diff options
author | Remi Collet <remi@php.net> | 2014-06-10 14:22:04 +0200 |
---|---|---|
committer | Stanislav Malyshev <stas@php.net> | 2014-07-18 16:20:19 -0700 |
commit | 892def5f12716c9f926588bd2190acd6ea99a3a0 (patch) | |
tree | 767c1497bdae79b7762533c370528633501f489d | |
parent | 8d1d03850955855b86f949b43e532ef8c22c1cc3 (diff) | |
download | php-git-892def5f12716c9f926588bd2190acd6ea99a3a0.tar.gz |
Bug #67412 fileinfo: cdf_count_chain insufficient boundary check
Upstream:
https://github.com/file/file/commit/40bade80cbe2af1d0b2cd0420cebd5d5905a2382
-rw-r--r-- | ext/fileinfo/libmagic/cdf.c | 7 |
1 files changed, 4 insertions, 3 deletions
diff --git a/ext/fileinfo/libmagic/cdf.c b/ext/fileinfo/libmagic/cdf.c index 5dce5ced58..3b6f4881d9 100644 --- a/ext/fileinfo/libmagic/cdf.c +++ b/ext/fileinfo/libmagic/cdf.c @@ -470,7 +470,8 @@ size_t cdf_count_chain(const cdf_sat_t *sat, cdf_secid_t sid, size_t size) { size_t i, j; - cdf_secid_t maxsector = (cdf_secid_t)(sat->sat_len * size); + cdf_secid_t maxsector = (cdf_secid_t)((sat->sat_len * size) + / sizeof(maxsector)); DPRINTF(("Chain:")); for (j = i = 0; sid >= 0; i++, j++) { @@ -480,8 +481,8 @@ cdf_count_chain(const cdf_sat_t *sat, cdf_secid_t sid, size_t size) errno = EFTYPE; return (size_t)-1; } - if (sid > maxsector) { - DPRINTF(("Sector %d > %d\n", sid, maxsector)); + if (sid >= maxsector) { + DPRINTF(("Sector %d >= %d\n", sid, maxsector)); errno = EFTYPE; return (size_t)-1; } |