Fix off-by-one detecting \r\n (Jonas Wagner)

The bug was found using FUSS, the Fuzzer on a Shoestring. This is a
research project done at the Dependable Systems Lab, EPFL, Switzerland.

diff --git a/src/softmagic.c b/src/softmagic.c
index 80b02461490c2318a6095bee0b67a18135490d9c..8f5314c76c341b58ba91840729938fdd7f344cc8 100644 (file)
--- a/src/softmagic.c
+++ b/src/softmagic.c
@@ -32,7 +32,7 @@
 #include "file.h"
 
 #ifndef        lint
-FILE_RCSID("@(#)$File: softmagic.c,v 1.236 2016/07/20 11:27:08 christos Exp $")
+FILE_RCSID("@(#)$File: softmagic.c,v 1.237 2016/10/10 20:44:15 christos Exp $")
 #endif /* lint */
 
 #include "magic.h"
@@ -1227,7 +1227,7 @@ mcopy(struct magic_set *ms, union VALUETYPE *p, int type, int indir,
                                 memchr(c, '\r', CAST(size_t, (end - c))))));
                             lines--, b++) {
                                last = b;
-                               if (b[0] == '\r' && b[1] == '\n')
+                               if (b < end - 1 && b[0] == '\r' && b[1] == '\n')
                                        b++;
                        }
                        if (lines)