segfault in magic_buffer

Christos Zoulas christos at zoulas.com
Thu Feb 13 01:14:15 EET 2014


On Feb 12, 11:39pm, gw.file.bgzt at manchmal.in-ulm.de (Christoph Biedl) wrote:
-- Subject: Re: segfault in magic_buffer

| Christos Zoulas wrote...
| 
| > Infinite recursion...
| 
| Yep.
| 
| > --- softmagic.c	8 Jan 2014 22:22:54 -0000	1.172
| > +++ softmagic.c	11 Feb 2014 15:41:13 -0000
| > @@ -1738,6 +1738,8 @@
| >  		break;
| >  
| >  	case FILE_INDIRECT:
| > +		if (offset == 0)
| > +			return 0;
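Review bot: the `if (offset == 0) return 0;` guard in the FILE_INDIRECT case only stops the self-referential case where the indirect offset is zero; an indirect rule whose computed offset is non-zero still re-enters the magic evaluation with no bound on nesting, and the reply below shows the crash surviving the patch with a file of \x01 bytes and the rule `>(1.b) indirect x`, where the offset evaluates to 1 at every level. Thread a recursion-depth counter through the indirect call and fail the match once it exceeds a fixed limit, as the follow-up proposes.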
| 
| Sorry, but that's not sufficient: a file consisting of a lot of \x01
| values still fills the stack if some specially crafted magic is in
| use; some 24000 octets are needed here. It seems the only feasible
| solution is to count the recursions and stop at a certain depth. I
| cannot imagine why anyone would want to go deeper than two or three
| levels, but even a limit of 50 or 100 wouldn't do harm.
| 
| Reproducer:
| 
| $ perl -e 'print "\x01" x 25000' >../sample.still-bad
| $ cat ../magic
| 0           byte        x
| >(1.b)      indirect    x
| $ LD_LIBRARY_PATH=src/.libs/ ./src/.libs/file -m ../magic ../sample.still-bad 
| Segmentation fault

Sounds reasonable and easy to do....

christos
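As an added illustration (not libmagic's code and not from this thread), a small C model of the reproducer's indirect rule with the recursion counter Christoph proposes; MAX_INDIRECT_DEPTH, eval_indirect, run_indirect and check_all_ones are names assumed here, and the input is constructed to mirror the 25000-byte \x01 sample.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Assumed limit; name and value are this example's, not libmagic's. */
#define MAX_INDIRECT_DEPTH 20

enum { IND_OK = 0, IND_TOO_DEEP = -1, IND_ERROR = -2 };

/*
 * Model of the reproducer's rule ">(1.b) indirect x": the byte at position 1
 * of the current view becomes a new offset and the magic is re-run on the
 * view starting there.  `depth` counts nested indirect evaluations and
 * `*deepest` records the deepest level reached.
 */
static int
eval_indirect(const uint8_t *buf, size_t len, size_t off, int depth, int *deepest)
{
    if (depth > MAX_INDIRECT_DEPTH)   /* the recursion counter the reply asks for */
        return IND_TOO_DEEP;
    if (*deepest < depth)
        *deepest = depth;
    if (off + 1 >= len)               /* nothing to read: the rule does not match */
        return IND_OK;
    if (buf[off + 1] == 0)            /* the posted patch's check: offset 0 re-enters the same view */
        return IND_OK;
    return eval_indirect(buf, len, off + buf[off + 1], depth + 1, deepest);
}

/* Evaluate the rule from the start of a buffer; returns IND_OK or IND_TOO_DEEP. */
int
run_indirect(const uint8_t *buf, size_t len, int *deepest)
{
    *deepest = 0;
    return eval_indirect(buf, len, 0, 0, deepest);
}

/* Constructed input matching the reproducer: n bytes of 0x01. */
int
check_all_ones(size_t n, int *deepest)
{
    uint8_t *buf = malloc(n);
    if (buf == NULL)
        return IND_ERROR;
    memset(buf, 0x01, n);
    int rc = run_indirect(buf, n, deepest);
    free(buf);
    return rc;
}
```

Without the depth check the same walk over the 25000-byte sample nests once per byte, which is the stack exhaustion the reproducer shows; with it, evaluation stops after MAX_INDIRECT_DEPTH levels and the match simply fails.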
