Overview

File php-5.4.20-CVE-2014-0207.patch of Package php5.openSUSE_13.1_Update

From: Remi Collet <remi@php.net>
Date: Tue, 3 Jun 2014 09:05:00 +0000 (+0200)
Subject: Fix bug #67326	fileinfo: cdf_read_short_sector insufficient boundary check
X-Git-Tag: php-5.4.30RC1~33
X-Git-Url: http://72.52.91.13:8000/?p=php-src.git;a=commitdiff_plain;h=4fcb9a9d1b1063a65fbeb27395de4979c75bd962

Fix bug #67326	fileinfo: cdf_read_short_sector insufficient boundary check

Upstream fix https://github.com/file/file/commit/6d209c1c489457397a5763bca4b28e43aac90391.patch
Only revelant part applied
---

diff --git a/ext/fileinfo/libmagic/cdf.c b/ext/fileinfo/libmagic/cdf.c
index 4712e84..16649f1 100644
--- ext/fileinfo/libmagic/cdf.c
+++ ext/fileinfo/libmagic/cdf.c
@@ -365,10 +365,10 @@ cdf_read_short_sector(const cdf_stream_t *sst, void *buf, size_t offs,
 	size_t ss = CDF_SHORT_SEC_SIZE(h);
 	size_t pos = CDF_SHORT_SEC_POS(h, id);
 	assert(ss == len);
-	if (pos > CDF_SEC_SIZE(h) * sst->sst_len) {
+	if (pos + len > CDF_SEC_SIZE(h) * sst->sst_len) {
 		DPRINTF(("Out of bounds read %" SIZE_T_FORMAT "u > %"
 		    SIZE_T_FORMAT "u\n",
-		    pos, CDF_SEC_SIZE(h) * sst->sst_len));
+		    pos + len, CDF_SEC_SIZE(h) * sst->sst_len));
 		return -1;
 	}
 	(void)memcpy(((char *)buf) + offs,
openSUSE Build Service is sponsored by
Places