|
 |
b6cbd1 |
From 4fcb9a9d1b1063a65fbeb27395de4979c75bd962 Mon Sep 17 00:00:00 2001
|
|
|
b6cbd1 |
From: Remi Collet <remi@php.net>
|
|
|
b6cbd1 |
Date: Tue, 3 Jun 2014 11:05:00 +0200
|
|
|
b6cbd1 |
Subject: [PATCH] Fix bug #67326 fileinfo: cdf_read_short_sector insufficient
|
|
|
b6cbd1 |
boundary check
|
|
|
b6cbd1 |
|
|
|
b6cbd1 |
Upstream fix https://github.com/file/file/commit/6d209c1c489457397a5763bca4b28e43aac90391.patch
|
|
|
b6cbd1 |
Only revelant part applied
|
|
|
b6cbd1 |
---
|
|
|
b6cbd1 |
ext/fileinfo/libmagic/cdf.c | 4 ++--
|
|
|
b6cbd1 |
1 file changed, 2 insertions(+), 2 deletions(-)
|
|
|
b6cbd1 |
|
|
|
b6cbd1 |
diff --git a/ext/fileinfo/libmagic/cdf.c b/ext/fileinfo/libmagic/cdf.c
|
|
|
b6cbd1 |
index 4712e84..16649f1 100644
|
|
|
b6cbd1 |
--- a/ext/fileinfo/libmagic/cdf.c
|
|
|
b6cbd1 |
+++ b/ext/fileinfo/libmagic/cdf.c
|
|
|
b6cbd1 |
@@ -367,10 +367,10 @@ cdf_read_short_sector(const cdf_stream_t *sst, void *buf, size_t offs,
|
|
|
b6cbd1 |
size_t ss = CDF_SHORT_SEC_SIZE(h);
|
|
|
b6cbd1 |
size_t pos = CDF_SHORT_SEC_POS(h, id);
|
|
|
b6cbd1 |
assert(ss == len);
|
|
|
b6cbd1 |
- if (pos > CDF_SEC_SIZE(h) * sst->sst_len) {
|
|
|
b6cbd1 |
+ if (pos + len > CDF_SEC_SIZE(h) * sst->sst_len) {
|
|
|
b6cbd1 |
DPRINTF(("Out of bounds read %" SIZE_T_FORMAT "u > %"
|
|
|
b6cbd1 |
SIZE_T_FORMAT "u\n",
|
|
|
b6cbd1 |
- pos, CDF_SEC_SIZE(h) * sst->sst_len));
|
|
|
b6cbd1 |
+ pos + len, CDF_SEC_SIZE(h) * sst->sst_len));
|
|
|
b6cbd1 |
return -1;
|
|
|
b6cbd1 |
}
|
|
|
b6cbd1 |
(void)memcpy(((char *)buf) + offs,
|
|
|
b6cbd1 |
--
|
|
|
b6cbd1 |
1.9.2
|
|
|
b6cbd1 |
|