+++ This bug was initially created as a clone of Bug #233161 +++ Description of problem: The ChangeLog states this: 2007-02-08 17:30 Christos Zoulas <christos> * fix integer underflow in file_printf which can lead to to exploitable heap overflow (Jean-Sebastien Guay-Lero) Christos clarifies further: The crux of the problem is here: - if ((buf = realloc(ms->o.buf, len + 1024)) == NULL) { - file_oomem(ms, len + 1024); + size = (ms->o.size - ms->o.left) + len + 1024; + if ((buf = realloc(ms->o.buf, size)) == NULL) { Instead of allocating len + 1024 bytes on top of the previous size, before the fix we allocated just len + 1024 bytes. So if the buffer was let's say 4K, and we printed a string of len < 3K in this pass, then we effectively decreased the size of the string instead of growing it because of the realloc(). christos Version-Release number of selected component (if applicable): file-3.* is not affected. RHEL-3, RHEL-4, RHEL-5, FC-5, FC-6 How reproducible: No reproducer available.
The upstream patch can be found here: http://cvsweb.netbsd.org/cgi-bin/cvsweb.cgi/src/dist/file/src/funcs.c.diff?r1=1.1.1.10&r2=1.1.1.11&f=h
This issue should be fixed in file-4.19-2.fc6.