVDyzn +YArD9qa9vccrISU0BBvBRDwnEEJ2jm/57EMpA9vc8drrWnz29gxYtIDeFWAkosM/ +CTR0M3ZSMaTSnHQWoM8VxlMPWDfQBzokJB5H3qNUCJZV/QdQo7kSHdMvzeqdiqbG +jkuVuifm5TgxEQVaznK9E0PoL/gVGfndUg9N5MJnO/XEO0wy4gqDE6SSn9zE4Rxc +uWa34gZwh33eJWi9tE6sNAbekZuwEtK7smw+wkcUvUdfdUqTsp8j05ZY/PMAG97z +SeYZ3rXk4sKXE4NSM8QxFxbfQNcFmKv7viQoPqTJDu63ctJdcyN6vv8hH9j73+mN +W3NQOdfnKQblqgqC6bkXUV4A3YAUirWfcBiHo02PBfhspwBI+CA7VJbNxPxdmGn9 +r9F9SP114afHz/2W62yDagXPc39TJ/T7e8sqEbw2Up5a1Rd7PzpQCDMYALspx4tS +FQqR61aTfpSDXdQYLPgyTPiBNrDcUA0WdAWpm2KAteUOUt5K7Z5N59IbxJU51VpL +dPdJsTkCN84HY6ynng4nrxaeH6ImPmv3wd34cxVIgrEzfDbteYr2qn6tNM+4AAhg +bbFbqbXPp3qyn3ryDskdkeEbNIBK0Dw41ATtvfsolVPI+xWVT996R16uvqwu2hhl +HaPZcO4HUyyDsdKzLNk+ +=Kg8r +-----END PGP SIGNATURE----- diff --git a/share/security/patches/SA-14:16/file.patch b/share/security/patches/SA-14:16/file.patch new file mode 100644 index 0000000000..43d93418e4 --- /dev/null +++ b/share/security/patches/SA-14:16/file.patch @@ -0,0 +1,276 @@ +Index: contrib/file/Magdir/commands +=================================================================== +--- contrib/file/Magdir/commands (revision 267806) ++++ contrib/file/Magdir/commands (working copy) +@@ -49,7 +49,8 @@ + !:mime text/x-awk + 0 string/wt #!\ /usr/bin/awk awk script text executable + !:mime text/x-awk +-0 regex =^\\s*BEGIN\\s*[{] awk script text ++0 regex =^\\s{0,100}BEGIN\\s{0,100}[{] awk script text ++!:strength - 12 + + # AT&T Bell Labs' Plan 9 shell + 0 string/wt #!\ /bin/rc Plan 9 rc shell script text executable +Index: contrib/file/ascmagic.c +=================================================================== +--- contrib/file/ascmagic.c (revision 267806) ++++ contrib/file/ascmagic.c (working copy) +@@ -147,7 +147,7 @@ file_ascmagic_with_encoding(struct magic_set *ms, + == NULL) + goto done; + if ((rv = file_softmagic(ms, utf8_buf, +- (size_t)(utf8_end - utf8_buf), TEXTTEST, text)) == 0) ++ (size_t)(utf8_end - utf8_buf), 0, TEXTTEST, text)) == 0) + rv = -1; + } + +Index: contrib/file/file.h +=================================================================== +--- contrib/file/file.h (revision 267806) ++++ contrib/file/file.h (working copy) +@@ -414,7 +414,7 @@ protected int file_encoding(struct magic_set *, co + unichar **, size_t *, const char **, const char **, const char **); + protected int file_is_tar(struct magic_set *, const unsigned char *, size_t); + protected int file_softmagic(struct magic_set *, const unsigned char *, size_t, +- int, int); ++ size_t, int, int); + protected struct mlist *file_apprentice(struct magic_set *, const char *, int); + protected uint64_t file_signextend(struct magic_set *, struct magic *, + uint64_t); +Index: contrib/file/funcs.c +=================================================================== +--- contrib/file/funcs.c (revision 267806) ++++ contrib/file/funcs.c (working copy) +@@ -228,7 +228,7 @@ file_buffer(struct magic_set *ms, int fd, const ch + + /* try soft magic tests */ + if ((ms->flags & MAGIC_NO_CHECK_SOFT) == 0) +- if ((m = file_softmagic(ms, ubuf, nb, BINTEST, ++ if ((m = file_softmagic(ms, ubuf, nb, 