Fixed Bug #67411 fileinfo: cdf_check_stream_offset insufficient boundary check

author Remi Collet <remi@php.net>

Tue, 10 Jun 2014 12:13:14 +0000 (14:13 +0200)

committer Stanislav Malyshev <stas@php.net>

Fri, 18 Jul 2014 23:19:30 +0000 (16:19 -0700)
author Remi Collet <remi@php.net>
Tue, 10 Jun 2014 12:13:14 +0000 (14:13 +0200)
committer Stanislav Malyshev <stas@php.net>
Fri, 18 Jul 2014 23:19:30 +0000 (16:19 -0700)
diff --git a/ext/fileinfo/libmagic/cdf.c b/ext/fileinfo/libmagic/cdf.c

index f57753a9565b174cd1079eac8974c2e7dc9ba047..5dce5ced5801070b2f732ad90d301458905cefda 100644 (file)
--- a/ext/fileinfo/libmagic/cdf.c
+++ b/ext/fileinfo/libmagic/cdf.c
@@ -277,13 +277,15 @@ cdf_check_stream_offset(const cdf_stream_t *sst, const cdf_header_t *h,
  {
         const char *b = (const char *)sst->sst_tab;
         const char *e = ((const char *)p) + tail;
+       size_t ss = sst->sst_dirlen < h->h_min_size_standard_stream ?
+           CDF_SHORT_SEC_SIZE(h) : CDF_SEC_SIZE(h);
         (void)&line;
-       if (e >= b && (size_t)(e - b) < CDF_SEC_SIZE(h) * sst->sst_len)
+       if (e >= b && (size_t)(e - b) <= ss * sst->sst_len)
                 return 0;
         DPRINTF(("%d: offset begin %p end %p %" SIZE_T_FORMAT "u"
             " >= %" SIZE_T_FORMAT "u [%" SIZE_T_FORMAT "u %"
             SIZE_T_FORMAT "u]\n", line, b, e, (size_t)(e - b),
-           CDF_SEC_SIZE(h) * sst->sst_len, CDF_SEC_SIZE(h), sst->sst_len));
+           ss * sst->sst_len, ss, sst->sst_len));
         errno = EFTYPE;
         return -1;
  }
author	Remi Collet <remi@php.net>
	Tue, 10 Jun 2014 12:13:14 +0000 (14:13 +0200)
committer	Stanislav Malyshev <stas@php.net>
	Fri, 18 Jul 2014 23:19:30 +0000 (16:19 -0700)