From c21955ff3fb6c3fe45e3a96492d790acb1ca4030 Mon Sep 17 00:00:00 2001
From: Remi Collet <fedora@famillecollet.com>
Date: Tue, 3 Jun 2014 14:06:47 +0200
Subject: PHP 5.5.13: apply 2 upstream fix

---
 php-bug67326.patch | 32 ++++++++++++++++++++++++++++++++
 1 file changed, 32 insertions(+)
 create mode 100644 php-bug67326.patch

(limited to 'php-bug67326.patch')

diff --git a/php-bug67326.patch b/php-bug67326.patch
new file mode 100644
index 0000000..2e7b0b1
--- /dev/null
+++ b/php-bug67326.patch
@@ -0,0 +1,32 @@
+From 4fcb9a9d1b1063a65fbeb27395de4979c75bd962 Mon Sep 17 00:00:00 2001
+From: Remi Collet <remi@php.net>
+Date: Tue, 3 Jun 2014 11:05:00 +0200
+Subject: [PATCH] Fix bug #67326	fileinfo: cdf_read_short_sector insufficient
+ boundary check
+
+Upstream fix https://github.com/file/file/commit/6d209c1c489457397a5763bca4b28e43aac90391.patch
+Only revelant part applied
+---
+ ext/fileinfo/libmagic/cdf.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/ext/fileinfo/libmagic/cdf.c b/ext/fileinfo/libmagic/cdf.c
+index 4712e84..16649f1 100644
+--- a/ext/fileinfo/libmagic/cdf.c
++++ b/ext/fileinfo/libmagic/cdf.c
+@@ -365,10 +365,10 @@ cdf_read_short_sector(const cdf_stream_t *sst, void *buf, size_t offs,
+ 	size_t ss = CDF_SHORT_SEC_SIZE(h);
+ 	size_t pos = CDF_SHORT_SEC_POS(h, id);
+ 	assert(ss == len);
+-	if (pos > CDF_SEC_SIZE(h) * sst->sst_len) {
++	if (pos + len > CDF_SEC_SIZE(h) * sst->sst_len) {
+ 		DPRINTF(("Out of bounds read %" SIZE_T_FORMAT "u > %"
+ 		    SIZE_T_FORMAT "u\n",
+-		    pos, CDF_SEC_SIZE(h) * sst->sst_len));
++		    pos + len, CDF_SEC_SIZE(h) * sst->sst_len));
+ 		return -1;
+ 	}
+ 	(void)memcpy(((char *)buf) + offs,
+-- 
+1.9.2
+
-- 
cgit