[File] [SECURITY] Out-of-Bounds Read in cdf_read_short_sector() via Off-by-One (file-5.17)
Christos Zoulas
christos at zoulas.com
Fri Apr 17 10:02:32 EDT 2026
Hi Kerwin,
The current version of file is 5.46 and the bug you found was fixed in 2014:
1.56 (christos 05-May-14): if (pos + len > CDF_SEC_SIZE(h) * sst->sst_len) {
Best,
christos
> On Apr 1, 2026, at 11:21 AM, Kerwin <kerwinxia66001 at gmail.com> wrote:
>
> Hi maintainers,
>
> I am reporting an off-by-one out-of-bounds read vulnerability in libmagic (file-5.17) where `cdf_read_short_sector()` (cdf.c:355) uses `>` instead of `>=` in its bounds check, allowing a short sector position exactly at the buffer limit to pass validation, causing `memcpy` to read 64 bytes completely past the end of the buffer.
>
> Please find the detailed vulnerability report and proof-of-concept files attached.
>
> Best regards
>
> <POC.tar>
> <sanitizer.log>
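As an added illustration, not code from file(1) or from either correspondent, the following is a simplified model of the bounds check in front of the memcpy: the start-offset-only comparison the report describes beside the `pos + len` form of the 2014 fix quoted above, with an overflow guard on the addition that the quoted line does not show. The sector sizes and the 512-byte buffer are constructed for the demonstration.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Constructed sizes standing in for CDF_SEC_SIZE(h) and
 * CDF_SHORT_SEC_SIZE(h); this is an added model, not file's code. */
#define SEC_SIZE       512u
#define SHORT_SEC_SIZE  64u

/* Check as the report describes it: only the start offset is compared,
 * so a short sector beginning exactly at the buffer limit (pos == total)
 * passes and the following memcpy reads len bytes past the end. */
static int check_start_only(size_t pos, size_t len, size_t total)
{
    (void)len;
    return pos > total ? -1 : 0;
}

/* Check in the form of the 2014 fix: the end of the read must lie within
 * the buffer. Rejecting a wrapped pos + len first is an addition here. */
static int check_range(size_t pos, size_t len, size_t total)
{
    if (len > SIZE_MAX - pos)       /* pos + len would wrap around */
        return -1;
    return pos + len > total ? -1 : 0;
}

/* Copy short sector `id` out of a short-sector stream made of sst_len
 * normal sectors. Returns bytes copied, or -1 when the range check fails. */
long read_short_sector(const unsigned char *sst_tab, size_t sst_len,
                       size_t id, unsigned char *out)
{
    size_t total = SEC_SIZE * sst_len;
    if (id > SIZE_MAX / SHORT_SEC_SIZE)  /* id * SHORT_SEC_SIZE would wrap */
        return -1;
    size_t pos = id * SHORT_SEC_SIZE;
    if (check_range(pos, SHORT_SEC_SIZE, total) != 0)
        return -1;
    memcpy(out, sst_tab + pos, SHORT_SEC_SIZE);
    return (long)SHORT_SEC_SIZE;
}

/* Constructed one-sector (512-byte) stream: ids 0..7 are in bounds,
 * id 8 starts exactly at the limit and must be refused. */
static unsigned char g_sst[SEC_SIZE];

long demo_read(size_t id)
{
    unsigned char out[SHORT_SEC_SIZE];
    return read_short_sector(g_sst, 1, id, out);
}
```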