From 759ad2f36c91589665b4a67f1d00cfc58e6e5087 Mon Sep 17 00:00:00 2001 From: Panu Matilainen Date: Tue, 19 Jun 2007 14:21:01 +0300 Subject: [PATCH] Fix CVE-2007-2799 integer overflow in internal libmagic. Patch from RHEL4. --- file/src/funcs.c | 21 +++++++++++++++++---- 1 file changed, 17 insertions(+), 4 deletions(-) diff --git a/file/src/funcs.c b/file/src/funcs.c index ebece87..fb20bdc 100644 --- a/file/src/funcs.c +++ b/file/src/funcs.c @@ -26,12 +26,22 @@ */ #include "file.h" #include "magic.h" -#include #include #include #include #include +#if defined(HAVE_LIMITS_H) +#include +#endif +#ifndef SIZE_T_MAX +#ifdef __LP64__ +#define SIZE_T_MAX (size_t)0xfffffffffffffffffU +#else +#define SIZE_T_MAX (size_t)0xffffffffU +#endif +#endif + #ifndef lint FILE_RCSID("@(#)$Id: funcs.c,v 1.14 2005/01/07 19:17:27 christos Exp $") #endif /* lint */ @@ -165,9 +175,12 @@ file_getbuffer(struct magic_set *ms) return ms->o.buf; len = ms->o.size - ms->o.left; - /* * 4 is for octal representation, + 1 is for NUL */ - psize = len * 4 + 1; - assert(psize > len); + /* * 4 is for octal representation, + 1 is for NUL */ + if (len > (SIZE_T_MAX - 1) / 4) { + file_oomem(ms); + return NULL; + } + psize = len * 4 + 1; if (ms->o.psize < psize) { if ((pbuf = realloc(ms->o.pbuf, psize)) == NULL) { file_oomem(ms); -- 2.7.4
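Review bot: The fallback `SIZE_T_MAX` definition derives the width of size_t from `__LP64__`, which misses 64-bit targets that do not define that macro (LLP64 platforms), and the 64-bit literal in this hunk appears to carry more than sixteen hex digits, which a compiler would truncate or reject; `#define SIZE_T_MAX ((size_t)-1)` is exact on every target and needs no `#ifdef` at all. With that form the `HAVE_LIMITS_H` block is only needed if `<limits.h>` is consulted elsewhere in the file. The rendering of this diff has dropped the angle-bracketed header names on the `#include` lines, so which header the removed line drops cannot be confirmed from here; presumably it is the one that provided the `assert` removed in the second hunk, which is safe only if nothing else in funcs.c still uses it.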
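Review bot: The new guard on `len` is the right bound for `len * 4 + 1`, but nothing at the site says what it defends, so a later cleanup could fold it back into an unchecked multiply; add `/* len * 4 + 1 must not wrap size_t (CVE-2007-2799): reject oversized requests before realloc */` above the `if`. Routing the rejection through `file_oomem(ms)` reports an oversized request as an allocation failure, which is acceptable if callers handle the NULL return the same way as the existing realloc failure path just below, but the message is misleading and a dedicated error string would be clearer. The former `assert(psize > len)` offered no protection in builds compiled with NDEBUG, so the explicit check is the correct replacement rather than an addition. file_getbuffer begins before this hunk and continues past it.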