|
 |
89be67 |
From 5c9f96799961818944d43b22c241cc56c215c2e4 Mon Sep 17 00:00:00 2001
|
|
|
89be67 |
From: Remi Collet <remi@php.net>
|
|
|
89be67 |
Date: Tue, 10 Jun 2014 14:13:14 +0200
|
|
|
89be67 |
Subject: [PATCH] Fixed Bug #67411 fileinfo: cdf_check_stream_offset
|
|
|
89be67 |
insufficient boundary check
|
|
|
89be67 |
|
|
|
89be67 |
Upstream:
|
|
|
89be67 |
https://github.com/file/file/commit/36fadd29849b8087af9f4586f89dbf74ea45be67
|
|
|
89be67 |
---
|
|
|
89be67 |
ext/fileinfo/libmagic/cdf.c | 6 ++++--
|
|
|
89be67 |
1 file changed, 4 insertions(+), 2 deletions(-)
|
|
|
89be67 |
|
|
|
89be67 |
diff --git a/ext/fileinfo/libmagic/cdf.c b/ext/fileinfo/libmagic/cdf.c
|
|
|
89be67 |
index 16649f1..c9a5d50 100644
|
|
|
89be67 |
--- a/src/cdf.c
|
|
|
89be67 |
+++ b/src/cdf.c
|
|
|
89be67 |
@@ -267,13 +267,15 @@ cdf_check_stream_offset(const cdf_stream_t *sst, const cdf_header_t *h,
|
|
|
89be67 |
{
|
|
|
89be67 |
const char *b = (const char *)sst->sst_tab;
|
|
|
89be67 |
const char *e = ((const char *)p) + tail;
|
|
|
89be67 |
+ size_t ss = sst->sst_dirlen < h->h_min_size_standard_stream ?
|
|
|
89be67 |
+ CDF_SHORT_SEC_SIZE(h) : CDF_SEC_SIZE(h);
|
|
|
89be67 |
(void)&line;
|
|
|
89be67 |
- if (e >= b && (size_t)(e - b) < CDF_SEC_SIZE(h) * sst->sst_len)
|
|
|
89be67 |
+ if (e >= b && (size_t)(e - b) <= ss * sst->sst_len)
|
|
|
89be67 |
return 0;
|
|
|
89be67 |
DPRINTF(("%d: offset begin %p end %p %" SIZE_T_FORMAT "u"
|
|
|
89be67 |
" >= %" SIZE_T_FORMAT "u [%" SIZE_T_FORMAT "u %"
|
|
|
89be67 |
SIZE_T_FORMAT "u]\n", line, b, e, (size_t)(e - b),
|
|
|
89be67 |
- CDF_SEC_SIZE(h) * sst->sst_len, CDF_SEC_SIZE(h), sst->sst_len));
|
|
|
89be67 |
+ ss * sst->sst_len, ss, sst->sst_len));
|
|
|
89be67 |
errno = EFTYPE;
|
|
|
89be67 |
return -1;
|
|
|
89be67 |
}
|
|
|
89be67 |
--
|
|
|
89be67 |
1.9.2
|
|
|
89be67 |
|