Hi, I would like to report a crash (coredump) with an invalid magic file (MALLOC_OPTIONS=S is needed to expose the bug).
--- ~/.magic ---
0 beshort 0xffd8 JPEG image data
!:mime image/jpeg
>6 string JFIF\
--- end of file ---

The problem is on the last line: the function magic_get_string, used to get the "JFIF\" string, misses the end-of-line due to the '\' char, resulting in processing outside the line variable.

Problem found using afl-fuzz.

The proposed diff ensures '\0' is correctly detected, and returns an error ("can't parse string").

--
Sébastien Marie

Index: magic-load.c =================================================================== RCS file: /cvs/src/usr.bin/file/magic-load.c,v retrieving revision 1.2 diff -u -p -r1.2 magic-load.c --- magic-load.c 24 Apr 2015 16:45:32 -0000 1.2 +++ magic-load.c 25 Apr 2015 18:21:04 -0000 @@ -479,6 +479,8 @@ magic_get_string(char **line, char *out, case '\"': *out++ = '\"'; break; + case '\0': + return (-1); default: *out++ = c; break;
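Review bot: returning -1 from the new `case '\0':` leaves `out` without a terminating NUL, since the earlier `*out++ = ...` writes visible in the hunk have already stored part of the token; that is only safe if every caller treats -1 as fatal and never reads `out` afterwards, which the hunk cannot show, so either add `*out = '\0';` before `return (-1);` or state in a comment that the output is undefined on error. A short comment on the case saying it catches a backslash at end of line would also help the next reader, since nothing else in the switch explains why NUL is special.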
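An added, stand-alone C illustration (not the file(1) code and not part of the report) of the failure mode described above: a trailing backslash makes the escape switch consume the line's terminating NUL, so the copy loop walks on into whatever bytes follow the line; the `reject_nul` flag selects the proposed `case '\0'` check. `get_string_demo`, `run_demo`, `sample_line` and `out_buf` are hypothetical names, and the sample input is constructed.

```c
#include <string.h>

/*
 * Stand-in for magic_get_string() (hypothetical, not the file(1) code):
 * copy one blank-terminated token from line into out, expanding backslash
 * escapes. Returns bytes stored, or -1 if the string cannot be parsed.
 * reject_nul == 0 reproduces the pre-patch fallthrough; != 0 applies the
 * proposed "case '\0': return (-1)" check.
 */
static int
get_string_demo(const char *line, char *out, size_t outlen, int reject_nul)
{
	const char *p = line;
	size_t n = 0;

	while (*p != '\0' && *p != ' ' && *p != '\t') {
		if (n + 1 >= outlen)
			return (-1);		/* output buffer full */
		if (*p != '\\') {
			out[n++] = *p++;
			continue;
		}
		switch (*++p) {			/* character after the backslash */
		case 'n':  out[n++] = '\n'; break;
		case ' ':  out[n++] = ' ';  break;
		case '\\': out[n++] = '\\'; break;
		case '\0':
			if (reject_nul)
				return (-1);	/* patched: trailing '\' is an error */
			/* FALLTHROUGH - unpatched code copies the NUL like any other char */
		default:   out[n++] = *p;   break;
		}
		p++;	/* unpatched path: this steps past the terminating NUL */
	}
	out[n] = '\0';
	return ((int)n);
}

/* Constructed input: "JFIF\" with bytes after its NUL standing in for
 * whatever memory happens to sit past the end of the line. */
static const char sample_line[] = "JFIF\\\0XYZ";
static char out_buf[32];

/* Run the copy on the sample with or without the fix; result in out_buf. */
static int
run_demo(int reject_nul)
{
	return (get_string_demo(sample_line, out_buf, sizeof out_buf, reject_nul));
}
```

With the check in place the call fails immediately; without it the copy returns 8 bytes, the NUL included, and the trailing "XYZ" that was never part of the line.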