[File] Security improvements
evilrabbit at tutamail.com
Sat May 9 16:23:07 EDT 2026
This patch addresses a few potential issues in file version 5.47.
is_simh.c: simh_parse advanced uc by attacker-controlled nbytes (24-bit)
without checking the buffer had that many bytes left. Subsequent ue - uc
with uc past ue is UB and can leave getlen reading from a wild pointer.
Check before advancing.

readelf.c: donote computed ELF_ALIGN(offset + namesz) and
ELF_ALIGN(doff + descsz) before the > size bounds checks. On 32-bit the
addition wraps and produces a small doff that bypasses validation, leading
to an attacker-controlled OOB read in subsequent
memcpy(desc, &nbuf[doff], descsz). Compare in uint64_t so the wrap can't
hide.

cdf.c: cdf_read's overflow guard relied only on a round-trip cast and
accepted off=-1, len=1 (siz=0) as valid, which would then memcpy from
info->i_buf[-1]. Reject negative off explicitly.

der.c: der_data passed a uint32_t len to "%.*s" precision where the va_arg
type is int; a length above INT_MAX becomes a negative precision and lets
%s read until a NUL. Clamp to INT_MAX.

der.c: getlength's "len = (len << 8) | byte" loop ran for up to 127 byte
digits, undefined behaviour once the shift count reaches the width of
size_t. Reject digits > sizeof(len).

compress.c: uncompresslrzip leaked the caller's output buffer and passed
bytes_max to fmemopen instead of *n.

cdf.c: cdf_unpack_catalog read 2 bytes from the stream without checking
2 bytes were available.

cdf_time.c: cdf_timestamp_to_timespec accepted attacker timestamps that
drove cdf_getdays into a 50000-iteration loop. Reject implausible years.

softmagic.c: OFFSET_OOB cast a signed offset through uint32_t and could
fail open. Replaced with a signed-aware helper. msetoffset's no-fd
OFFNEGATIVE branch lacked the bound check the fd branch already had.

apprentice.c: Magic-source parser accepted unbounded ">" continuations.
Cap at 10000.

file.c: setparam used atoi, accepting "-1" which wraps to SIZE_MAX. Use
strtoll, reject negative/overflow.

magic.c: magic_setparam and magic_getparam dereferenced val without a
NULL check.

print.c: Debug-mode file_showstr could read past value.s for PSTRING
entries with vallen > sizeof(value.s).

file.c: Error messages reached stderr unfiltered. Crafted filenames in
"cannot open" warnings, magic_error() output for parser-level errors
(broken symlink targets, ELF Go BuildIDs, ELF NetBSD notes, CDF Thumbs.db
catalog names that surfaced via error paths) could emit raw escape
sequences to a terminal. New file_safe_fputs() filters magic_error()
output and the formatted text in file_warn/file_err/file_warnx/file_errx
(via shared file_emit_msg). Detection strings were already filtered by
libmagic's file_getbuffer() (and are intentionally raw under -r), so they
are not double-filtered. The filter drops C0 except HT/LF, ESC, DEL, raw
C1 (0x80-0x9F), UTF-8 C1 (0xC2 0x80..0xC2 0x9F), bare CR (only safe in a
CRLF pair), and malformed UTF-8. Validates UTF-8 lead bytes so legitimate
2/3/4-byte sequences (NBSP, accented Latin, Cyrillic, Arabic, CJK, emoji)
pass through unchanged.
-------------- next part --------------
A non-text attachment was scrubbed...
Name: file-5.47-fixes.patch
Type: text/x-patch
Size: 10532 bytes
Desc: not available
URL: <http://mailman.astron.com/pipermail/file/attachments/20260509/6c4c3a26/attachment.bin>
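The output-filter rules listed for file_safe_fputs() above, implemented as an added example that is not the attached patch's code: it writes to a caller-supplied buffer instead of a FILE* so the result can be checked, and the names utf8_seq_len, safe_copy and filters_to are invented for this example. It also rejects overlong encodings and surrogates, which the post's "malformed UTF-8" covers without spelling out.

```c
#include <string.h>
/* Bytes in the valid UTF-8 sequence at s (n available); 0 if malformed. */
static size_t utf8_seq_len(const unsigned char *s, size_t n)
{
    size_t len; unsigned char lo = 0x80, hi = 0xBF;
    if (s[0] >= 0xC2 && s[0] <= 0xDF) len = 2;
    else if (s[0] >= 0xE0 && s[0] <= 0xEF) len = 3;
    else if (s[0] >= 0xF0 && s[0] <= 0xF4) len = 4;
    else return 0;                      /* 0x80..0xC1, 0xF5..0xFF: never a lead */
    /* Narrow the second byte to reject overlongs, surrogates and > U+10FFFF. */
    if (s[0] == 0xE0) lo = 0xA0; else if (s[0] == 0xED) hi = 0x9F;
    else if (s[0] == 0xF0) lo = 0x90; else if (s[0] == 0xF4) hi = 0x8F;
    if (n < len || s[1] < lo || s[1] > hi) return 0;
    for (size_t i = 2; i < len; i++)
        if (s[i] < 0x80 || s[i] > 0xBF) return 0;
    return len;
}

/* Copy src to dst (capacity cap) dropping C0 except HT/LF, ESC, DEL, bare CR,
 * raw C1, UTF-8-encoded C1 (U+0080..U+009F) and malformed UTF-8. Returns bytes written. */
size_t safe_copy(unsigned char *dst, size_t cap, const unsigned char *src, size_t n)
{
    size_t i = 0, o = 0;
    while (i < n) {
        unsigned char c = src[i];
        size_t len = 1, keep = 0;                 /* default: drop one byte */
        if (c == '\t' || c == '\n' || (c >= 0x20 && c < 0x7F)) keep = 1;
        else if (c == '\r') {                      /* CR only inside a CRLF pair */
            if (i + 1 < n && src[i + 1] == '\n') { keep = 1; len = 2; }
        } else if (c >= 0xC2) {                    /* candidate multibyte lead */
            len = utf8_seq_len(src + i, n - i);
            if (len == 0) len = 1;                 /* malformed: drop lead byte only */
            else keep = !(c == 0xC2 && src[i + 1] <= 0x9F); /* UTF-8 C1 control */
        }
        if (keep) {
            if (o + len > cap) break;
            memcpy(dst + o, src + i, len); o += len;
        }
        i += len;
    }
    return o;
}

/* Test helper: 1 if filtering n bytes of src yields exactly the string want. */
int filters_to(const char *src, size_t n, const char *want)
{
    unsigned char out[256];
    size_t o = safe_copy(out, sizeof out, (const unsigned char *)src, n);
    return o == strlen(want) && memcmp(out, want, o) == 0;
}
```

Note that only the ESC byte is removed, as the post describes, so a colour sequence degrades to its harmless printable remainder rather than disappearing.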