[packages/php.git] / php-5.3.3-CVE-2014-2270.patch

diff --git a/src/softmagic.c b/src/softmagic.c
index 1f02fec..58a1cf7 100644
--- a/ext/fileinfo/libmagic/softmagic.c
+++ b/ext/fileinfo/libmagic/softmagic.c
@@ -87,6 +87,7 @@ private void cvt_16(union VALUETYPE *, const struct magic *);
 private void cvt_32(union VALUETYPE *, const struct magic *);
 private void cvt_64(union VALUETYPE *, const struct magic *);
 
+#define OFFSET_OOB(n, o, i)	((n) < (o) || (i) > ((n) - (o)))
 /*
  * softmagic - lookup one file in parsed, in-memory copy of database
  * Passed the name and FILE * of one file to be typed.
@@ -1065,6 +1066,7 @@ mget(struct magic_set *ms, const unsigned char *s,
 {
 	uint32_t offset = ms->offset;
 	uint32_t count = m->str_range;
+	uint32_t lhs;
 	union VALUETYPE *p = &ms->ms_value;
 
 	if (mcopy(ms, p, m->type, m->flag & INDIR, s, offset, nbytes, count) == -1)
@@ -1116,7 +1118,7 @@ mget(struct magic_set *ms, const unsigned char *s,
 		}
 		switch (m->in_type) {
 		case FILE_BYTE:
-			if (nbytes < (offset + 1))
+			if (OFFSET_OOB(nbytes, offset, 1))
 				return 0;
 			if (off) {
 				switch (m->in_op & FILE_OPS_MASK) {
@@ -1151,111 +1153,79 @@ mget(struct magic_set *ms, const unsigned char *s,
 				offset = ~offset;
 			break;
 		case FILE_BESHORT:
-			if (nbytes < (offset + 2))
+			if (OFFSET_OOB(nbytes, offset, 2))
 				return 0;
+			lhs = (p->hs[0] << 8) | p->hs[1];
 			if (off) {
 				switch (m->in_op & FILE_OPS_MASK) {
 				case FILE_OPAND:
-					offset = (short)((p->hs[0]<<8)|
-							 (p->hs[1])) &
-						 off;
+					offset = lhs & off;
 					break;
 				case FILE_OPOR:
-					offset = (short)((p->hs[0]<<8)|
-							 (p->hs[1])) |
-						 off;
+					offset = lhs | off;
 					break;
 				case FILE_OPXOR:
-					offset = (short)((p->hs[0]<<8)|
-							 (p->hs[1])) ^
-						 off;
+					offset = lhs ^ off;
 					break;
 				case FILE_OPADD:
-					offset = (short)((p->hs[0]<<8)|
-							 (p->hs[1])) +
-						 off;
+					offset = lhs + off;
 					break;
 				case FILE_OPMINUS:
-					offset = (short)((p->hs[0]<<8)|
-							 (p->hs[1])) -
-						 off;
+					offset = lhs - off;
 					break;
 				case FILE_OPMULTIPLY:
-					offset = (short)((p->hs[0]<<8)|
-							 (p->hs[1])) *
-						 off;
+					offset = lhs * off;
 					break;
 				case FILE_OPDIVIDE:
-					offset = (short)((p->hs[0]<<8)|
-							 (p->hs[1])) /
-						 off;
+					offset = lhs / off;
 					break;
 				case FILE_OPMODULO:
-					offset = (short)((p->hs[0]<<8)|
-							 (p->hs[1])) %
-						 off;
+					offset = lhs % off;
 					break;
 				}
 			} else
-				offset = (short)((p->hs[0]<<8)|
-						 (p->hs[1]));
+				offset = lhs;
 			if (m->in_op & FILE_OPINVERSE)
 				offset = ~offset;
 			break;
 		case FILE_LESHORT:
-			if (nbytes < (offset + 2))
+			if (OFFSET_OOB(nbytes, offset, 2))
 				return 0;
+			lhs = (p->hs[1] << 8) | p->hs[0];
 			if (off) {
 				switch (m->in_op & FILE_OPS_MASK) {
 				case FILE_OPAND:
