From 4fcb9a9d1b1063a65fbeb27395de4979c75bd962 Mon Sep 17 00:00:00 2001
From: Remi Collet
Date: Tue, 3 Jun 2014 11:05:00 +0200
Subject: [PATCH 1/2] Fix bug #67326 fileinfo: cdf_read_short_sector insufficient boundary check

Upstream fix https://github.com/file/file/commit/6d209c1c489457397a5763bca4b28e43aac90391.patch Only revelant part applied
---
 ext/fileinfo/libmagic/cdf.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/ext/fileinfo/libmagic/cdf.c b/ext/fileinfo/libmagic/cdf.c
index 4712e84942e..16649f193fb 100644
--- a/ext/fileinfo/libmagic/cdf.c
+++ b/ext/fileinfo/libmagic/cdf.c
@@ -365,10 +365,10 @@ cdf_read_short_sector(const cdf_stream_t *sst, void *buf, size_t offs,
 size_t ss = CDF_SHORT_SEC_SIZE(h);
 size_t pos = CDF_SHORT_SEC_POS(h, id);
 assert(ss == len);
- if (pos > CDF_SEC_SIZE(h) * sst->sst_len) {
+ if (pos + len > CDF_SEC_SIZE(h) * sst->sst_len) {
 DPRINTF(("Out of bounds read %" SIZE_T_FORMAT "u > %" SIZE_T_FORMAT "u\n",
- pos, CDF_SEC_SIZE(h) * sst->sst_len));
+ pos + len, CDF_SEC_SIZE(h) * sst->sst_len));
 return -1;
 }
 (void)memcpy(((char *)buf) + offs,

From 21986f98dbdc4e4dc556bb5f006d8fc8bbaebbe2 Mon Sep 17 00:00:00 2001
From: Remi Collet
Date: Tue, 3 Jun 2014 11:08:46 +0200
Subject: [PATCH 2/2] NEWS

---
 NEWS | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/NEWS b/NEWS
index 04058b61a8f..6c2e5acdb1b 100644
--- a/NEWS
+++ b/NEWS
@@ -6,6 +6,9 @@ PHP NEWS
 . Fixed bug #67308 (Serialize of DateTime truncates fractions of second). (Adam)
+- Fileinfo:
+ . Fixed bug #67326 (fileinfo: cdf_read_short_sector insufficient boundary check).
+
 - SPL:
 . Fixed bug #67359 (Segfault in recursiveDirectoryIterator). (Laruence)
 . Fixed bug #67360 (Missing element after ArrayObject::getIterator). (Adam)
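Review bot: In the cdf.c hunk, the new bound `pos + len > CDF_SEC_SIZE(h) * sst->sst_len` is evaluated in `size_t`, so a sufficiently large `pos` could make `pos + len` wrap around and pass the check before the `memcpy` that follows; whether `pos` can get that large depends on `CDF_SHORT_SEC_POS` and the range of `id`, neither of which is visible here. A subtraction form avoids the wrap: compute `size_t limit = CDF_SEC_SIZE(h) * sst->sst_len;` once and test `if (pos > limit || len > limit - pos)`, reusing `limit` in the DPRINTF. The `assert(ss == len)` just above is compiled out under NDEBUG, so in release builds `len` is not tied to the short-sector size and this bounds check is the only guard on the copy length. cdf_read_short_sector starts and ends outside the hunk, so the `memcpy` source arguments could not be checked from this page.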