Fix off-by-one detecting \r\n (Jonas Wagner)

The bug was found using FUSS, the Fuzzer on a Shoestring. This is a
research project done at the Dependable Systems Lab, EPFL, Switzerland.

1 files changed, 2 insertions, 2 deletions

diff --git a/src/softmagic.c b/src/softmagic.c
index 80b02461..8f5314c7 100644
--- a/src/softmagic.c
+++ b/src/softmagic.c
@@ -32,7 +32,7 @@
 #include "file.h"
 
 #ifndef	lint
-FILE_RCSID("@(#)$File: softmagic.c,v 1.236 2016/07/20 11:27:08 christos Exp $")
+FILE_RCSID("@(#)$File: softmagic.c,v 1.237 2016/10/10 20:44:15 christos Exp $")
 #endif	/* lint */
 
 #include "magic.h"
@@ -1227,7 +1227,7 @@ mcopy(struct magic_set *ms, union VALUETYPE *p, int type, int indir,
 				 memchr(c, '\r', CAST(size_t, (end - c))))));
 			     lines--, b++) {
 				last = b;
-				if (b[0] == '\r' && b[1] == '\n')
+				if (b < end - 1 && b[0] == '\r' && b[1] == '\n')
 					b++;
 			}
 			if (lines)