diff options
author | Remi Collet <remi@php.net> | 2014-06-10 14:33:37 +0200 |
---|---|---|
committer | Stanislav Malyshev <stas@php.net> | 2014-07-18 16:21:01 -0700 |
commit | 2fe5bcbeb58bb1088f9fcdb9f02599880454b602 (patch) | |
tree | a0ba90c7fa9d7819876bb49622cec35fa2f82634 | |
parent | 892def5f12716c9f926588bd2190acd6ea99a3a0 (diff) | |
download | php-git-2fe5bcbeb58bb1088f9fcdb9f02599880454b602.tar.gz |
Fixed Bug #67413 fileinfo: cdf_read_property_info insufficient boundary chec
Upstream:
https://github.com/file/file/commit/93e063ee374b6a75729df9e7201fb511e47e259d
Adapted for C standard.
-rw-r--r-- | ext/fileinfo/libmagic/cdf.c | 6 |
1 files changed, 5 insertions, 1 deletions
diff --git a/ext/fileinfo/libmagic/cdf.c b/ext/fileinfo/libmagic/cdf.c index 3b6f4881d9..958cf8276c 100644 --- a/ext/fileinfo/libmagic/cdf.c +++ b/ext/fileinfo/libmagic/cdf.c @@ -812,7 +812,11 @@ cdf_read_property_info(const cdf_stream_t *sst, const cdf_header_t *h, if (cdf_check_stream_offset(sst, h, e, 0, __LINE__) == -1) goto out; for (i = 0; i < sh.sh_properties; i++) { - size_t ofs = CDF_GETUINT32(p, (i << 1) + 1); + size_t ofs, tail = (i << 1) + 1; + if (cdf_check_stream_offset(sst, h, p, tail * sizeof(uint32_t), + __LINE__) == -1) + goto out; + ofs = CDF_GETUINT32(p, tail); q = (const uint8_t *)(const void *) ((const char *)(const void *)p + ofs - 2 * sizeof(uint32_t)); |