diff options
author | Remi Collet <remi@php.net> | 2014-06-10 14:23:37 +0200 |
---|---|---|
committer | Remi Collet <remi@php.net> | 2014-06-10 14:23:37 +0200 |
commit | ff66c90af07b24882dd3a5b40b199778faaaaa6c (patch) | |
tree | 8e4734ffd1e81075e6b8c5991710694552ed130e | |
parent | 9d0ca077eea762e9d89523ec33c903525b39e16d (diff) | |
parent | da5d40bae6505364c3604385a2b6ae4e27a4a5d6 (diff) | |
download | php-git-ff66c90af07b24882dd3a5b40b199778faaaaa6c.tar.gz |
Merge branch 'PHP-5.4' into PHP-5.5
* PHP-5.4:
NEWS
Bug #67412 fileinfo: cdf_count_chain insufficient boundary check
-rw-r--r-- | ext/fileinfo/libmagic/cdf.c | 7 |
1 files changed, 4 insertions, 3 deletions
diff --git a/ext/fileinfo/libmagic/cdf.c b/ext/fileinfo/libmagic/cdf.c index c9a5d50a35..ee467a6671 100644 --- a/ext/fileinfo/libmagic/cdf.c +++ b/ext/fileinfo/libmagic/cdf.c @@ -470,7 +470,8 @@ size_t cdf_count_chain(const cdf_sat_t *sat, cdf_secid_t sid, size_t size) { size_t i, j; - cdf_secid_t maxsector = (cdf_secid_t)(sat->sat_len * size); + cdf_secid_t maxsector = (cdf_secid_t)((sat->sat_len * size) + / sizeof(maxsector)); DPRINTF(("Chain:")); for (j = i = 0; sid >= 0; i++, j++) { @@ -480,8 +481,8 @@ cdf_count_chain(const cdf_sat_t *sat, cdf_secid_t sid, size_t size) errno = EFTYPE; return (size_t)-1; } - if (sid > maxsector) { - DPRINTF(("Sector %d > %d\n", sid, maxsector)); + if (sid >= maxsector) { + DPRINTF(("Sector %d >= %d\n", sid, maxsector)); errno = EFTYPE; return (size_t)-1; } |