diff options
author | Remi Collet <remi@php.net> | 2014-06-03 11:05:00 +0200 |
---|---|---|
committer | Stanislav Malyshev <stas@php.net> | 2014-07-18 16:13:07 -0700 |
commit | 52de149ebccfea4b63da2e5bacf6f60a1bfc7ffb (patch) | |
tree | d53034a1d9ef0148b11a6078953bad0f7dcdd155 | |
parent | 2326401fc197cb88141561d3d51eccd7ac59fede (diff) | |
download | php-git-52de149ebccfea4b63da2e5bacf6f60a1bfc7ffb.tar.gz |
Fix bug #67326 fileinfo: cdf_read_short_sector insufficient boundary check
Upstream fix https://github.com/file/file/commit/6d209c1c489457397a5763bca4b28e43aac90391.patch
Only revelant part applied
-rw-r--r-- | ext/fileinfo/libmagic/cdf.c | 4 |
1 files changed, 2 insertions, 2 deletions
diff --git a/ext/fileinfo/libmagic/cdf.c b/ext/fileinfo/libmagic/cdf.c index ea67966c49..f57753a956 100644 --- a/ext/fileinfo/libmagic/cdf.c +++ b/ext/fileinfo/libmagic/cdf.c @@ -365,10 +365,10 @@ cdf_read_short_sector(const cdf_stream_t *sst, void *buf, size_t offs, size_t ss = CDF_SHORT_SEC_SIZE(h); size_t pos = CDF_SHORT_SEC_POS(h, id); assert(ss == len); - if (pos > CDF_SEC_SIZE(h) * sst->sst_len) { + if (pos + len > CDF_SEC_SIZE(h) * sst->sst_len) { DPRINTF(("Out of bounds read %" SIZE_T_FORMAT "u > %" SIZE_T_FORMAT "u\n", - pos, CDF_SEC_SIZE(h) * sst->sst_len)); + pos + len, CDF_SEC_SIZE(h) * sst->sst_len)); return -1; } (void)memcpy(((char *)buf) + offs, |