[File] [SECURITY] Integer Overflow in ascmagic.c UTF-8 Buffer Allocation (file-5.17, 32-bit)
Kerwin
kerwinxia66001 at gmail.com
Wed Apr 1 15:19:12 UTC 2026
Hi maintainers,
I am reporting an integer overflow vulnerability in libmagic (file-5.17)
where the calculation `mlen = ulen * 6` in `file_ascmagic_with_encoding()`
(ascmagic.c:141-142) overflows on 32-bit platforms, causing an undersized
`malloc`. The heap corruption is mitigated by bounds checking in
`encode_utf8()`, but the overflow results in a logic error / denial of
service.
Please find the detailed vulnerability report and proof-of-concept files
attached.
Best regards
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://mailman.astron.com/pipermail/file/attachments/20260401/0c550bc5/attachment-0001.htm>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: POC.tar
Type: application/x-tar
Size: 20480 bytes
Desc: not available
URL: <https://mailman.astron.com/pipermail/file/attachments/20260401/0c550bc5/attachment-0001.tar>
More information about the File
mailing list