-					offset = (short)((p->hs[1]<<8)|
-							 (p->hs[0])) &
-						 off;
+					offset = lhs & off;
 					break;
 				case FILE_OPOR:
-					offset = (short)((p->hs[1]<<8)|
-							 (p->hs[0])) |
-						 off;
+					offset = lhs | off;
 					break;
 				case FILE_OPXOR:
-					offset = (short)((p->hs[1]<<8)|
-							 (p->hs[0])) ^
-						 off;
+					offset = lhs ^ off;
 					break;
 				case FILE_OPADD:
-					offset = (short)((p->hs[1]<<8)|
-							 (p->hs[0])) +
-						 off;
+					offset = lhs + off;
 					break;
 				case FILE_OPMINUS:
-					offset = (short)((p->hs[1]<<8)|
-							 (p->hs[0])) -
-						 off;
+					offset = lhs - off;
 					break;
 				case FILE_OPMULTIPLY:
-					offset = (short)((p->hs[1]<<8)|
-							 (p->hs[0])) *
-						 off;
+					offset = lhs * off;
 					break;
 				case FILE_OPDIVIDE:
-					offset = (short)((p->hs[1]<<8)|
-							 (p->hs[0])) /
-						 off;
+					offset = lhs / off;
 					break;
 				case FILE_OPMODULO:
-					offset = (short)((p->hs[1]<<8)|
-							 (p->hs[0])) %
-						 off;
+					offset = lhs % off;
 					break;
 				}
 			} else
-				offset = (short)((p->hs[1]<<8)|
-						 (p->hs[0]));
+				offset = lhs;
 			if (m->in_op & FILE_OPINVERSE)
 				offset = ~offset;
 			break;
 		case FILE_SHORT:
-			if (nbytes < (offset + 2))
+			if (OFFSET_OOB(nbytes, offset, 2))
 				return 0;
 			if (off) {
 				switch (m->in_op & FILE_OPS_MASK) {
@@ -1292,218 +1262,119 @@ mget(struct magic_set *ms, const unsigned char *s,
 			break;
 		case FILE_BELONG:
 		case FILE_BEID3:
-			if (nbytes < (offset + 4))
+			if (OFFSET_OOB(nbytes, offset, 4))
 				return 0;
+			lhs = (p->hl[0] << 24) | (p->hl[1] << 16) |
+			    (p->hl[2] << 8) | p->hl[3];
 			if (off) {
 				switch (m->in_op & FILE_OPS_MASK) {
 				case FILE_OPAND:
-					offset = (int32_t)((p->hl[0]<<24)|
-							 (p->hl[1]<<16)|
-							 (p->hl[2]<<8)|
-							 (p->hl[3])) &
-						 off;
+					offset = lhs & off;
 					break;
 				case FILE_OPOR:
-					offset = (int32_t)((p->hl[0]<<24)|
-							 (p->hl[1]<<16)|
-							 (p->hl[2]<<8)|
-							 (p->hl[3])) |
-						 off;
+					offset = lhs | off;
 					break;
 				case FILE_OPXOR:
-					offset = (int32_t)((p->hl[0]<<24)|
-							 (p->hl[1]<<16)|
-							 (p->hl[2]<<8)|
-							 (p->hl[3])) ^
-						 off;
+					offset = lhs ^ off;
 					break;
 				case FILE_OPADD:
-					offset = (int32_t)((p->hl[0]<<24)|
-							 (p->hl[1]<<16)|
-							 (p->hl[2]<<8)|
-							 (p->hl[3])) +
-						 off;
+					offset = lhs + off;
 					break;
 				case FILE_OPMINUS:
-					offset = (int32_t)((p->hl[0]<<24)|
-							 (p->hl[1]<<16)|
-							 (p->hl[2]<<8)|
-							 (p->hl[3])) -
-						 off;
+					offset = lhs - off;
 					break;
 				case FILE_OPMULTIPLY:
-					offset = (int32_t)((p->hl[0]<<24)|
-							 (p->hl[1]<<16)|
-							 (p->hl[2]<<8)|
-							 (p->hl[3])) *
-						 off;
+					offset = lhs * off;
 					break;
 				case FILE_OPDIVIDE:
-					offset = (int32_t)((p->hl[0]<<24)|