0, BINTEST, + looks_text)) != 0) { + if ((ms->flags & MAGIC_DEBUG) != 0) + (void)fprintf(stderr, "softmagic %d\n", m); +Index: contrib/file/softmagic.c +=================================================================== +--- contrib/file/softmagic.c (revision 267806) ++++ contrib/file/softmagic.c (working copy) +@@ -43,9 +43,9 @@ FILE_RCSID("@(#)$File: softmagic.c,v 1.147 2011/11 + + + private int match(struct magic_set *, struct magic *, uint32_t, +- const unsigned char *, size_t, int, int); ++ const unsigned char *, size_t, int, int, int); + private int mget(struct magic_set *, const unsigned char *, +- struct magic *, size_t, unsigned int, int); ++ struct magic *, size_t, unsigned int, int, int); + private int magiccheck(struct magic_set *, struct magic *); + private int32_t mprint(struct magic_set *, struct magic *); + private int32_t moffset(struct magic_set *, struct magic *); +@@ -60,6 +60,7 @@ private void cvt_16(union VALUETYPE *, const struc + private void cvt_32(union VALUETYPE *, const struct magic *); + private void cvt_64(union VALUETYPE *, const struct magic *); + ++#define OFFSET_OOB(n, o, i) ((n) < (o) || (i) > ((n) - (o))) + /* + * softmagic - lookup one file in parsed, in-memory copy of database + * Passed the name and FILE * of one file to be typed. +@@ -67,13 +68,13 @@ private void cvt_64(union VALUETYPE *, const struc + /*ARGSUSED1*/ /* nbytes passed for regularity, maybe need later */ + protected int + file_softmagic(struct magic_set *ms, const unsigned char *buf, size_t nbytes, +- int mode, int text) ++ size_t level, int mode, int text) + { + struct mlist *ml; + int rv; + for (ml = ms->mlist->next; ml != ms->mlist; ml = ml->next) + if ((rv = match(ms, ml->magic, ml->nmagic, buf, nbytes, mode, +- text)) != 0) ++ text, level)) != 0) + return rv; + + return 0; +@@ -108,7 +109,8 @@ file_softmagic(struct magic_set *ms, const unsigne + */ + private int + match(struct magic_set *ms, struct magic *magic, uint32_t nmagic, +- const unsigned char *s, size_t nbytes, int mode, int text) ++ const unsigned char *s, size_t nbytes, int mode, int text, ++ int recursion_level) + { + uint32_t magindex = 0; + unsigned int cont_level = 0; +@@ -140,7 +142,7 @@ match(struct magic_set *ms, struct magic *magic, u + ms->line = m->lineno; + + /* if main entry matches, print it... */ +- switch (mget(ms, s, m, nbytes, cont_level, text)) { ++ switch (mget(ms, s, m, nbytes, cont_level, text, recursion_level + 1)) { + case -1: + return -1; + case 0: +@@ -223,7 +225,7 @@ match(struct magic_set *ms, struct magic *magic, u + continue; + } + #endif +- switch (mget(ms, s, m, nbytes, cont_level, text)) { ++ switch (mget(ms, s, m, nbytes, cont_level, text, recursion_level + 1)) { + case -1: + return -1; + case 0: +@@ -1018,12 +1020,18 @@ mcopy(struct magic_set *ms, union VALUETYPE *p, in + + private int + mget(struct magic_set *ms, const unsigned char *s, +- struct magic *m, size_t nbytes, unsigned int cont_level, int text) ++ struct magic *m, size_t nbytes, unsigned int cont_level, int text, ++ int recursion_level) + { + uint32_t offset = ms->offset; + uint32_t count = m->str_range; + union VALUETYPE *p = &ms->ms_value; + ++ if (recursion_level >= 20) { ++ file_error(ms, 0, "recursion nesting exceeded"); ++ return -1; ++ } ++ + if (mcopy(ms, p, m->type, m->flag & INDIR, s, offset, nbytes, count) == -1) + return -1; + +@@ -1073,7 +1081,7 @@ mget(struct magic_set *ms, const unsigned char *s, + } + switch (m->in_type) { + case FILE_BYTE: +- if (nbytes < (offset + 1)) ++ if (OFFSET_OOB(nbytes, offset, 1)) + return 0; + if (off) { + switch (m->in_op & FILE_OPS_MASK) { +@@ -1108,7 +1116,7 @@ mget(struct magic_set *ms, const unsigned char *s, + offset = ~offset; + break; + case FILE_BESHORT: +- if (nbytes < (offset + 2)) ++ if (OFFSET_OOB(nbytes, offset, 2)) + return 0; + if (off) { + switch (m->in_op & FILE_OPS_MASK) { +@@ -1160,7 +1168,7 @@ mget(struct magic_set *ms, const unsigned char *s, + offset = ~offset; + break; + case FILE_LESHORT: +- if (nbytes < (offset + 2)) ++ if (OFFSET_OOB(nbytes, offset, 2)) + return 0; + if (off) { + switch (m->in_op & FILE_OPS_MASK) { +@@ -1212,7 +1220,7 @@ mget(struct magic_set *ms, const unsigned char *s, + offset = ~offset; + break; + case FILE_SHORT: +- if (nbytes < (offset + 2)) ++ if (OFFSET_OOB(nbytes, offset, 2)) + return 0; + if (off) { + switch (m->in_op & FILE_OPS_MASK) { +@@ -1249,7 +1257,7 @@ mget(struct magic_set *ms, const unsigned char *s, + break; + case FILE_BELONG: + case FILE_BEID3: +- if (nbytes < (offset + 4)) ++ if (OFFSET_OOB(nbytes, offset, 4)) + return 0; + if (off) { + switch (m->in_op & FILE_OPS_MASK) { +@@ -1320,7 +1328,7 @@ mget(struct magic_set *ms, const unsigned char *s, + break; + case FILE_LELONG: + case FILE_LEID3: +- if (nbytes < (offset + 4)) ++ if (OFFSET_OOB(nbytes, offset, 4)) + return 0; + if (off) { + switch (m->in_op & FILE_OPS_MASK) { +@@ -1390,7 +1398,7 @@ mget(struct magic_set *ms, const unsigned char *s, + offset = ~offset; + break; + case FILE_MELONG: +- if (nbytes < (offset + 4)) ++ if (OFFSET_OOB(nbytes, offset, 4)) + return 0; + if (off) { + switch (m->in_op & FILE_OPS_MASK) { +@@ -1460,7 +1468,7 @@ mget(struct magic_set *ms, const unsigned char *s, + offset = ~offset; + break; + case FILE_LONG: +- if (nbytes < (offset + 4)) ++ if (OFFSET_OOB(nbytes, offset, 4)) + return 0; + if (off) { + switch (m->in_op & FILE_OPS_MASK) { +@@ -1527,7 +1535,7 @@ mget(struct magic_set *ms, const unsigned char *s, + /* Verify we have enough data to match magic type */ + switch (m->type) { + case FILE_BYTE: +- if (nbytes < (offset + 1)) /* should alway be true */ ++ if (OFFSET_OOB(nbytes, offset, 1)) + return 0; + break; + +@@ -1534,7 +1542,7 @@ mget(struct magic_set *ms, const unsigned char *s, + case FILE_SHORT: + case FILE_BESHORT: + case FILE_LESHORT: +- if (nbytes < (offset + 2)) ++ if (OFFSET_OOB(nbytes, offset, 2)) + return 0; + break; + +@@ -1553,7 +1561,7 @@ mget(struct magic_set *ms, const unsigned char *s, + case FILE_FLOAT: + case FILE_BEFLOAT: + case FILE_LEFLOAT: +- if (nbytes < (offset + 4)) ++ if (OFFSET_OOB(nbytes, offset, 4)) + return 0; + break; + +@@ -1560,7 +1568,7 @@ mget(struct