You can not select more than 25 topics
Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
32 lines
1.1 KiB
32 lines
1.1 KiB
From 4fcb9a9d1b1063a65fbeb27395de4979c75bd962 Mon Sep 17 00:00:00 2001 |
|
From: Remi Collet <remi@php.net> |
|
Date: Tue, 3 Jun 2014 11:05:00 +0200 |
|
Subject: [PATCH] Fix bug #67326 fileinfo: cdf_read_short_sector insufficient |
|
boundary check |
|
|
|
Upstream fix https://github.com/file/file/commit/6d209c1c489457397a5763bca4b28e43aac90391.patch |
|
Only revelant part applied |
|
--- |
|
ext/fileinfo/libmagic/cdf.c | 4 ++-- |
|
1 file changed, 2 insertions(+), 2 deletions(-) |
|
|
|
diff --git a/ext/fileinfo/libmagic/cdf.c b/ext/fileinfo/libmagic/cdf.c |
|
index 4712e84..16649f1 100644 |
|
--- a/src/cdf.c |
|
+++ b/src/cdf.c |
|
@@ -352,10 +352,10 @@ cdf_read_short_sector(const cdf_stream_t *sst, void *buf, size_t offs, |
|
size_t ss = CDF_SHORT_SEC_SIZE(h); |
|
size_t pos = CDF_SHORT_SEC_POS(h, id); |
|
assert(ss == len); |
|
- if (pos > CDF_SEC_SIZE(h) * sst->sst_len) { |
|
+ if (pos + len > CDF_SEC_SIZE(h) * sst->sst_len) { |
|
DPRINTF(("Out of bounds read %" SIZE_T_FORMAT "u > %" |
|
SIZE_T_FORMAT "u\n", |
|
- pos, CDF_SEC_SIZE(h) * sst->sst_len)); |
|
+ pos + len, CDF_SEC_SIZE(h) * sst->sst_len)); |
|
return -1; |
|
} |
|
(void)memcpy(((char *)buf) + offs, |
|
-- |
|
1.9.2 |
|
|
|
|