1 files changed, 37 insertions, 0 deletions

diff --git a/php-bug67411.patch b/php-bug67411.patch
new file mode 100644
index 0000000..27c0204
--- /dev/null
+++ b/php-bug67411.patch
@@ -0,0 +1,37 @@
+From 5c9f96799961818944d43b22c241cc56c215c2e4 Mon Sep 17 00:00:00 2001
+From: Remi Collet <remi@php.net>
+Date: Tue, 10 Jun 2014 14:13:14 +0200
+Subject: [PATCH] Fixed Bug #67411 	fileinfo: cdf_check_stream_offset
+ insufficient boundary check
+
+Upstream:
+https://github.com/file/file/commit/36fadd29849b8087af9f4586f89dbf74ea45be67
+---
+ ext/fileinfo/libmagic/cdf.c | 6 ++++--
+ 1 file changed, 4 insertions(+), 2 deletions(-)
+
+diff --git a/ext/fileinfo/libmagic/cdf.c b/ext/fileinfo/libmagic/cdf.c
+index 16649f1..c9a5d50 100644
+--- a/ext/fileinfo/libmagic/cdf.c
++++ b/ext/fileinfo/libmagic/cdf.c
+@@ -277,13 +277,15 @@ cdf_check_stream_offset(const cdf_stream_t *sst, const cdf_header_t *h,
+ {
+ 	const char *b = (const char *)sst->sst_tab;
+ 	const char *e = ((const char *)p) + tail;
++	size_t ss = sst->sst_dirlen < h->h_min_size_standard_stream ?
++	    CDF_SHORT_SEC_SIZE(h) : CDF_SEC_SIZE(h);
+ 	(void)&line;
+-	if (e >= b && (size_t)(e - b) <= CDF_SEC_SIZE(h) * sst->sst_len)
++	if (e >= b && (size_t)(e - b) <= ss * sst->sst_len)
+ 		return 0;
+ 	DPRINTF(("%d: offset begin %p < end %p || %" SIZE_T_FORMAT "u"
+ 	    " > %" SIZE_T_FORMAT "u [%" SIZE_T_FORMAT "u %"
+ 	    SIZE_T_FORMAT "u]\n", line, b, e, (size_t)(e - b),
+-	    CDF_SEC_SIZE(h) * sst->sst_len, CDF_SEC_SIZE(h), sst->sst_len));
++	    ss * sst->sst_len, ss, sst->sst_len));
+ 	errno = EFTYPE;
+ 	return -1;
+ }
+-- 
+1.9.2
+