[File] [SECURITY] Out-of-Bounds Read in cdf_read_short_sector() via Off-by-One (file-5.17)
Kerwin
kerwinxia66001 at gmail.com
Wed Apr 1 15:21:55 UTC 2026
Hi maintainers,
I am reporting an off-by-one out-of-bounds read vulnerability in libmagic
(file-5.17) where `cdf_read_short_sector()` (cdf.c:355) uses `>` instead of
`>=` in its bounds check, allowing a short sector position exactly at the
buffer limit to pass validation, causing `memcpy` to read 64 bytes
completely past the end of the buffer.
Please find the detailed vulnerability report and proof-of-concept files
attached.
Best regards
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://mailman.astron.com/pipermail/file/attachments/20260401/c43b2939/attachment-0001.htm>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: POC.tar
Type: application/x-tar
Size: 30208 bytes
Desc: not available
URL: <https://mailman.astron.com/pipermail/file/attachments/20260401/c43b2939/attachment-0001.tar>
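Added example, not part of the original message and not libmagic's own source: a simplified C model of the bounds-check shape the report describes, next to a hardened range check. The struct, the function names and the 256-byte sample stream are assumptions constructed for illustration, and the hardened check goes beyond the `>=` change named in the report by validating the whole read range.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define SHORT_SEC_SIZE 64   /* the 64-byte read size from the report */

/* Hypothetical model of the short-sector stream: len bytes at tab. */
struct stream { const unsigned char *tab; size_t len; };

/* Check shape the report describes: rejects only pos strictly past the end. */
static int accepts_reported(const struct stream *s, size_t pos)
{
    return !(pos > s->len);
}

/* Hardened: all of [pos, pos + n) must fit, with no overflow in pos + n. */
static int accepts_hardened(const struct stream *s, size_t pos, size_t n)
{
    return n <= s->len && pos <= s->len - n;
}

/* Copy short sector id into out; returns bytes copied, or -1 if out of range. */
static long read_short_sector(const struct stream *s, unsigned char *out, size_t id)
{
    if (id > (size_t)-1 / SHORT_SEC_SIZE)   /* id * size would wrap */
        return -1;
    size_t pos = id * SHORT_SEC_SIZE;
    if (!accepts_hardened(s, pos, SHORT_SEC_SIZE))
        return -1;
    memcpy(out, s->tab + pos, SHORT_SEC_SIZE);
    return SHORT_SEC_SIZE;
}

/* Constructed sample: a 4-sector stream, every byte set to its sector index. */
static unsigned char sample[4 * SHORT_SEC_SIZE];
static struct stream make_sample(void)
{
    struct stream s = { sample, sizeof(sample) };
    for (size_t i = 0; i < sizeof(sample); i++)
        sample[i] = (unsigned char)(i / SHORT_SEC_SIZE);
    return s;
}

int main(void)
{
    struct stream s = make_sample();
    unsigned char out[SHORT_SEC_SIZE];
    printf("pos == limit: reported check accepts=%d, hardened read returns %ld\n",
           accepts_reported(&s, s.len), read_short_sector(&s, out, 4));
    return 0;
}
```

Building the caller with `-fsanitize=address` is a quick way to confirm that no read at or past the limit reaches `memcpy`.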