You can not select more than 25 topics
Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
37 lines
1.3 KiB
37 lines
1.3 KiB
From 5c9f96799961818944d43b22c241cc56c215c2e4 Mon Sep 17 00:00:00 2001 |
|
From: Remi Collet <remi@php.net> |
|
Date: Tue, 10 Jun 2014 14:13:14 +0200 |
|
Subject: [PATCH] Fixed Bug #67411 fileinfo: cdf_check_stream_offset |
|
insufficient boundary check |
|
|
|
Upstream: |
|
https://github.com/file/file/commit/36fadd29849b8087af9f4586f89dbf74ea45be67 |
|
--- |
|
ext/fileinfo/libmagic/cdf.c | 6 ++++-- |
|
1 file changed, 4 insertions(+), 2 deletions(-) |
|
|
|
diff --git a/ext/fileinfo/libmagic/cdf.c b/ext/fileinfo/libmagic/cdf.c |
|
index 16649f1..c9a5d50 100644 |
|
--- a/src/cdf.c |
|
+++ b/src/cdf.c |
|
@@ -267,13 +267,15 @@ cdf_check_stream_offset(const cdf_stream_t *sst, const cdf_header_t *h, |
|
{ |
|
const char *b = (const char *)sst->sst_tab; |
|
const char *e = ((const char *)p) + tail; |
|
+ size_t ss = sst->sst_dirlen < h->h_min_size_standard_stream ? |
|
+ CDF_SHORT_SEC_SIZE(h) : CDF_SEC_SIZE(h); |
|
(void)&line; |
|
- if (e >= b && (size_t)(e - b) < CDF_SEC_SIZE(h) * sst->sst_len) |
|
+ if (e >= b && (size_t)(e - b) <= ss * sst->sst_len) |
|
return 0; |
|
DPRINTF(("%d: offset begin %p end %p %" SIZE_T_FORMAT "u" |
|
" >= %" SIZE_T_FORMAT "u [%" SIZE_T_FORMAT "u %" |
|
SIZE_T_FORMAT "u]\n", line, b, e, (size_t)(e - b), |
|
- CDF_SEC_SIZE(h) * sst->sst_len, CDF_SEC_SIZE(h), sst->sst_len)); |
|
+ ss * sst->sst_len, ss, sst->sst_len)); |
|
errno = EFTYPE; |
|
return -1; |
|
} |
|
-- |
|
1.9.2 |
|
|
|
|