Blame SOURCES/file-5.11-CVE-2014-3480.patch

0233e9
From 40ef6e07e0b2cdced57c506e08cf18f47122292d Mon Sep 17 00:00:00 2001
0233e9
From: Remi Collet <remi@php.net>
0233e9
Date: Tue, 10 Jun 2014 14:22:04 +0200
0233e9
Subject: [PATCH] Bug #67412 	fileinfo: cdf_count_chain insufficient
0233e9
 boundary check
0233e9
0233e9
Upstream:
0233e9
https://github.com/file/file/commit/40bade80cbe2af1d0b2cd0420cebd5d5905a2382
0233e9
---
0233e9
 ext/fileinfo/libmagic/cdf.c | 7 ++++---
0233e9
 1 file changed, 4 insertions(+), 3 deletions(-)
0233e9
0233e9
diff --git a/ext/fileinfo/libmagic/cdf.c b/ext/fileinfo/libmagic/cdf.c
0233e9
index c9a5d50..ee467a6 100644
0233e9
--- a/src/cdf.c
0233e9
+++ b/src/cdf.c
83d9a8
@@ -457,7 +457,8 @@ size_t
0233e9
 cdf_count_chain(const cdf_sat_t *sat, cdf_secid_t sid, size_t size)
0233e9
 {
0233e9
 	size_t i, j;
0233e9
-	cdf_secid_t maxsector = (cdf_secid_t)(sat->sat_len * size);
0233e9
+	cdf_secid_t maxsector = (cdf_secid_t)((sat->sat_len * size)
0233e9
+	    / sizeof(maxsector));
0233e9
 
0233e9
 	DPRINTF(("Chain:"));
0233e9
 	for (j = i = 0; sid >= 0; i++, j++) {
83d9a8
@@ -467,8 +468,8 @@ cdf_count_chain(const cdf_sat_t *sat, cdf_secid_t sid, size_t size)
0233e9
 			errno = EFTYPE;
0233e9
 			return (size_t)-1;
0233e9
 		}
0233e9
-		if (sid > maxsector) {
0233e9
-			DPRINTF(("Sector %d > %d\n", sid, maxsector));
0233e9
+		if (sid >= maxsector) {
0233e9
+			DPRINTF(("Sector %d >= %d\n", sid, maxsector));
0233e9
 			errno = EFTYPE;
0233e9
 			return (size_t)-1;
0233e9
 		}
0233e9
-- 
0233e9
1.9.2
0233e9