Merge branch 'PHP-5.4' into PHP-5.5

* PHP-5.4: NEWS Fixed Bug #67413 fileinfo: cdf_read_property_info insufficient boundary chec
author: Remi Collet <remi@php.net> 2014-06-10 14:35:23 +0200
committer: Remi Collet <remi@php.net> 2014-06-10 14:35:23 +0200
commit: 12a62ce868e9f83157ccd942d8e97c025d19f63c (patch)
tree: c573d9c8fa1dba72f5e331873ede096c6fa84110
parent: 20b03c84ec0d66a017a06f3c1fcbf8ffdf62c1a7 (diff)
parent: 6256b79a3531bd9f0f57c09526a5fd033e418c60 (diff)
download: php-git-12a62ce868e9f83157ccd942d8e97c025d19f63c.tar.gz
1 files changed, 5 insertions, 1 deletions
diff --git a/ext/fileinfo/libmagic/cdf.c b/ext/fileinfo/libmagic/cdf.c
index ee467a6671..429f3b952f 100644
--- a/ext/fileinfo/libmagic/cdf.c
+++ b/ext/fileinfo/libmagic/cdf.c
@@ -812,7 +812,11 @@ cdf_read_property_info(const cdf_stream_t *sst, const cdf_header_t *h,
 	if (cdf_check_stream_offset(sst, h, e, 0, __LINE__) == -1)
 		goto out;
 	for (i = 0; i < sh.sh_properties; i++) {
-		size_t ofs = CDF_GETUINT32(p, (i << 1) + 1);
+		size_t ofs, tail = (i << 1) + 1;
+		if (cdf_check_stream_offset(sst, h, p, tail * sizeof(uint32_t),
+		    __LINE__) == -1)
+			goto out;
+		ofs = CDF_GETUINT32(p, tail);
 		q = (const uint8_t *)(const void *)
 		    ((const char *)(const void *)p + ofs
 		    - 2 * sizeof(uint32_t));
author	Remi Collet <remi@php.net>	2014-06-10 14:35:23 +0200
committer	Remi Collet <remi@php.net>	2014-06-10 14:35:23 +0200
commit	12a62ce868e9f83157ccd942d8e97c025d19f63c (patch)
tree	c573d9c8fa1dba72f5e331873ede096c6fa84110
parent	20b03c84ec0d66a017a06f3c1fcbf8ffdf62c1a7 (diff)
parent	6256b79a3531bd9f0f57c09526a5fd033e418c60 (diff)
download	php-git-12a62ce868e9f83157ccd942d8e97c025d19f63c.tar.gz