|
|
af9dc8 |
From 25b1dc917a53787dbb2532721ca22f3f36eb13c0 Mon Sep 17 00:00:00 2001
|
|
|
af9dc8 |
From: Remi Collet <remi@php.net>
|
|
|
af9dc8 |
Date: Tue, 10 Jun 2014 14:33:37 +0200
|
|
|
af9dc8 |
Subject: [PATCH] Fixed Bug #67413 fileinfo: cdf_read_property_info
|
|
|
af9dc8 |
insufficient boundary chec
|
|
|
af9dc8 |
|
|
|
af9dc8 |
Upstream:
|
|
|
af9dc8 |
https://github.com/file/file/commit/93e063ee374b6a75729df9e7201fb511e47e259d
|
|
|
af9dc8 |
|
|
|
af9dc8 |
Adapted for C standard.
|
|
|
af9dc8 |
---
|
|
|
af9dc8 |
ext/fileinfo/libmagic/cdf.c | 6 +++++-
|
|
|
af9dc8 |
1 file changed, 5 insertions(+), 1 deletion(-)
|
|
|
af9dc8 |
|
|
|
af9dc8 |
diff --git a/ext/fileinfo/libmagic/cdf.c b/ext/fileinfo/libmagic/cdf.c
|
|
|
af9dc8 |
index ee467a6..429f3b9 100644
|
|
|
af9dc8 |
--- a/ext/fileinfo/libmagic/cdf.c
|
|
|
af9dc8 |
+++ b/ext/fileinfo/libmagic/cdf.c
|
|
|
af9dc8 |
@@ -812,7 +812,11 @@ cdf_read_property_info(const cdf_stream_t *sst, const cdf_header_t *h,
|
|
|
af9dc8 |
if (cdf_check_stream_offset(sst, h, e, 0, __LINE__) == -1)
|
|
|
af9dc8 |
goto out;
|
|
|
af9dc8 |
for (i = 0; i < sh.sh_properties; i++) {
|
|
|
af9dc8 |
- size_t ofs = CDF_GETUINT32(p, (i << 1) + 1);
|
|
|
af9dc8 |
+ size_t ofs, tail = (i << 1) + 1;
|
|
|
af9dc8 |
+ if (cdf_check_stream_offset(sst, h, p, tail * sizeof(uint32_t),
|
|
|
af9dc8 |
+ __LINE__) == -1)
|
|
|
af9dc8 |
+ goto out;
|
|
|
af9dc8 |
+ ofs = CDF_GETUINT32(p, tail);
|
|
|
af9dc8 |
q = (const uint8_t *)(const void *)
|
|
|
af9dc8 |
((const char *)(const void *)p + ofs
|
|
|
af9dc8 |
- 2 * sizeof(uint32_t));
|
|
|
af9dc8 |
--
|
|
|
af9dc8 |
1.9.2
|
|
|
af9dc8 |
|