I'm very pleased to announce the release of our new website and documentation using the new toolchain with Hugo and AsciiDoctor. To get more information about the new toolchain please read the FreeBSD Documentation Project Primer[1], Hugo docs[2] and AsciiDoctor docs[3]. Acknowledgment: Benedict Reuschling <bcr@> Glen Barber <gjb@> Hiroki Sato <hrs@> Li-Wen Hsu <lwhsu@> Sean Chittenden <seanc@> The FreeBSD Foundation [1] https://docs.FreeBSD.org/en/books/fdp-primer/ [2] https://gohugo.io/documentation/ [3] https://docs.asciidoctor.org/home/ Approved by: doceng, core
Index: contrib/file/elfclass.h
|
|
===================================================================
|
|
--- contrib/file/elfclass.h.orig
|
|
+++ contrib/file/elfclass.h
|
|
@@ -35,9 +35,11 @@
|
|
switch (type) {
|
|
#ifdef ELFCORE
|
|
case ET_CORE:
|
|
+ phnum = elf_getu16(swap, elfhdr.e_phnum);
|
|
+ if (phnum > MAX_PHNUM)
|
|
+ return toomany(ms, "program", phnum);
|
|
if (dophn_core(ms, clazz, swap, fd,
|
|
- (off_t)elf_getu(swap, elfhdr.e_phoff),
|
|
- elf_getu16(swap, elfhdr.e_phnum),
|
|
+ (off_t)elf_getu(swap, elfhdr.e_phoff), phnum,
|
|
(size_t)elf_getu16(swap, elfhdr.e_phentsize),
|
|
fsize, &flags) == -1)
|
|
return -1;
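Review bot: The new phnum bound in the ET_CORE case leaves e_phentsize unchecked, and the line right after the check still forwards it to dophn_core as the per-record size; if dophn_core does not compare it against the per-class header size itself (its body is outside this hunk), a crafted header can still choose an arbitrary record size for each of up to MAX_PHNUM reads. A sibling check next to the new one would close that, e.g. `if (elf_getu16(swap, elfhdr.e_phentsize) != sizeof(Elf32_Phdr)) return 0;` using whichever of sizeof(Elf32_Phdr)/sizeof(Elf64_Phdr) this instantiation of elfclass.h is compiled for. It would also help to note on the `return toomany(...)` line that toomany() returns 0, so this deliberately ends ELF classification for the file with a ", too many" annotation rather than reporting an error. The enclosing function starts and ends outside this hunk.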
|
|
@@ -45,18 +47,24 @@
|
|
#endif
|
|
case ET_EXEC:
|
|
case ET_DYN:
|
|
+ phnum = elf_getu16(swap, elfhdr.e_phnum);
|
|
+ if (phnum > MAX_PHNUM)
|
|
+ return toomany(ms, "program", phnum);
|
|
+ shnum = elf_getu16(swap, elfhdr.e_shnum);
|
|
+ if (shnum > MAX_SHNUM)
|
|
+ return toomany(ms, "section", shnum);
|
|
if (dophn_exec(ms, clazz, swap, fd,
|
|
- (off_t)elf_getu(swap, elfhdr.e_phoff),
|
|
- elf_getu16(swap, elfhdr.e_phnum),
|
|
+ (off_t)elf_getu(swap, elfhdr.e_phoff), phnum,
|
|
(size_t)elf_getu16(swap, elfhdr.e_phentsize),
|
|
- fsize, &flags, elf_getu16(swap, elfhdr.e_shnum))
|
|
- == -1)
|
|
+ fsize, &flags, shnum) == -1)
|
|
return -1;
|
|
/*FALLTHROUGH*/
|
|
case ET_REL:
|
|
+ shnum = elf_getu16(swap, elfhdr.e_shnum);
|
|
+ if (shnum > MAX_SHNUM)
|
|
+ return toomany(ms, "section", shnum);
|
|
if (doshn(ms, clazz, swap, fd,
|
|
- (off_t)elf_getu(swap, elfhdr.e_shoff),
|
|
- elf_getu16(swap, elfhdr.e_shnum),
|
|
+ (off_t)elf_getu(swap, elfhdr.e_shoff), shnum,
|
|
(size_t)elf_getu16(swap, elfhdr.e_shentsize),
|
|
&flags,
|
|
elf_getu16(swap, elfhdr.e_machine)) == -1)
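Review bot: In the ET_EXEC/ET_DYN case shnum is read and bounded, and then after `/*FALLTHROUGH*/` the ET_REL case reads and bounds the same e_shnum again, so an executable pays the check twice and the limit is enforced in two places that must be kept in sync. Since e_phnum and e_shnum do not change during the switch, reading them once above `switch (type) {` (outside this hunk) and dropping the repeated three lines under ET_REL would make the bound visible in one place. Separately, e_shentsize is still passed unchecked to doshn on the line below the new check, mirroring the e_phentsize situation in dophn_exec; whether doshn validates it against sizeof(Elf32_Shdr)/sizeof(Elf64_Shdr) is not visible here and is worth confirming.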
|
|
Index: contrib/file/readelf.c
|
|
===================================================================
|
|
--- contrib/file/readelf.c.orig
|
|
+++ contrib/file/readelf.c
|
|
@@ -60,6 +60,18 @@
|
|
private uint32_t getu32(int, uint32_t);
|
|
private uint64_t getu64(int, uint64_t);
|
|
|
|
+#define MAX_PHNUM 256
|
|
+#define MAX_SHNUM 1024
|
|
+
|
|
+private int
|
|
+toomany(struct magic_set *ms, const char *name, uint16_t num)
|
|
+{
|
|
+ if (file_printf(ms, ", too many %s header sections (%u)", name, num
|
|
+ ) == -1)
|
|
+ return -1;
|
|
+ return 0;
|
|
+}
|
|
+
|
|
private uint16_t
|
|
getu16(int swap, uint16_t value)
|
|
{
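Review bot: MAX_PHNUM and MAX_SHNUM are introduced with no comment saying what they bound or why 256 and 1024: they are not ELF format limits (e_phnum/e_shnum are 16-bit fields) but a denial-of-service cap on how many headers file(1) is willing to seek through, and legitimate relocatable objects built with -ffunction-sections/-fdata-sections can exceed 1024 sections and will now get a ", too many section header sections" note and no further ELF details. Suggest a comment above the defines: `/* DoS bounds on the number of program/section headers we walk; not ELF limits (the counts are 16-bit). Files above them get a ", too many" note and no further ELF details. */`. The format string in toomany() also reads awkwardly for program headers ("too many program header sections"); `", too many %s headers (%u)"` is accurate for both callers.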
|
|
@@ -391,13 +403,13 @@
|
|
if (namesz & 0x80000000) {
|
|
(void)file_printf(ms, ", bad note name size 0x%lx",
|
|
(unsigned long)namesz);
|
|
- return offset;
|
|
+ return 0;
|
|
}
|
|
|
|
if (descsz & 0x80000000) {
|
|
(void)file_printf(ms, ", bad note description size 0x%lx",
|
|
(unsigned long)descsz);
|
|
- return offset;
|
|
+ return 0;
|
|
}
|
|
|
|
|
|
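Review bot: Returning 0 instead of offset on the two bad-size paths relies on the caller treating 0 as "abandon the note walk"; that caller is outside this hunk, so confirm it does not interpret 0 as "consumed nothing" and spin. The `& 0x80000000` tests only reject sizes with the top bit set: a namesz or descsz just under 2^31, once aligned and added to offset, still passes here, so a later bound against the note buffer size is required and should be verified to exist further down in donote. A one-line comment on each return, e.g. `/* 0 tells the caller to stop walking notes */`, would make the new contract explicit. donote starts and ends outside this hunk.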
@@ -821,6 +833,7 @@
|
|
Elf32_Shdr sh32;
|
|
Elf64_Shdr sh64;
|
|
int stripped = 1;
|
|
+ size_t nbadcap = 0;
|
|
void *nbuf;
|
|
off_t noff;
|
|
uint64_t cap_hw1 = 0; /* SunOS 5.x hardware capabilites */
|
|
@@ -893,6 +906,8 @@
|
|
case SHT_SUNW_cap:
|
|
{
|
|
off_t coff;
|
|
+ if (nbadcap > 5)
|
|
+ break;
|
|
if ((off = lseek(fd, (off_t)0, SEEK_CUR)) ==
|
|
(off_t)-1) {
|
|
file_badread(ms);
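Review bot: The early `break` when nbadcap > 5 silently skips every subsequent SHT_SUNW_cap section, and nothing at the check says why; a comment would help the next reader, e.g. `/* after a few unparseable cap entries, stop decoding cap sections: each bad entry costs a file_printf and a crafted file can carry thousands */`. The bare 5 also has to agree in intent with the `> 2` test on the same counter later in doshn (outside this hunk); naming the two limits would keep them together. doshn starts and ends outside this hunk.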
|
|
@@ -933,6 +948,8 @@
|
|
(unsigned long long)xcap_tag,
|
|
(unsigned long long)xcap_val) == -1)
|
|
return -1;
|
|
+ if (nbadcap++ > 2)
|
|
+ coff = xsh_size;
|
|
break;
|
|
}
|
|
}
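Review bot: `if (nbadcap++ > 2) coff = xsh_size;` ends the scan of the current cap section by pushing coff past its end, but because of the post-increment it does so only on the fourth bad entry, and the 2 is unrelated on its face to the `> 5` test that guards entry into the cap case earlier in the same function, although both act on one cumulative counter. Two named constants (per-section and total) with a short comment, e.g. `/* give up on this section after a few bad entries; nbadcap is cumulative across sections */`, would make the intended policy readable. Note also that `coff = xsh_size` presumably terminates an enclosing loop whose condition is outside this hunk; confirm it compares coff against xsh_size rather than an offset that could still be less.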
|
|
@@ -1139,7 +1156,7 @@
|
|
int flags = 0;
|
|
Elf32_Ehdr elf32hdr;
|
|
Elf64_Ehdr elf64hdr;
|
|
- uint16_t type;
|
|
+ uint16_t type, phnum, shnum;
|
|
|
|
if (ms->flags & (MAGIC_MIME|MAGIC_APPLE))
|
|
return 0;
|
|
Index: contrib/file/softmagic.c
|
|
===================================================================
|
|
--- contrib/file/softmagic.c.orig
|
|
+++ contrib/file/softmagic.c
|
|
@@ -61,6 +61,9 @@
|
|
private void cvt_64(union VALUETYPE *, const struct magic *);
|
|
|
|
#define OFFSET_OOB(n, o, i) ((n) < (o) || (i) > ((n) - (o)))
|
|
+
|
|
+#define MAX_RECURSION_LEVEL 10
|
|
+
|
|
/*
|
|
* softmagic - lookup one file in parsed, in-memory copy of database
|
|
* Passed the name and FILE * of one file to be typed.
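Review bot: MAX_RECURSION_LEVEL halves the previous hard-coded 20 without saying what it bounds or why; deeper nesting now ends the match with a file_error ("recursion nesting exceeded"), which is a hard failure for the whole lookup rather than a soft miss, so magic entries that legitimately nest more than 10 levels of indirect offsets (presumably what recursion_level counts) will start erroring. A comment on the define should state that, e.g. `/* Max nesting depth of indirect-offset lookups; exceeding it aborts the match with file_error. Tunable: 10 is enough for the shipped magic and keeps crafted files cheap. */`.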
|
|
@@ -1030,7 +1033,7 @@
|
|
uint32_t count = m->str_range;
|
|
union VALUETYPE *p = &ms->ms_value;
|
|
|
|
- if (recursion_level >= 20) {
|
|
+ if (recursion_level >= MAX_RECURSION_LEVEL) {
|
|
file_error(ms, 0, "recursion nesting exceeded");
|
|
return -1;
|
|
}
|