Fixed Bug #67413 fileinfo: cdf_read_property_info insufficient boundary chec

author Remi Collet <remi@php.net>

Tue, 10 Jun 2014 12:33:37 +0000 (14:33 +0200)

committer Stanislav Malyshev <stas@php.net>

Fri, 18 Jul 2014 23:21:01 +0000 (16:21 -0700)
author Remi Collet <remi@php.net>
Tue, 10 Jun 2014 12:33:37 +0000 (14:33 +0200)
committer Stanislav Malyshev <stas@php.net>
Fri, 18 Jul 2014 23:21:01 +0000 (16:21 -0700)
diff --git a/ext/fileinfo/libmagic/cdf.c b/ext/fileinfo/libmagic/cdf.c

index 3b6f4881d971d181b823cdceedc943c3abd41e80..958cf8276c976b9bebd4e233e2d039b49bf01b8d 100644 (file)
--- a/ext/fileinfo/libmagic/cdf.c
+++ b/ext/fileinfo/libmagic/cdf.c
@@ -812,7 +812,11 @@ cdf_read_property_info(const cdf_stream_t *sst, const cdf_header_t *h,
         if (cdf_check_stream_offset(sst, h, e, 0, __LINE__) == -1)
                 goto out;
         for (i = 0; i < sh.sh_properties; i++) {
-               size_t ofs = CDF_GETUINT32(p, (i << 1) + 1);
+               size_t ofs, tail = (i << 1) + 1;
+               if (cdf_check_stream_offset(sst, h, p, tail * sizeof(uint32_t),
+                   __LINE__) == -1)
+                       goto out;
+               ofs = CDF_GETUINT32(p, tail);
                 q = (const uint8_t *)(const void *)
                     ((const char *)(const void *)p + ofs
                     - 2 * sizeof(uint32_t));
author	Remi Collet <remi@php.net>
	Tue, 10 Jun 2014 12:33:37 +0000 (14:33 +0200)
committer	Stanislav Malyshev <stas@php.net>
	Fri, 18 Jul 2014 23:21:01 +0000 (16:21 -0700)