diff options
| author | Remi Collet <remi@php.net> | 2014-06-03 11:09:04 +0200 |
|---|---|---|
| committer | Remi Collet <remi@php.net> | 2014-06-03 11:09:04 +0200 |
| commit | 2d59b87527f1df6101f56e99c20a687afb19b281 (patch) | |
| tree | a70891fdf7a258a97ae4a0c8b2409fb7ed42d30a | |
| parent | 0218e4eb19c080d131c2b4d75ef9543e0e12c146 (diff) | |
| parent | 21986f98dbdc4e4dc556bb5f006d8fc8bbaebbe2 (diff) | |
| download | php-git-2d59b87527f1df6101f56e99c20a687afb19b281.tar.gz | |
Merge branch 'PHP-5.4' into PHP-5.5
* PHP-5.4:
NEWS
Fix bug #67326 fileinfo: cdf_read_short_sector insufficient boundary check
| -rw-r--r-- | ext/fileinfo/libmagic/cdf.c | 4 |
1 files changed, 2 insertions, 2 deletions
diff --git a/ext/fileinfo/libmagic/cdf.c b/ext/fileinfo/libmagic/cdf.c index 4712e84942..16649f193f 100644 --- a/ext/fileinfo/libmagic/cdf.c +++ b/ext/fileinfo/libmagic/cdf.c @@ -365,10 +365,10 @@ cdf_read_short_sector(const cdf_stream_t *sst, void *buf, size_t offs, size_t ss = CDF_SHORT_SEC_SIZE(h); size_t pos = CDF_SHORT_SEC_POS(h, id); assert(ss == len); - if (pos > CDF_SEC_SIZE(h) * sst->sst_len) { + if (pos + len > CDF_SEC_SIZE(h) * sst->sst_len) { DPRINTF(("Out of bounds read %" SIZE_T_FORMAT "u > %" SIZE_T_FORMAT "u\n", - pos, CDF_SEC_SIZE(h) * sst->sst_len)); + pos + len, CDF_SEC_SIZE(h) * sst->sst_len)); return -1; } (void)memcpy(((char *)buf) + offs, |