Fix bug #67326 fileinfo: cdf_read_short_sector insufficient boundary check
authorRemi Collet <remi@php.net>
Tue, 3 Jun 2014 09:05:00 +0000 (11:05 +0200)
committerRemi Collet <remi@php.net>
Tue, 3 Jun 2014 09:05:00 +0000 (11:05 +0200)
Upstream fix https://github.com/file/file/commit/6d209c1c489457397a5763bca4b28e43aac90391.patch
Only relevant part applied

ext/fileinfo/libmagic/cdf.c

index 4712e84942eae72ce63a85a5ea5109cfd7ffe386..16649f193fbce5336369f30ce23cad3fd24f87aa 100644 (file)
@@ -365,10 +365,10 @@ cdf_read_short_sector(const cdf_stream_t *sst, void *buf, size_t offs,
        size_t ss = CDF_SHORT_SEC_SIZE(h);
        size_t pos = CDF_SHORT_SEC_POS(h, id);
        assert(ss == len);
-       if (pos > CDF_SEC_SIZE(h) * sst->sst_len) {
+       if (pos + len > CDF_SEC_SIZE(h) * sst->sst_len) {
                DPRINTF(("Out of bounds read %" SIZE_T_FORMAT "u > %"
                    SIZE_T_FORMAT "u\n",
-                   pos, CDF_SEC_SIZE(h) * sst->sst_len));
+                   pos + len, CDF_SEC_SIZE(h) * sst->sst_len));
                return -1;
        }
        (void)memcpy(((char *)buf) + offs,
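Review bot: The new bound `pos + len > CDF_SEC_SIZE(h) * sst->sst_len` is itself an unchecked `size_t` addition, so a large enough `pos` can wrap the sum and still pass the check before the `memcpy`. `CDF_SHORT_SEC_POS` is not visible in this hunk, so it is only inferred that `pos` comes from a sector id read from the file; the wrap would be most plausible where `size_t` is 32 bits. A subtraction form avoids it: `size_t lim = CDF_SEC_SIZE(h) * sst->sst_len;` followed by `if (pos > lim || len > lim - pos) {`, with the `DPRINTF` arguments left as they are. Separately, `assert(ss == len)` is the only thing tying `len` to the short-sector size and it is compiled out under `NDEBUG`, so a comment such as `/* len must equal the short sector size; callers pass ss */` or an explicit runtime check would make that assumption visible. The body of `cdf_read_short_sector` starts and ends outside the hunk, so the destination bound on `buf + offs` cannot be judged from here.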