From 25b1dc917a53787dbb2532721ca22f3f36eb13c0 Mon Sep 17 00:00:00 2001 From: Remi Collet Date: Tue, 10 Jun 2014 14:33:37 +0200 Subject: [PATCH 1/2] Fixed Bug #67413 fileinfo: cdf_read_property_info insufficient boundary chec Upstream: https://github.com/file/file/commit/93e063ee374b6a75729df9e7201fb511e47e259d Adapted for C standard. --- ext/fileinfo/libmagic/cdf.c | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-) diff --git a/ext/fileinfo/libmagic/cdf.c b/ext/fileinfo/libmagic/cdf.c index ee467a6671e..429f3b952f6 100644 --- a/ext/fileinfo/libmagic/cdf.c +++ b/ext/fileinfo/libmagic/cdf.c @@ -812,7 +812,11 @@ cdf_read_property_info(const cdf_stream_t *sst, const cdf_header_t *h, if (cdf_check_stream_offset(sst, h, e, 0, __LINE__) == -1) goto out; for (i = 0; i < sh.sh_properties; i++) { - size_t ofs = CDF_GETUINT32(p, (i << 1) + 1); + size_t ofs, tail = (i << 1) + 1; + if (cdf_check_stream_offset(sst, h, p, tail * sizeof(uint32_t), + __LINE__) == -1) + goto out; + ofs = CDF_GETUINT32(p, tail); q = (const uint8_t *)(const void *) ((const char *)(const void *)p + ofs - 2 * sizeof(uint32_t)); From 6256b79a3531bd9f0f57c09526a5fd033e418c60 Mon Sep 17 00:00:00 2001 From: Remi Collet Date: Tue, 10 Jun 2014 14:35:14 +0200 Subject: [PATCH 2/2] NEWS --- NEWS | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/NEWS b/NEWS index f429d680ed3..e8465491038 100644 --- a/NEWS +++ b/NEWS @@ -27,7 +27,9 @@ PHP NEWS . Fixed bug #67411 (fileinfo: cdf_check_stream_offset insufficient boundary check). (Francisco Alonso, Jan Kaluza, Remi) . Fixed bug #67412 (fileinfo: cdf_count_chain insufficient boundary check). - ((Francisco Alonso, Jan Kaluza, Remi) + (Francisco Alonso, Jan Kaluza, Remi) + . Fixed bug #67413 (fileinfo: cdf_read_property_info insufficient boundary + check). (Francisco Alonso, Jan Kaluza, Remi) - OpenSSL: . Fixed bug #65698 (certificates validity parsing does not work past 2050).