Package: libmagic1
Version: 4.17-4
Severity: critical
My library/program using libmagic crashes when using a custom magic
file with any combination of magic_{check,compile,load}. A simple
test program can reproduce this behaviour. The error handling for
magic_open is omitted but this doesn't change the result. The malloc/
random/free stuff is necessary to get some garbage into memory.
That's why file(1) doesn't crash, I think. Compile it with:
$ gcc -o testmagic testmagic.c -lmagic
---------------------------------------------------------------------
#include <stdio.h>
#include <stdlib.h>
#include <magic.h>

int main(int argc, char *argv[])
{
    magic_t magic;
    char *buffer;
    int i;

    /* Allocate a block, fill it with random bytes and free it again so
     * the heap is not all zeros when libmagic allocates from it later. */
    buffer = malloc(4096);
    for(i = 0; i < 4096; i ++)
        buffer[i] = random() & 0xFF;
    free(buffer);

    if(argc < 2)
    {
        fprintf(stderr, "usage: %s <magicfile>\n", argv[0]);
        return EXIT_FAILURE;   /* without this argv[1] is NULL below */
    }

    /* Error handling for magic_open() is deliberately omitted here. */
    magic = magic_open(MAGIC_CHECK | MAGIC_SYMLINK);

    /* Compiling the custom magic file is what triggers the crash. */
    if(magic_compile(magic, argv[1]) != 0)
    {
        fprintf(stderr, "%s: failed to compile %s: %s (%d)\n",
            argv[0], argv[1],
            magic_error(magic),
            magic_errno(magic));
        magic_close(magic);
        return EXIT_FAILURE;
    }

    magic_close(magic);
    return EXIT_SUCCESS;
}
---------------------------------------------------------------------
Backtrace:
(gdb) run /opt/mad/lib/libg3d/libg3d.magic
Starting program: .../testmagic /opt/mad/lib/libg3d/libg3d.magic
Program received signal SIGSEGV, Segmentation fault.
0xb7e4f77d in memset () from /lib/tls/libc.so.6
(gdb) bt
#0 0xb7e4f77d in memset () from /lib/tls/libc.so.6
#1 0xb7f17d76 in file_showstr () from /usr/lib/libmagic.so.1
#2 0xb7f1989a in file_apprentice () from /usr/lib/libmagic.so.1
#3 0xb7f17302 in magic_compile () from /usr/lib/libmagic.so.1
#4 0x080486f1 in main ()
---------------------------------------------------------------------
strace:
...
open("/opt/mad/lib/libg3d/libg3d.magic", O_RDONLY|O_LARGEFILE) = 3
fstat64(3, {st_mode=S_IFREG|0644, st_size=1662, ...}) = 0
mmap2(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0xb7f47000
read(3, "# $Id$\n\n# 3D Studio\n0 "..., 4096) = 1662
--- SIGSEGV (Segmentation fault) @ 0 (0) ---
+++ killed by SIGSEGV +++
---------------------------------------------------------------------
The bug may be related to
https://launchpad.net/distros/ubuntu/+source/file/+bug/38015
as I get a similar backtrace for magic_check().
I did not really look at the source code yet, but it looks like an
uninitialized or unallocated buffer/variable.
My System: Debian Etch (up-to-date) on AMD K7 as well as Intel PIII.
Markus
--
A CRAY is the only computer that runs an endless loop in just 4 hours...