View Issue Details

- ID: 0000636
- Project: file
- Category: General
- View Status: public
- Last Update: 2025-03-26 10:48
- Reporter: pvz122
- Assigned To: (none)
- Priority: normal
- Severity: crash
- Reproducibility: always
- Status: new
- Resolution: open
- Platform: Linux
- OS: Ubuntu
- OS Version: 24.04
- Product Version: 5.46

Summary: 0000636: FPE (Floating Point Exception) crash when executing `file` with a custom magicfile
Description

Hi, I encountered an FPE crash in the latest version of the code repository when running `file` with the `-m` option, like:

```bash
file -m poc.input poc.input
```

The command specifies a custom magicfile and takes the same file as its processing input. By enabling the AddressSanitizer, I got the crash report below:

```
AddressSanitizer:DEADLYSIGNAL
=================================================================
==852954==ERROR: AddressSanitizer: FPE on unknown address 0x5a624d1e0508 (pc 0x5a624d1e0508 bp 0x7fff0b219ee0 sp 0x7fff0b219bb0 T0)
    #0 0x5a624d1e0508 in cvt_32 /home/pvz122/proj/llm/abl-afgenllm/database/libmagic/latest/build_asan/src/../../code/src/softmagic.c:1108:2
    #1 0x5a624d1dae79 in mconvert /home/pvz122/proj/llm/abl-afgenllm/database/libmagic/latest/build_asan/src/../../code/src/softmagic.c:1180:7
    #2 0x5a624d1cfac5 in mget /home/pvz122/proj/llm/abl-afgenllm/database/libmagic/latest/build_asan/src/../../code/src/softmagic.c:1990:7
    #3 0x5a624d1c3b25 in match /home/pvz122/proj/llm/abl-afgenllm/database/libmagic/latest/build_asan/src/../../code/src/softmagic.c:258:11
    #4 0x5a624d1c277d in file_softmagic /home/pvz122/proj/llm/abl-afgenllm/database/libmagic/latest/build_asan/src/../../code/src/softmagic.c:136:13
    #5 0x5a624d1b5a7c in file_buffer /home/pvz122/proj/llm/abl-afgenllm/database/libmagic/latest/build_asan/src/../../code/src/funcs.c:460:7
    #6 0x5a624d17b189 in file_or_fd /home/pvz122/proj/llm/abl-afgenllm/database/libmagic/latest/build_asan/src/../../code/src/magic.c:533:6
    #7 0x5a624d17b46a in magic_file /home/pvz122/proj/llm/abl-afgenllm/database/libmagic/latest/build_asan/src/../../code/src/magic.c:417:9
    #8 0x5a624d1785db in process /home/pvz122/proj/llm/abl-afgenllm/database/libmagic/latest/build_asan/src/../../code/src/file.c:649:9
    #9 0x5a624d17653a in main /home/pvz122/proj/llm/abl-afgenllm/database/libmagic/latest/build_asan/src/../../code/src/file.c:441:8
    #10 0x79a16062a1c9 in __libc_start_call_main csu/../sysdeps/nptl/libc_start_call_main.h:58:16
    #11 0x79a16062a28a in __libc_start_main csu/../csu/libc-start.c:360:3
    #12 0x5a624d09b6d4 in _start (/home/pvz122/proj/llm/abl-afgenllm/database/libmagic/latest/bin_asan/bin/file+0x5f6d4) (BuildId: 9d2bed194842bd6929bbc564051f0ceb26123118)

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: FPE /home/pvz122/proj/llm/abl-afgenllm/database/libmagic/latest/build_asan/src/../../code/src/softmagic.c:1108:2 in cvt_32
==852954==ABORTING
```

The crash happens at the `DO_CVT` macro within the `cvt_32` function in `softmagic.c`. The `DO_CVT` macro expands to:

```c
// ...
    case 6:
      if ((uint32_t)(m->_u._mask) == 0)
        return -1;
      p->l /= (uint32_t)(m->_u._mask);
      break;
// ...
```

The `/=` operation is exactly the crash site, where `m->_u._mask` has a value of `0xFFFFFFFFFFFFFFFF`, causing a division error.

This crash appears to be a bug in the `file` tool. I'd appreciate your further investigation and reply.

Steps To Reproduce

After downloading the attached `poc.input` file, run `file` with the command:

```bash
file -m poc.input poc.input
```

The process is immediately killed with:

```
'file' terminated by signal SIGFPE (Floating point exception)
```

This crash can also be triggered by invoking `libmagic` directly. The PoC program is:

```c
#include "magic.h"
#include <stdio.h>

int main(void)
{
    /* Open a libmagic handle with default flags. */
    magic_t magic_cookie = magic_open(MAGIC_NONE);
    if (!magic_cookie) {
        return 1;
    }
    /* Parse the attached poc.input as a magic source file. */
    if (magic_check(magic_cookie, "./poc.input") != 0) {
        return 1;
    }
    /* Then classify the same file with it. */
    printf("%s\n", magic_file(magic_cookie, "./poc.input"));
    magic_close(magic_cookie);
    return 0;
}
```

It can be compiled with the command:

```bash
clang poc.c -o poc -fsanitize=address -g -I path/to/libmagic/header path/to/libmagic.a -llzma -lzstd -lz
```
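As an added illustration (not code from the report or from `file` itself), the following stand-in for the divide case of `DO_CVT` shows the two conditions a guard in front of an integer division has to cover: the 64-bit mask is truncated to the operand width before the division, so the zero test must be made on the truncated value, and for a signed operand `INT32_MIN / -1` also traps on x86. The function and field names are assumptions for the example only.

```c
#include <stdint.h>
#include <limits.h>
#include <stdbool.h>
#include <stdio.h>

/* Hypothetical stand-in for the divide case of DO_CVT: a 64-bit magic
 * mask is truncated to 32 bits, then the operand is divided by it.
 * Unsigned division can only raise SIGFPE on a zero divisor, so the
 * check is on the truncated value. Returns false instead of dividing. */
bool div_mask_u32(uint32_t *val, uint64_t mask)
{
	uint32_t m = (uint32_t)mask;   /* same truncation as the cast in cvt_32 */
	if (m == 0)
		return false;
	*val /= m;
	return true;
}

/* Signed variant: besides a zero divisor, INT32_MIN / -1 overflows and
 * x86 idiv reports that as SIGFPE too, so that pair is rejected as well. */
bool div_mask_s32(int32_t *val, uint64_t mask)
{
	int32_t m = (int32_t)(uint32_t)mask;
	if (m == 0)
		return false;
	if (m == -1 && *val == INT32_MIN)
		return false;
	*val /= m;
	return true;
}

int main(void)
{
	/* Constructed inputs: the all-ones mask from the report, a mask that
	 * is non-zero only in its upper 32 bits, and the signed overflow pair. */
	uint32_t u = 100;
	printf("u32 100 / ~0ULL -> %s %u\n",
	       div_mask_u32(&u, ~0ULL) ? "ok" : "rejected", u);
	uint32_t v = 100;
	printf("u32 100 / 1<<32 -> %s %u\n",
	       div_mask_u32(&v, 1ULL << 32) ? "ok" : "rejected", v);
	int32_t s = INT32_MIN;
	printf("s32 INT32_MIN / ~0ULL -> %s\n",
	       div_mask_s32(&s, ~0ULL) ? "ok" : "rejected");
	return 0;
}
```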
Tags: libmagic

Activities

pvz122 (reporter), 2025-03-26 10:48

Attached file: poc.input (110 bytes)

Issue History

| Date Modified | Username | Field | Change |
|---|---|---|---|
| 2025-03-26 10:48 | pvz122 | New Issue | |
| 2025-03-26 10:48 | pvz122 | Tag Attached: libmagic | |
| 2025-03-26 10:48 | pvz122 | File Added: poc.input | |