diff options
author | Remi Collet <remi@php.net> | 2014-06-10 14:13:14 +0200 |
---|---|---|
committer | Stanislav Malyshev <stas@php.net> | 2014-07-18 16:19:30 -0700 |
commit | 8d1d03850955855b86f949b43e532ef8c22c1cc3 (patch) | |
tree | 513906c3e4e35dc99ffc725b1cb6b9d756d4b450 | |
parent | 6bd5a06894fa2f8c1b53bf92fb809d911b740e84 (diff) | |
download | php-git-8d1d03850955855b86f949b43e532ef8c22c1cc3.tar.gz |
Fixed Bug #67411 fileinfo: cdf_check_stream_offset insufficient boundary check
Upstream:
https://github.com/file/file/commit/36fadd29849b8087af9f4586f89dbf74ea45be67
Conflicts:
ext/fileinfo/libmagic/cdf.c
-rw-r--r-- | ext/fileinfo/libmagic/cdf.c | 6 |
1 files changed, 4 insertions, 2 deletions
diff --git a/ext/fileinfo/libmagic/cdf.c b/ext/fileinfo/libmagic/cdf.c index f57753a956..5dce5ced58 100644 --- a/ext/fileinfo/libmagic/cdf.c +++ b/ext/fileinfo/libmagic/cdf.c @@ -277,13 +277,15 @@ cdf_check_stream_offset(const cdf_stream_t *sst, const cdf_header_t *h, { const char *b = (const char *)sst->sst_tab; const char *e = ((const char *)p) + tail; + size_t ss = sst->sst_dirlen < h->h_min_size_standard_stream ? + CDF_SHORT_SEC_SIZE(h) : CDF_SEC_SIZE(h); (void)&line; - if (e >= b && (size_t)(e - b) < CDF_SEC_SIZE(h) * sst->sst_len) + if (e >= b && (size_t)(e - b) <= ss * sst->sst_len) return 0; DPRINTF(("%d: offset begin %p end %p %" SIZE_T_FORMAT "u" " >= %" SIZE_T_FORMAT "u [%" SIZE_T_FORMAT "u %" SIZE_T_FORMAT "u]\n", line, b, e, (size_t)(e - b), - CDF_SEC_SIZE(h) * sst->sst_len, CDF_SEC_SIZE(h), sst->sst_len)); + ss * sst->sst_len, ss, sst->sst_len)); errno = EFTYPE; return -1; } |