The bug was found using FUSS, the Fuzzer on a Shoestring. This is a
research project done at the Dependable Systems Lab, EPFL, Switzerland.
#include "file.h"
#ifndef lint
-FILE_RCSID("@(#)$File: softmagic.c,v 1.235 2016/06/14 00:22:36 christos Exp $")
+FILE_RCSID("@(#)$File: softmagic.c,v 1.236 2016/07/20 11:27:08 christos Exp $")
#endif /* lint */
#include "magic.h"
memchr(c, '\r', CAST(size_t, (end - c))))));
lines--, b++) {
last = b;
- if (b[0] == '\r' && b[1] == '\n')
+ if (b < end - 1 && b[0] == '\r' && b[1] == '\n')
b++;
}
if (lines)
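Review bot: The added `b < end - 1` bound on the CRLF test has no comment explaining it, and the reason is not obvious from the line alone: `b` comes from the `memchr` calls in the loop header, which search up to `end`, so it can be the last byte of the searched region and `b[1]` would then be read one byte past `end`. I would add `/* b can be the last byte of the buffer; never read b[1] past end */` above the `if`. Since the description says the bug was found by fuzzing, a regression input whose searched region ends in a bare `'\r'` would help keep the bound from being dropped in a later cleanup. The loop header starts outside this hunk, so the assumption that `end` points one past the last valid byte should be confirmed against the full function.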