[File] [SECURITY] Integer Overflow in coalesce_entries() Leading to Heap Overflow (file-5.17)

Christos Zoulas christos at zoulas.com
Fri Apr 17 10:59:26 EDT 2026


Added, but limited the size even more.

Thanks,
christos

> On Apr 1, 2026, at 11:14 AM, Kerwin <kerwinxia66001 at gmail.com> wrote:
> 
> Hi maintainers,
> 
> I am reporting an integer overflow vulnerability in libmagic (file-5.17) where `coalesce_entries()` in apprentice.c accumulates continuation counts into a `uint32_t` without overflow checking, allowing a crafted magic database to wrap the counter and trigger an undersized `malloc()` followed by a heap buffer overflow in the `memcpy` loop.
> 
> Please find the detailed vulnerability report and proof-of-concept files attached.
> 
> Best regards
> <POC.tar>
> -- 
> File mailing list
> File at astron.com
> https://mailman.astron.com/mailman/listinfo/file
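
The pattern described in the report above, shown as an added example that is not part of the original thread and is not libmagic's code: a `uint32_t` running total that wraps, next to a checked version that refuses the input before allocating or copying. `struct rec`, `struct entry`, `MAX_TOTAL_RECS` and the function names are hypothetical, and the cap value is an assumption, not the limit chosen in the fix.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical stand-ins, not libmagic's real structures. */
struct rec { unsigned char body[200]; };
struct entry { struct rec *recs; uint32_t count; };

#define MAX_TOTAL_RECS (1u << 20)  /* assumed cap, not the project's value */

/* Unchecked pattern from the report: the uint32_t sum wraps modulo 2^32,
 * so a later allocation sized from it is smaller than the data copied. */
uint32_t sum_unchecked(const struct entry *e, uint32_t n)
{
    uint32_t total = 0;
    for (uint32_t i = 0; i < n; i++)
        total += e[i].count;
    return total;
}

/* Checked sum: 0 on success, -1 if the total would exceed the cap.
 * Comparing against (cap - total) keeps the test itself from wrapping. */
int sum_checked(const struct entry *e, uint32_t n, uint32_t *out)
{
    uint32_t total = 0;
    for (uint32_t i = 0; i < n; i++) {
        if (e[i].count > MAX_TOTAL_RECS - total)
            return -1;
        total += e[i].count;
    }
    *out = total;
    return 0;
}

/* Coalesce all records into one buffer; NULL on refused input or OOM. */
struct rec *coalesce(const struct entry *e, uint32_t n, uint32_t *nout)
{
    uint32_t total, off = 0;
    if (sum_checked(e, n, &total) != 0)
        return NULL;                 /* reject before malloc and memcpy */
    struct rec *dst = calloc(total ? total : 1, sizeof(*dst));
    if (dst == NULL)
        return NULL;
    for (uint32_t i = 0; i < n; i++) {
        memcpy(dst + off, e[i].recs, (size_t)e[i].count * sizeof(*dst));
        off += e[i].count;
    }
    *nout = total;
    return dst;
}
```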
