[File] [SECURITY] Out-of-Bounds Read from Small .mgc File in apprentice.c (file-5.17)

Christos Zoulas christos at zoulas.com
Fri Apr 17 10:34:09 EDT 2026


It was fixed in 2014 differently with the addition of check_buffer()

1.56         (christos 05-May-14):      if (pos + len > CDF_SEC_SIZE(h) * sst->sst_len) {

christos

> On Apr 1, 2026, at 11:20 AM, Kerwin <kerwinxia66001 at gmail.com> wrote:
> 
> Hi maintainers,
> 
> I am reporting an out-of-bounds read vulnerability in libmagic (file-5.17) where the minimum `.mgc` file size check in `apprentice_map()` (apprentice.c:2670) only requires 8 bytes, but the code subsequently reads `ptr[2]` and `ptr[3]` at offsets 8-15, causing an OOB read or SIGSEGV with any 8-15 byte `.mgc` file carrying a valid header.
> 
> Please find the detailed vulnerability report and proof-of-concept files attached.
> 
> Best regards
> 
> <POC.tar>
> <sanitizer.log>
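The defect class in the quoted report (a minimum-size check that is smaller than the highest offset the parser then reads), shown beside the kind of check_buffer() range test the reply refers to. This is an added example, not code from file(1) or from either poster; mgc_read_header, MGC_HDR_WORDS and the four-word header layout are assumptions made for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Assumed layout: the loader reads ptr[0]..ptr[3] as 32-bit words, so the
 * minimum image size must be derived from the highest word read (16 bytes),
 * not written down independently (the report's 8-byte check). */
#define MGC_HDR_WORDS 4u
#define MGC_HDR_BYTES (MGC_HDR_WORDS * sizeof(uint32_t))

/* Overflow-safe test that [pos, pos+len) lies inside a buffer of `total`
 * bytes. Written without computing pos + len, which could wrap in size_t
 * and make an out-of-range request look in range. Returns 1 if it fits. */
static int check_buffer(size_t pos, size_t len, size_t total)
{
    return len <= total && pos <= total - len;
}

/* Copy the first MGC_HDR_WORDS 32-bit words of an in-memory image into
 * `words` (host byte order). Returns 0 on success, -1 if the image is too
 * short for the words the caller is about to consume. memcpy avoids an
 * unaligned 32-bit load on strict-alignment targets. */
int mgc_read_header(const unsigned char *img, size_t len, uint32_t words[MGC_HDR_WORDS])
{
    if (img == NULL || !check_buffer(0, MGC_HDR_BYTES, len))
        return -1;
    for (size_t i = 0; i < MGC_HDR_WORDS; i++)
        memcpy(&words[i], img + i * sizeof(uint32_t), sizeof(uint32_t));
    return 0;
}

int main(void)
{
    /* Constructed sample images (not real .mgc bytes): an 8-byte image that
     * an 8-byte minimum would accept, and a 16-byte image with all four words. */
    static const unsigned char eight[8]    = { 1,0,0,0, 2,0,0,0 };
    static const unsigned char sixteen[16] = { 1,0,0,0, 2,0,0,0, 3,0,0,0, 4,0,0,0 };
    uint32_t w[MGC_HDR_WORDS];

    printf("8-byte image:  %s\n", mgc_read_header(eight, sizeof eight, w) ? "rejected" : "accepted");
    if (mgc_read_header(sixteen, sizeof sixteen, w) == 0)
        printf("16-byte image: accepted, ptr[2]=%u ptr[3]=%u\n", w[2], w[3]);
    return 0;
}
```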