magic_set *ms, const unsigned char *s, + case FILE_DOUBLE: + case FILE_BEDOUBLE: + case FILE_LEDOUBLE: +- if (nbytes < (offset + 8)) ++ if (OFFSET_OOB(nbytes, offset, 8)) + return 0; + break; + +@@ -1567,7 +1575,7 @@ mget(struct magic_set *ms, const unsigned char *s, + case FILE_STRING: + case FILE_PSTRING: + case FILE_SEARCH: +- if (nbytes < (offset + m->vallen)) ++ if (OFFSET_OOB(nbytes, offset, m->vallen)) + return 0; + break; + +@@ -1577,6 +1585,8 @@ mget(struct magic_set *ms, const unsigned char *s, + break; + + case FILE_INDIRECT: ++ if (offset == 0) ++ return 0; + if ((ms->flags & (MAGIC_MIME|MAGIC_APPLE)) == 0 && + file_printf(ms, "%s", m->desc) == -1) + return -1; +@@ -1583,7 +1593,7 @@ mget(struct magic_set *ms, const unsigned char *s, + if (nbytes < offset) + return 0; + return file_softmagic(ms, s + offset, nbytes - offset, +- BINTEST, text); ++ recursion_level, BINTEST, text); + + case FILE_DEFAULT: /* nothing to check */ + default: diff --git a/share/security/patches/SA-14:16/file.patch.asc b/share/security/patches/SA-14:16/file.patch.asc new file mode 100644 index 0000000000..941e5dda8b --- /dev/null +++ b/share/security/patches/SA-14:16/file.patch.asc @@ -0,0 +1,17 @@ +-----BEGIN PGP SIGNATURE----- +Version: GnuPG v2 + +iQIcBAABCgAGBQJTqc+xAAoJEO1n7NZdz2rnE0YP/A+Q3jwyWJW7f4UQCN1funJ0 +XZwDYYD/aVXUmQcegpDDDlJ9Ol3Rr2K6CXKJHN+2kH1NvjD2W82+trJiiAetTBwI +OqsgtyiJM8k3Pa67lRNoBPkYRaoZ7MgXurDzY8lclz0bb+n2OLQr4gvXQ8gEbZZE +ZETzFGlOhDw22gWOFzU7fMbg+WZr1yQBPEzEtJ5DR2WAS/eiAEzW9D8+HgBvR1T9 +X8jE6OEblJ3xBHkGByX9t9r+0klwOHdjx6Y54P+b1gFmgaIGLOPulNVE1d7oyRbt +Lhcrd1OUWuohz7nOfC+L29bYn0AiIVt/bZekKNyILiKuZbo01JmMLB+Ekn+R4Hv+ +fXjcc4qVVwTveJMPZ8HDNnpKusMXhqMAYDLblA4c6LnFdpwuKMMK9D9KCTNe0N17 +hGeJXHXAaeewdhsaXUA5VpLR1bZjQgLRIO3kKSrgIJVQWpPn+U5q0uuKl/JEo4O7 +hnble23XfiqfRnkaZ9Cs8Gw16g/XFhDKSu6ppVMCSTALwvmppVtQpw8tfq+W1EmW +9OlwLN5FAjYuMS2GbuZr4o53cFJD0a/3OdeMIZdTP9zstU/AMx1zauAHfUinDAKN +p7zriJB3gz0XQSSXwtlAHJpOapvMYob/axhToy+TcnxiHPa9oQEAbJWtfar0NQVR +t4TETAxIo1YT7cW7w87U +=nVM9 +-----END PGP SIGNATURE----- diff --git a/share/xml/advisories.xml b/share/xml/advisories.xml index 2a51708459..0c10939c97 100644 --- a/share/xml/advisories.xml +++ b/share/xml/advisories.xml @@ -10,6 +10,18 @@ <month> <name>6</name> + <day> + <name>24</name> + + <advisory> + <name>FreeBSD-SA-14:16.file</name> + </advisory> + + <advisory> + <name>FreeBSD-SA-14:15.iconv</name> + </advisory> + </day> + <day> <name>5</name> diff --git a/share/xml/notices.xml b/share/xml/notices.xml index e6f382655f..f5bf2594a5 100644 --- a/share/xml/notices.xml +++ b/share/xml/notices.xml @@ -10,6 +10,18 @@ <month> <name>6</name> + <day> + <name>24</name> + + <notice> + <name>FreeBSD-EN-14:08.heimdal</name> + </notice> + + <notice> + <name>FreeBSD-EN-14:07.pmap</name> + </notice> + </day> + <day> <name>3</name> @@ -26,7 +38,7 @@ <name>13</name> <notice> - <name>FreeBSD-EN-14:03.pkg</name> + <name>FreeBSD-EN-14:05.ciss</name> </notice> <notice> @@ -34,7 +46,7 @@ </notice> <notice> - <name>FreeBSD-EN-14:05.ciss</name> + <name>FreeBSD-EN-14:03.pkg</name> </notice> </day> </month>