Blame SOURCES/file-5.11-CVE-2014-3487.patch

89be67
From 25b1dc917a53787dbb2532721ca22f3f36eb13c0 Mon Sep 17 00:00:00 2001
89be67
From: Remi Collet <remi@php.net>
89be67
Date: Tue, 10 Jun 2014 14:33:37 +0200
89be67
Subject: [PATCH] Fixed Bug #67413 	fileinfo: cdf_read_property_info
89be67
 insufficient boundary chec
89be67
89be67
Upstream:
89be67
https://github.com/file/file/commit/93e063ee374b6a75729df9e7201fb511e47e259d
89be67
89be67
Adapted for C standard.
89be67
---
89be67
 ext/fileinfo/libmagic/cdf.c | 6 +++++-
89be67
 1 file changed, 5 insertions(+), 1 deletion(-)
89be67
89be67
diff --git a/ext/fileinfo/libmagic/cdf.c b/ext/fileinfo/libmagic/cdf.c
89be67
index ee467a6..429f3b9 100644
89be67
--- a/src/cdf.c
89be67
+++ b/src/cdf.c
89be67
@@ -799,7 +799,11 @@ cdf_read_property_info(const cdf_stream_t *sst, const cdf_header_t *h,
89be67
 	if (cdf_check_stream_offset(sst, h, e, 0, __LINE__) == -1)
89be67
 		goto out;
89be67
 	for (i = 0; i < sh.sh_properties; i++) {
89be67
-		size_t ofs = CDF_GETUINT32(p, (i << 1) + 1);
89be67
+		size_t ofs, tail = (i << 1) + 1;
89be67
+		if (cdf_check_stream_offset(sst, h, p, tail * sizeof(uint32_t),
89be67
+		    __LINE__) == -1)
89be67
+			goto out;
89be67
+		ofs = CDF_GETUINT32(p, tail);
89be67
 		q = (const uint8_t *)(const void *)
89be67
 		    ((const char *)(const void *)p + ofs
89be67
 		    - 2 * sizeof(uint32_t));
89be67
-- 
89be67
1.9.2
89be67