Merge branch 'PHP-5.5' into PHP-5.6

* PHP-5.5: NEWS NEWS Fixed Bug #67411 fileinfo: cdf_check_stream_offset insufficient boundary check
author: Remi Collet <remi@php.net> 2014-06-10 14:16:39 +0200
committer: Remi Collet <remi@php.net> 2014-06-10 14:16:39 +0200
commit: 1d6286c049cbe57877f12b17d38d3a55a7f7d36f (patch)
tree: 9b96291412eab86d0d5e1ed7499d390fcfc54f34 /ext/fileinfo
parent: 7f8fa470f175fc46941d980b140f98d880200e4d (diff)
parent: 9d0ca077eea762e9d89523ec33c903525b39e16d (diff)
download: php-git-1d6286c049cbe57877f12b17d38d3a55a7f7d36f.tar.gz
1 files changed, 4 insertions, 2 deletions
diff --git a/ext/fileinfo/libmagic/cdf.c b/ext/fileinfo/libmagic/cdf.c
index cbe3b0cf77..13ed530dcc 100644
--- a/ext/fileinfo/libmagic/cdf.c
+++ b/ext/fileinfo/libmagic/cdf.c
@@ -277,13 +277,15 @@ cdf_check_stream_offset(const cdf_stream_t *sst, const cdf_header_t *h,
 {
 	const char *b = (const char *)sst->sst_tab;
 	const char *e = ((const char *)p) + tail;
+	size_t ss = sst->sst_dirlen < h->h_min_size_standard_stream ?
+	    CDF_SHORT_SEC_SIZE(h) : CDF_SEC_SIZE(h);
 	(void)&line;
-	if (e >= b && (size_t)(e - b) <= CDF_SEC_SIZE(h) * sst->sst_len)
+	if (e >= b && (size_t)(e - b) <= ss * sst->sst_len)
 		return 0;
 	DPRINTF(("%d: offset begin %p < end %p || %" SIZE_T_FORMAT "u"
 	    " > %" SIZE_T_FORMAT "u [%" SIZE_T_FORMAT "u %"
 	    SIZE_T_FORMAT "u]\n", line, b, e, (size_t)(e - b),
-	    CDF_SEC_SIZE(h) * sst->sst_len, CDF_SEC_SIZE(h), sst->sst_len));
+	    ss * sst->sst_len, ss, sst->sst_len));
 	errno = EFTYPE;
 	return -1;
 }
author	Remi Collet <remi@php.net>	2014-06-10 14:16:39 +0200
committer	Remi Collet <remi@php.net>	2014-06-10 14:16:39 +0200
commit	1d6286c049cbe57877f12b17d38d3a55a7f7d36f (patch)
tree	9b96291412eab86d0d5e1ed7499d390fcfc54f34 /ext/fileinfo
parent	7f8fa470f175fc46941d980b140f98d880200e4d (diff)
parent	9d0ca077eea762e9d89523ec33c903525b39e16d (diff)
download	php-git-1d6286c049cbe57877f12b17d38d3a55a7f7d36f.tar.gz