Merge branch 'PHP-5.4' into PHP-5.5

* PHP-5.4: NEWS Bug #67412 fileinfo: cdf_count_chain insufficient boundary check
author: Remi Collet <remi@php.net> 2014-06-10 14:23:37 +0200
committer: Remi Collet <remi@php.net> 2014-06-10 14:23:37 +0200
commit: ff66c90af07b24882dd3a5b40b199778faaaaa6c (patch)
tree: 8e4734ffd1e81075e6b8c5991710694552ed130e
parent: 9d0ca077eea762e9d89523ec33c903525b39e16d (diff)
parent: da5d40bae6505364c3604385a2b6ae4e27a4a5d6 (diff)
download: php-git-ff66c90af07b24882dd3a5b40b199778faaaaa6c.tar.gz
1 files changed, 4 insertions, 3 deletions
diff --git a/ext/fileinfo/libmagic/cdf.c b/ext/fileinfo/libmagic/cdf.c
index c9a5d50a35..ee467a6671 100644
--- a/ext/fileinfo/libmagic/cdf.c
+++ b/ext/fileinfo/libmagic/cdf.c
@@ -470,7 +470,8 @@ size_t
 cdf_count_chain(const cdf_sat_t *sat, cdf_secid_t sid, size_t size)
 {
 	size_t i, j;
-	cdf_secid_t maxsector = (cdf_secid_t)(sat->sat_len * size);
+	cdf_secid_t maxsector = (cdf_secid_t)((sat->sat_len * size)
+	    / sizeof(maxsector));
 
 	DPRINTF(("Chain:"));
 	for (j = i = 0; sid >= 0; i++, j++) {
@@ -480,8 +481,8 @@ cdf_count_chain(const cdf_sat_t *sat, cdf_secid_t sid, size_t size)
 			errno = EFTYPE;
 			return (size_t)-1;
 		}
-		if (sid > maxsector) {
-			DPRINTF(("Sector %d > %d\n", sid, maxsector));
+		if (sid >= maxsector) {
+			DPRINTF(("Sector %d >= %d\n", sid, maxsector));
 			errno = EFTYPE;
 			return (size_t)-1;
 		}
author	Remi Collet <remi@php.net>	2014-06-10 14:23:37 +0200
committer	Remi Collet <remi@php.net>	2014-06-10 14:23:37 +0200
commit	ff66c90af07b24882dd3a5b40b199778faaaaa6c (patch)
tree	8e4734ffd1e81075e6b8c5991710694552ed130e
parent	9d0ca077eea762e9d89523ec33c903525b39e16d (diff)
parent	da5d40bae6505364c3604385a2b6ae4e27a4a5d6 (diff)
download	php-git-ff66c90af07b24882dd3a5b40b199778faaaaa6c.tar.gz