Bug #67412 fileinfo: cdf_count_chain insufficient boundary check

author Remi Collet <remi@php.net>

Tue, 10 Jun 2014 12:22:04 +0000 (14:22 +0200)

committer Stanislav Malyshev <stas@php.net>

Fri, 18 Jul 2014 23:20:19 +0000 (16:20 -0700)
author Remi Collet <remi@php.net>
Tue, 10 Jun 2014 12:22:04 +0000 (14:22 +0200)
committer Stanislav Malyshev <stas@php.net>
Fri, 18 Jul 2014 23:20:19 +0000 (16:20 -0700)
diff --git a/ext/fileinfo/libmagic/cdf.c b/ext/fileinfo/libmagic/cdf.c

index 5dce5ced5801070b2f732ad90d301458905cefda..3b6f4881d971d181b823cdceedc943c3abd41e80 100644 (file)
--- a/ext/fileinfo/libmagic/cdf.c
+++ b/ext/fileinfo/libmagic/cdf.c
@@ -470,7 +470,8 @@ size_t
  cdf_count_chain(const cdf_sat_t *sat, cdf_secid_t sid, size_t size)
  {
         size_t i, j;
-       cdf_secid_t maxsector = (cdf_secid_t)(sat->sat_len * size);
+       cdf_secid_t maxsector = (cdf_secid_t)((sat->sat_len * size)
+           / sizeof(maxsector));
  
         DPRINTF(("Chain:"));
         for (j = i = 0; sid >= 0; i++, j++) {
@@ -480,8 +481,8 @@ cdf_count_chain(const cdf_sat_t *sat, cdf_secid_t sid, size_t size)
                         errno = EFTYPE;
                         return (size_t)-1;
                 }
-               if (sid > maxsector) {
-                       DPRINTF(("Sector %d > %d\n", sid, maxsector));
+               if (sid >= maxsector) {
+                       DPRINTF(("Sector %d >= %d\n", sid, maxsector));
                         errno = EFTYPE;
                         return (size_t)-1;
                 }
author	Remi Collet <remi@php.net>
	Tue, 10 Jun 2014 12:22:04 +0000 (14:22 +0200)
committer	Stanislav Malyshev <stas@php.net>
	Fri, 18 Jul 2014 23:20:19 +0000 (16:20 -0700)