author | Colin Percival <cperciva@FreeBSD.org> | 2007-05-23 16:13:20 +0000 |
---|---|---|
committer | Colin Percival <cperciva@FreeBSD.org> | 2007-05-23 16:13:20 +0000 |
commit | 62c84489b6932acce035157914239d321c67f456 (patch) | |
tree | 10812174971bfea4d8c625380abae79018e7beef | |
parent | d81d108bf6838c77d5990a8d6e398266562586b8 (diff) | |
-rw-r--r-- | UPDATING | 5 | ||||
-rw-r--r-- | contrib/file/file.h | 2 | ||||
-rw-r--r-- | contrib/file/funcs.c | 41 | ||||
-rw-r--r-- | contrib/file/magic.c | 3 | ||||
-rw-r--r-- | sys/conf/newvers.sh | 2 |
5 files changed, 33 insertions, 20 deletions
diff --git a/UPDATING b/UPDATING
index 5e8e111c31740..4aaa3c5e670c7 100644
--- a/UPDATING
+++ b/UPDATING
@@ -8,7 +8,10 @@ Items affecting the ports and packages system can be found in /usr/ports/UPDATING. Please read that file before running portupgrade.
-20070426: p4 FreeBSD-SA-07:04.ipv6
+20070523: p5 FreeBSD-SA-07:04.file
+ Fix buffer overflow in libmagic(3).
+
+20070426: p4 FreeBSD-SA-07:03.ipv6
 Disable processing of IPv6 type 0 Routing Headers. This behaviour can be changed via the (newly added) net.inet6.ip6.rthdr0_allowed sysctl.
diff --git a/contrib/file/file.h b/contrib/file/file.h
index f29bba01afc42..6c1c576bcc031 100644
--- a/contrib/file/file.h
+++ b/contrib/file/file.h
@@ -226,7 +226,7 @@ struct magic_set {
 /* Accumulation buffer */
 char *buf;
 char *ptr;
- size_t len;
+ size_t left;
 size_t size;
 /* Printable buffer */
 char *pbuf;
diff --git a/contrib/file/funcs.c b/contrib/file/funcs.c
index bd77f13cabc25..24c5b9d418ced 100644
--- a/contrib/file/funcs.c
+++ b/contrib/file/funcs.c
@@ -26,6 +26,7 @@
 */
 #include "file.h"
 #include "magic.h"
+#include <limits.h>
 #include <stdarg.h>
 #include <stdlib.h>
 #include <string.h>
@@ -41,27 +42,31 @@ protected int
 file_printf(struct magic_set *ms, const char *fmt, ...)
 {
 va_list ap;
- size_t len;
+ size_t len, size;
 char *buf;
 va_start(ap, fmt);
- if ((len = vsnprintf(ms->o.ptr, ms->o.len, fmt, ap)) >= ms->o.len) {
+ if ((len = vsnprintf(ms->o.ptr, ms->o.left, fmt, ap)) >= ms->o.left) {
+ long diff; /* XXX: really ptrdiff_t */
+
 va_end(ap);
- if ((buf = realloc(ms->o.buf, len + 1024)) == NULL) {
+ size = (ms->o.size - ms->o.left) + len + 1024;
+ if ((buf = realloc(ms->o.buf, size)) == NULL) {
 file_oomem(ms);
 return -1;
 }
- ms->o.ptr = buf + (ms->o.ptr - ms->o.buf);
+ diff = ms->o.ptr - ms->o.buf;
+ ms->o.ptr = buf + diff;
 ms->o.buf = buf;
- ms->o.len = ms->o.size - (ms->o.ptr - ms->o.buf);
- ms->o.size = len + 1024;
+ ms->o.left = size - diff;
+ ms->o.size = size;
 va_start(ap, fmt);
- len = vsnprintf(ms->o.ptr, ms->o.len, fmt, ap);
+ len = vsnprintf(ms->o.ptr, ms->o.left, fmt, ap);
 }
 ms->o.ptr += len;
- ms->o.len -= len;
+ ms->o.left -= len;
 va_end(ap);
 return 0;
 }
@@ -150,8 +155,8 @@ file_reset(struct magic_set *ms)
 protected const char *
 file_getbuffer(struct magic_set *ms)
 {
- char *nbuf, *op, *np;
- size_t nsize;
+ char *pbuf, *op, *np;
+ size_t psize, len;
 if (ms->haderr)
 return NULL;
@@ -159,14 +164,20 @@ file_getbuffer(struct magic_set *ms)
 if (ms->flags & MAGIC_RAW)
 return ms->o.buf;
- nsize = ms->o.len * 4 + 1;
- if (ms->o.psize < nsize) {
- if ((nbuf = realloc(ms->o.pbuf, nsize)) == NULL) {
+ len = ms->o.size - ms->o.left;
+ if (len > (SIZE_T_MAX - 1) / 4) {
+ file_oomem(ms);
+ return NULL;
+ }
+ /* * 4 is for octal representation, + 1 is for NUL */
+ psize = len * 4 + 1;
+ if (ms->o.psize < psize) {
+ if ((pbuf = realloc(ms->o.pbuf, psize)) == NULL) {
 file_oomem(ms);
 return NULL;
 }
- ms->o.psize = nsize;
- ms->o.pbuf = nbuf;
+ ms->o.psize = psize;
+ ms->o.pbuf = pbuf;
 }
 for (np = ms->o.pbuf, op = ms->o.buf; *op; op++) {
diff --git a/contrib/file/magic.c b/contrib/file/magic.c
index 4516ba85cf21e..f8d6358ed57ca 100644
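Review bot: In file_printf the int result of vsnprintf() is still stored in the size_t `len`, so a negative return (an output error) becomes a very large value, passes the `>= ms->o.left` test and feeds `size = (ms->o.size - ms->o.left) + len + 1024`, which can then wrap; the result of the second vsnprintf() is likewise added to `ms->o.ptr` without a check. Take the result in an int first and fail on error, e.g. `int n = vsnprintf(ms->o.ptr, ms->o.left, fmt, ap);` followed by `if (n < 0) { va_end(ap); return -1; }`, and reject a `len` large enough to overflow `size` before calling realloc(). Separately, `diff = ms->o.ptr - ms->o.buf` is evaluated after realloc() may already have released the old block; computing it before the realloc() call, and declaring it `ptrdiff_t` (from <stddef.h>) as the XXX comment suggests, avoids arithmetic on stale pointers.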
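Review bot: In file_getbuffer, `len = ms->o.size - ms->o.left` equals the number of bytes written only while every path that rewinds `ms->o.ptr` also restores `ms->o.left`; file_reset() is named in the preceding hunk header but is not modified by this commit, so it is worth confirming that it resets `left` (presumably `ms->o.left = ms->o.size;`). If it does not, `len` merely over-states the used length, which is safe for this allocation but lets the bookkeeping drift. Deriving the length from the pointers, `len = (size_t)(ms->o.ptr - ms->o.buf);`, would not depend on that invariant. `SIZE_T_MAX` is a BSD <limits.h> name rather than standard C; `SIZE_MAX` from <stdint.h> is the portable spelling if this change goes back to the vendor tree. The escaping loop of the function continues past the end of the hunk.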
--- a/contrib/file/magic.c
+++ b/contrib/file/magic.c
@@ -89,7 +89,7 @@ magic_open(int flags)
 goto free1;
 }
- ms->o.ptr = ms->o.buf = malloc(ms->o.size = 1024);
+ ms->o.ptr = ms->o.buf = malloc(ms->o.left = ms->o.size = 1024);
 if (ms->o.buf == NULL)
 goto free1;
@@ -101,7 +101,6 @@ magic_open(int flags)
 if (ms->c.off == NULL)
 goto free3;
- ms->o.len = 0;
 ms->haderr = 0;
 ms->error = -1;
 ms->mlist = NULL;
diff --git a/sys/conf/newvers.sh b/sys/conf/newvers.sh
index d2b9123c16577..a58d61b89a492 100644
--- a/sys/conf/newvers.sh
+++ b/sys/conf/newvers.sh
@@ -32,7 +32,7 @@
 TYPE="FreeBSD"
 REVISION="6.2"
-BRANCH="RELEASE-p4"
+BRANCH="RELEASE-p5"
 if [ "X${BRANCH_OVERRIDE}" != "X" ]; then
 BRANCH=${BRANCH_OVERRIDE}
 fi |
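Review bot: In the first magic_open hunk the buffer accounting is initialised through a chained assignment inside the malloc() argument, `malloc(ms->o.left = ms->o.size = 1024)`, which makes it easy to miss that `left` and `size` are set here, and the literal 1024 is repeated as the growth increment in file_printf. Separate statements read more clearly, e.g. `ms->o.size = ms->o.left = 1024;` then `ms->o.ptr = ms->o.buf = malloc(ms->o.size);`, ideally with one named constant shared by both files. magic_open starts and ends outside the hunk.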