Applied, thanks!
On Sat, Apr 25, 2015 at 08:26:35PM +0200, Sébastien Marie wrote:
> Hi,
> 
> I would like to report a crash (coredump) with an invalid magic file
> (MALLOC_OPTIONS=S is needed to expose the bug).
> 
> --- ~/.magic ---
> 0 beshort 0xffd8 JPEG image data
> !:mime image/jpeg
> >6 string JFIF\
> --- end of file ---
> 
> The problem is on the last line: the function magic_get_string, used to
> get the "JFIF\" string, misses the end-of-line due to the '\' char, resulting in
> processing outside the line variable.
> 
> Problem found using afl-fuzz.
> 
> The proposed diff ensures '\0' is correctly detected, and returns an
> error ("can't parse string").
> -- 
> Sébastien Marie
> 
> 
> Index: magic-load.c
> ===================================================================
> RCS file: /cvs/src/usr.bin/file/magic-load.c,v
> retrieving revision 1.2
> diff -u -p -r1.2 magic-load.c
> --- magic-load.c 24 Apr 2015 16:45:32 -0000 1.2
> +++ magic-load.c 25 Apr 2015 18:21:04 -0000
> @@ -479,6 +479,8 @@ magic_get_string(char **line, char *out,
> case '\"':
> *out++ = '\"';
> break;
> + case '\0':
> + return (-1);
> default:
> *out++ = c;
> break;
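Review bot: the new `case '\0': return (-1);` has to sit before `default:`, as it does here, because the default arm would otherwise copy the terminating NUL into `out` and let the loop keep scanning past the end of the line, which is exactly the over-read afl-fuzz hit with the trailing `\` in `>6 string JFIF\`. Two small follow-ups: add a one-line comment on the new arm (for example `/* trailing '\\' at end of line: unterminated escape */`) so the intent survives later edits, and confirm that every caller of magic_get_string() treats -1 as fatal for the line and does not reuse `*line` or the partially filled `out` afterwards.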
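To make the failure mode concrete, the following is an added example and not file(1)'s code: a stripped-down model of a magic-file string decoder in the shape of magic_get_string(), with the escape-after-backslash bug reproduced in get_string_buggy() and the equivalent of the patch's `case '\0': return (-1)` in get_string_fixed(). The function names, the tiny set of escapes handled (`\\`, `\"`, `\n`) and the constructed inputs are all assumptions made for the example; the over-read is kept inside one array on purpose so it can be observed without undefined behaviour.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/*
 * Example code, not file(1)'s magic_get_string(): a minimal model of how
 * a magic-file parser decodes one backslash-escaped string token.
 * Both variants consume from *line, write the decoded bytes to out
 * (NUL-terminated) and return the byte count, or -1 on a parse error.
 */

/* Decode the character that followed a backslash (hypothetical subset). */
static char
unescape(char c)
{
	switch (c) {
	case 'n':
		return '\n';
	default:
		return c;	/* \\, \" and unknown escapes pass through */
	}
}

/*
 * Buggy variant: after a backslash it consumes the next byte blindly.
 * If that byte is the terminating NUL, *line steps past the end of the
 * string and the loop keeps reading whatever lies beyond it.
 */
static int
get_string_buggy(const char **line, char *out, size_t outmax)
{
	size_t n = 0;
	char c;

	while (**line != '\0' && n < outmax - 1) {
		c = *(*line)++;
		if (isspace((unsigned char)c))
			break;
		if (c == '\\')
			c = unescape(*(*line)++);	/* BUG: may consume the NUL */
		out[n++] = c;
	}
	out[n] = '\0';
	return (int)n;
}

/*
 * Fixed variant: a backslash followed by NUL is an unterminated escape.
 * Report it without advancing past the terminator, which is what the
 * "case '\0': return (-1);" arm in the patch achieves.
 */
static int
get_string_fixed(const char **line, char *out, size_t outmax)
{
	size_t n = 0;
	char c;

	while (**line != '\0' && n < outmax - 1) {
		c = *(*line)++;
		if (isspace((unsigned char)c))
			break;
		if (c == '\\') {
			if (**line == '\0') {
				out[0] = '\0';
				return -1;	/* can't parse string */
			}
			c = unescape(*(*line)++);
		}
		out[n++] = c;
	}
	out[n] = '\0';
	return (int)n;
}

int
main(void)
{
	/* Constructed input: the token "JFIF\" and its terminator, with a
	 * few extra bytes placed after the NUL so the over-read is visible
	 * while staying inside the array. */
	const char bad[] = "JFIF\\\0XYZ";
	const char *p;
	char out[64];
	int n;

	p = bad;
	n = get_string_buggy(&p, out, sizeof out);
	printf("buggy: returned %d, consumed %td bytes of a %zu-byte string\n",
	    n, p - bad, strlen(bad));

	p = bad;
	n = get_string_fixed(&p, out, sizeof out);
	printf("fixed: returned %d, consumed %td bytes\n", n, p - bad);
	return 0;
}
```

Run it and the buggy variant reports having consumed more bytes than the string holds, with "XYZ" appended to the decoded token; the fixed variant returns -1 with `*line` still pointing at the terminator, so a caller that rejects the line on -1 never touches memory past it.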