Fix bug #67326 fileinfo: cdf_read_short_sector insufficient boundary check
authorRemi Collet <remi@php.net>
Tue, 3 Jun 2014 09:05:00 +0000 (11:05 +0200)
committerStanislav Malyshev <stas@php.net>
Fri, 18 Jul 2014 23:13:07 +0000 (16:13 -0700)
Upstream fix https://github.com/file/file/commit/6d209c1c489457397a5763bca4b28e43aac90391.patch
Only relevant part applied

ext/fileinfo/libmagic/cdf.c

index ea67966c49ba46aacbb0f523363344863ba75d3f..f57753a9565b174cd1079eac8974c2e7dc9ba047 100644 (file)
@@ -365,10 +365,10 @@ cdf_read_short_sector(const cdf_stream_t *sst, void *buf, size_t offs,
        size_t ss = CDF_SHORT_SEC_SIZE(h);
        size_t pos = CDF_SHORT_SEC_POS(h, id);
        assert(ss == len);
-       if (pos > CDF_SEC_SIZE(h) * sst->sst_len) {
+       if (pos + len > CDF_SEC_SIZE(h) * sst->sst_len) {
                DPRINTF(("Out of bounds read %" SIZE_T_FORMAT "u > %"
                    SIZE_T_FORMAT "u\n",
-                   pos, CDF_SEC_SIZE(h) * sst->sst_len));
+                   pos + len, CDF_SEC_SIZE(h) * sst->sst_len));
                return -1;
        }
        (void)memcpy(((char *)buf) + offs,
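Review bot: The new guard `if (pos + len > CDF_SEC_SIZE(h) * sst->sst_len)` adds two `size_t` values with no wrap-around check, so a very large `pos` could make the sum wrap to a small number and let the `memcpy` below proceed. `pos` comes from `CDF_SHORT_SEC_POS(h, id)`, whose definition is outside this hunk; it presumably scales with a sector id taken from the parsed file, which is why the wrap matters on 32-bit builds. A subtraction form closes that gap: `size_t lim = CDF_SEC_SIZE(h) * sst->sst_len;` followed by `if (len > lim || pos > lim - len) {`. Separately, `assert(ss == len)` is compiled out under `NDEBUG`, so it should not be relied on as a runtime bound on `len`. The body of `cdf_read_short_sector` starts before and continues past this hunk, so the `memcpy` arguments could not be checked here.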