author | Dimitry Andric <dim@cvs.openbsd.org> | 2007-07-09 16:39:49 +0000 |
---|---|---|
committer | Dimitry Andric <dim@cvs.openbsd.org> | 2007-07-09 16:39:49 +0000 |
commit | 1ca0ab2dd59e09dad217b378e6d61e14614a7b9f (patch) | |
tree | 1b433aec50f591fb84374bdbc581304353f39328 /usr.bin/file/file.h | |
parent | 08bfd6050b319bf088033a11a215734c539620e2 (diff) |
Fix possible heap overflow in file(1), aka CVE-2007-1536.
When writing data into a buffer in the file_printf() function, the
length of the unused portion of the buffer is not correctly tracked,
resulting in a buffer overflow when processing certain files.
Adapted from FreeBSD's SA-07:04.file fix, with ok and some minor
tweaks from canacar@ and ray@.
Diffstat (limited to 'usr.bin/file/file.h')
-rw-r--r-- | usr.bin/file/file.h | 6 |
1 files changed, 3 insertions, 3 deletions
diff --git a/usr.bin/file/file.h b/usr.bin/file/file.h
index a02927f4207..d5db648de38 100644
--- a/usr.bin/file/file.h
+++ b/usr.bin/file/file.h
@@ -1,4 +1,4 @@
-/* $OpenBSD: file.h,v 1.16 2004/05/19 02:32:35 tedu Exp $ */
+/* $OpenBSD: file.h,v 1.17 2007/07/09 16:39:48 dim Exp $ */
 /*
 * Copyright (c) Ian F. Darwin 1986-1995.
 * Software written by Ian F. Darwin and others;
@@ -28,7 +28,7 @@
 */
 /*
 * file.h - definitions for file(1) program
- * @(#)$Id: file.h,v 1.16 2004/05/19 02:32:35 tedu Exp $
+ * @(#)$Id: file.h,v 1.17 2007/07/09 16:39:48 dim Exp $
 */
 #ifndef __file_h__
@@ -177,7 +177,7 @@ struct magic_set {
 /* Accumulation buffer */
 char *buf;
 char *ptr;
- size_t len;
+ size_t left;
 size_t size;
 /* Printable buffer */
 char *pbuf; |
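Review bot: The renamed field `left` in the third hunk (`struct magic_set`, accumulation buffer) has no comment saying what it counts, although getting that quantity wrong is what the commit message describes as the cause of the overflow. Going by that message it appears to hold the unused bytes remaining in `buf`, so I would document the invariant on the field itself, e.g. `size_t left;	/* unused bytes remaining in buf, starting at ptr */`, and add a matching note on `size` once its meaning is confirmed. Renaming the field instead of reusing `len` is helpful because any code still using the old name fails to compile. The code that updates `left` and `ptr` is outside this header and not visible here, so the check that a formatted write never exceeds `left` has to be reviewed there. The struct body starts and ends outside the hunk.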