Bug 132929 - Off-by-one array access
Status: CLOSED RAWHIDE
Product: Fedora
Classification: Fedora
Component: file
Version: 2
Hardware: All
OS: Linux
Priority: medium
Severity: medium
Assigned To: Radek Vokal
QA Contact: Mike McLean
Reported: 2004-09-19 18:24 EDT by Mark Schreiber
Modified: 2007-11-30 17:10 EST
Doc Type: Bug Fix
Last Closed: 2004-09-20 04:45:35 EDT


Attachments
Prevents beyond-end-of-array access from occurring (509 bytes, patch)
2004-09-19 18:26 EDT, Mark Schreiber
Description Mark Schreiber 2004-09-19 18:24:41 EDT
From Bugzilla Helper:
User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.7) Gecko/20040808 Firefox/0.9.3

Description of problem:
Valgrind (and manual code inspection) indicates that file accesses an
element of magic[] one beyond that array's size on line 137 of
softmagic.c.


Version-Release number of selected component (if applicable):
4.07-4

How reproducible:
Always

Steps to Reproduce:
1. echo "foobar" > foo
2. valgrind --tool=memcheck file foo
3. observe invalid memory access warning

Actual Results:
==15592== Invalid read of size 2
==15592==    at 0x1B9321A5: (within /usr/lib/libmagic.so.1.0)
==15592==    by 0x1B932072: file_softmagic (in /usr/lib/libmagic.so.1.0)
==15592==    by 0x1B937981: file_buffer (in /usr/lib/libmagic.so.1.0)
==15592==    by 0x1B93032C: magic_file (in /usr/lib/libmagic.so.1.0)
==15592==  Address 0x1BDC9F00 is not stack'd, malloc'd or (recently) free'd
foo: ASCII text


Expected Results:  foo: ASCII text

Additional info:
Comment 1 Mark Schreiber 2004-09-19 18:26:46 EDT
Created attachment 104002 [details]
Prevents beyond-end-of-array access from occurring
Comment 2 Radek Vokal 2004-09-20 04:45:35 EDT
Bug is already fixed in file-4.10-1
