Bug #67412 fileinfo: cdf_count_chain insufficient boundary check

Upstream: https://github.com/file/file/commit/40bade80cbe2af1d0b2cd0420cebd5d5905a2382
author: Remi Collet <remi@php.net> 2014-06-10 14:22:04 +0200
committer: Stanislav Malyshev <stas@php.net> 2014-07-18 16:20:19 -0700
commit: 892def5f12716c9f926588bd2190acd6ea99a3a0 (patch)
tree: 767c1497bdae79b7762533c370528633501f489d
parent: 8d1d03850955855b86f949b43e532ef8c22c1cc3 (diff)
download: php-git-892def5f12716c9f926588bd2190acd6ea99a3a0.tar.gz
1 files changed, 4 insertions, 3 deletions
diff --git a/ext/fileinfo/libmagic/cdf.c b/ext/fileinfo/libmagic/cdf.c
index 5dce5ced58..3b6f4881d9 100644
--- a/ext/fileinfo/libmagic/cdf.c
+++ b/ext/fileinfo/libmagic/cdf.c
@@ -470,7 +470,8 @@ size_t
 cdf_count_chain(const cdf_sat_t *sat, cdf_secid_t sid, size_t size)
 {
 	size_t i, j;
-	cdf_secid_t maxsector = (cdf_secid_t)(sat->sat_len * size);
+	cdf_secid_t maxsector = (cdf_secid_t)((sat->sat_len * size)
+	    / sizeof(maxsector));
 
 	DPRINTF(("Chain:"));
 	for (j = i = 0; sid >= 0; i++, j++) {
@@ -480,8 +481,8 @@ cdf_count_chain(const cdf_sat_t *sat, cdf_secid_t sid, size_t size)
 			errno = EFTYPE;
 			return (size_t)-1;
 		}
-		if (sid > maxsector) {
-			DPRINTF(("Sector %d > %d\n", sid, maxsector));
+		if (sid >= maxsector) {
+			DPRINTF(("Sector %d >= %d\n", sid, maxsector));
 			errno = EFTYPE;
 			return (size_t)-1;
 		}
author	Remi Collet <remi@php.net>	2014-06-10 14:22:04 +0200
committer	Stanislav Malyshev <stas@php.net>	2014-07-18 16:20:19 -0700
commit	892def5f12716c9f926588bd2190acd6ea99a3a0 (patch)
tree	767c1497bdae79b7762533c370528633501f489d
parent	8d1d03850955855b86f949b43e532ef8c22c1cc3 (diff)
download	php-git-892def5f12716c9f926588bd2190acd6ea99a3a0.tar.gz