File: CVE-2014-0207.patch

package info (click to toggle)
php5 5.3.3.1-7%2Bsqueeze29
  • links: PTS, VCS
  • area: main
  • in suites: squeeze-lts
  • size: 123,520 kB
  • ctags: 55,742
  • sloc: ansic: 633,963; php: 19,620; sh: 11,344; xml: 5,816; cpp: 2,400; yacc: 1,745; exp: 1,514; makefile: 1,019; pascal: 623; awk: 537; sql: 22
file content (24 lines) | stat: -rw-r--r-- 956 bytes parent folder | download 
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
 
Index: php5-5.3.3/ext/fileinfo/libmagic/cdf.c
===================================================================
--- php5-5.3.3.orig/ext/fileinfo/libmagic/cdf.c	2014-07-18 11:05:27.000000000 +0200
+++ php5-5.3.3/ext/fileinfo/libmagic/cdf.c	2014-07-18 11:05:27.000000000 +0200
@@ -322,9 +322,17 @@
 cdf_read_short_sector(const cdf_stream_t *sst, void *buf, size_t offs,
     size_t len, const cdf_header_t *h, cdf_secid_t id)
 {
-	assert((size_t)CDF_SHORT_SEC_SIZE(h) == len);
+	size_t ss = CDF_SHORT_SEC_SIZE(h);
+	size_t pos = CDF_SHORT_SEC_POS(h, id);
+	assert(ss == len);
+	if (pos + len > CDF_SEC_SIZE(h) * sst->sst_len) {
+		DPRINTF(("Out of bounds read %" SIZE_T_FORMAT "u > %"
+		    SIZE_T_FORMAT "u\n",
+		    pos + len, CDF_SEC_SIZE(h) * sst->sst_len));
+		return -1;
+	}
 	(void)memcpy(((char *)buf) + offs,
-	    ((const char *)sst->sst_tab) + CDF_SHORT_SEC_POS(h, id), len);
+	    ((const char *)sst->sst_tab) + pos, len);
 	return len;
 }