From 40ef6e07e0b2cdced57c506e08cf18f47122292d Mon Sep 17 00:00:00 2001
From: Remi Collet
Date: Tue, 10 Jun 2014 14:22:04 +0200
Subject: [PATCH 1/3] Bug #67412 fileinfo: cdf_count_chain insufficient boundary check
Upstream: https://github.com/file/file/commit/40bade80cbe2af1d0b2cd0420cebd5d5905a2382
---
 ext/fileinfo/libmagic/cdf.c | 7 ++++---
 1 file changed, 4 insertions(+), 3 deletions(-)
diff --git a/ext/fileinfo/libmagic/cdf.c b/ext/fileinfo/libmagic/cdf.c
index c9a5d50a35b..ee467a6671e 100644
--- a/ext/fileinfo/libmagic/cdf.c
+++ b/ext/fileinfo/libmagic/cdf.c
@@ -470,7 +470,8 @@ size_t
 cdf_count_chain(const cdf_sat_t *sat, cdf_secid_t sid, size_t size)
 {
 size_t i, j;
- cdf_secid_t maxsector = (cdf_secid_t)(sat->sat_len * size);
+ cdf_secid_t maxsector = (cdf_secid_t)((sat->sat_len * size)
+ / sizeof(maxsector));
 DPRINTF(("Chain:"));
 for (j = i = 0; sid >= 0; i++, j++) {
@@ -480,8 +481,8 @@ cdf_count_chain(const cdf_sat_t *sat, cdf_secid_t sid, size_t size)
 errno = EFTYPE;
 return (size_t)-1;
 }
- if (sid > maxsector) {
- DPRINTF(("Sector %d > %d\n", sid, maxsector));
+ if (sid >= maxsector) {
+ DPRINTF(("Sector %d >= %d\n", sid, maxsector));
 errno = EFTYPE;
 return (size_t)-1;
 }
From da5d40bae6505364c3604385a2b6ae4e27a4a5d6 Mon Sep 17 00:00:00 2001
From: Remi Collet
Date: Tue, 10 Jun 2014 14:23:31 +0200
Subject: [PATCH 2/3] NEWS
---
 NEWS | 6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)
diff --git a/NEWS b/NEWS
index 325709912d4..f429d680ed3 100644
--- a/NEWS
+++ b/NEWS
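Review bot: In the first hunk of ext/fileinfo/libmagic/cdf.c, the new bound in `cdf_count_chain` divides by `sizeof(maxsector)` inside `maxsector`'s own initializer, which is legal but hides the unit change from bytes to entries. Writing `/ sizeof(cdf_secid_t)` and adding a comment such as `/* number of secid entries the SAT can hold: sat_len sectors of size bytes each */` would explain why the limit shrank and why the second hunk's `sid >= maxsector` is the correct comparison. The product `sat->sat_len * size` is computed in `size_t` and then cast to the signed `cdf_secid_t`; a value outside that type's range would presumably make the check reject every chain rather than admit an out-of-range `sid`, and the comment should state that fail-closed expectation. The function body continues past both hunks, so how `sid` is used after the check is not visible here.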
@@ -23,9 +23,11 @@ PHP NEWS . Fixed bug #67326 (fileinfo: cdf_read_short_sector insufficient boundary check). . Fixed bug #67410 (fileinfo: mconvert incorrect handling of truncated pascal - string size). (Francisco Alonso, Remi) + string size). (Francisco Alonso, Jan Kaluza, Remi) . Fixed bug #67411 (fileinfo: cdf_check_stream_offset insufficient boundary - check). (Francisco Alonso, Remi) + check). (Francisco Alonso, Jan Kaluza, Remi) + . Fixed bug #67412 (fileinfo: cdf_count_chain insufficient boundary check). + ((Francisco Alonso, Jan Kaluza, Remi) - OpenSSL: . Fixed bug #65698 (certificates validity parsing does not work past 2050). From 20b03c84ec0d66a017a06f3c1fcbf8ffdf62c1a7 Mon Sep 17 00:00:00 2001 From: Remi Collet Date: Tue, 10 Jun 2014 14:24:00 +0200 Subject: [PATCH 3/3] NEWS --- NEWS | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/NEWS b/NEWS index 02f858ee71c..52eec6b657c 100644 --- a/NEWS +++ b/NEWS @@ -22,9 +22,11 @@ PHP NEWS - Fileinfo: . Fixed bug #67326 (fileinfo: cdf_read_short_sector insufficient boundary check). . Fixed bug #67410 (fileinfo: mconvert incorrect handling of truncated pascal - string size). (Francisco Alonso, Remi) + string size). (Francisco Alonso, Jan Kaluza, Remi) . Fixed bug #67411 (fileinfo: cdf_check_stream_offset insufficient boundary - check). (Francisco Alonso, Remi) + check). (Francisco Alonso, Jan Kaluza, Remi) + . Fixed bug #67412 (fileinfo: cdf_count_chain insufficient boundary check). + ((Francisco Alonso, Jan Kaluza, Remi) - OPCache: . Fixed issue #183 (TMP_VAR is not only used once). (Dmitry, Laruence)