-							 (p->hl[1]<<16)|
-							 (p->hl[2]<<8)|
-							 (p->hl[3])) /
-						 off;
+					offset = lhs / off;
 					break;
 				case FILE_OPMODULO:
-					offset = (int32_t)((p->hl[0]<<24)|
-							 (p->hl[1]<<16)|
-							 (p->hl[2]<<8)|
-							 (p->hl[3])) %
-						 off;
+					offset = lhs % off;
 					break;
 				}
 			} else
-				offset = (int32_t)((p->hl[0]<<24)|
-						 (p->hl[1]<<16)|
-						 (p->hl[2]<<8)|
-						 (p->hl[3]));
+				offset = lhs;
 			if (m->in_op & FILE_OPINVERSE)
 				offset = ~offset;
 			break;
 		case FILE_LELONG:
 		case FILE_LEID3:
-			if (nbytes < (offset + 4))
+			if (OFFSET_OOB(nbytes, offset, 4))
 				return 0;
+			lhs = (p->hl[3] << 24) | (p->hl[2] << 16) |
+			    (p->hl[1] << 8) | p->hl[0];
 			if (off) {
 				switch (m->in_op & FILE_OPS_MASK) {
 				case FILE_OPAND:
-					offset = (int32_t)((p->hl[3]<<24)|
-							 (p->hl[2]<<16)|
-							 (p->hl[1]<<8)|
-							 (p->hl[0])) &
-						 off;
+					offset = lhs & off;
 					break;
 				case FILE_OPOR:
-					offset = (int32_t)((p->hl[3]<<24)|
-							 (p->hl[2]<<16)|
-							 (p->hl[1]<<8)|
-							 (p->hl[0])) |
-						 off;
+					offset = lhs | off;
 					break;
 				case FILE_OPXOR:
-					offset = (int32_t)((p->hl[3]<<24)|
-							 (p->hl[2]<<16)|
-							 (p->hl[1]<<8)|
-							 (p->hl[0])) ^
-						 off;
+					offset = lhs ^ off;
 					break;
 				case FILE_OPADD:
-					offset = (int32_t)((p->hl[3]<<24)|
-							 (p->hl[2]<<16)|
-							 (p->hl[1]<<8)|
-							 (p->hl[0])) +
-						 off;
+					offset = lhs + off;
 					break;
 				case FILE_OPMINUS:
-					offset = (int32_t)((p->hl[3]<<24)|
-							 (p->hl[2]<<16)|
-							 (p->hl[1]<<8)|
-							 (p->hl[0])) -
-						 off;
+					offset = lhs - off;
 					break;
 				case FILE_OPMULTIPLY:
-					offset = (int32_t)((p->hl[3]<<24)|
-							 (p->hl[2]<<16)|
-							 (p->hl[1]<<8)|
-							 (p->hl[0])) *
-						 off;
+					offset = lhs * off;
 					break;
 				case FILE_OPDIVIDE:
-					offset = (int32_t)((p->hl[3]<<24)|
-							 (p->hl[2]<<16)|
-							 (p->hl[1]<<8)|
-							 (p->hl[0])) /
-						 off;
+					offset = lhs / off;
 					break;
 				case FILE_OPMODULO:
-					offset = (int32_t)((p->hl[3]<<24)|
-							 (p->hl[2]<<16)|
-							 (p->hl[1]<<8)|
-							 (p->hl[0])) %
-						 off;
+					offset = lhs % off;
 					break;
 				}
 			} else
-				offset = (int32_t)((p->hl[3]<<24)|
-						 (p->hl[2]<<16)|
-						 (p->hl[1]<<8)|
-						 (p->hl[0]));
+				offset = lhs;
 			if (m->in_op & FILE_OPINVERSE)
 				offset = ~offset;
 			break;
 		case FILE_MELONG:
-			if (nbytes < (offset + 4))
+			if (OFFSET_OOB(nbytes, offset, 4))
 				return 0;
+			lhs = (p->hl[1] << 24) | (p->hl[0] << 16) |
+			    (p->hl[3] << 8) | p->hl[2];
 			if (off) {
 				switch (m->in_op & FILE_OPS_MASK) {
 				case FILE_OPAND:
-					offset = (int32_t)((p->hl[1]<<24)|
-							 (p->hl[0]<<16)|
-							 (p->hl[3]<<8)|
-							 (p->hl[2])) &
-						 off;
+					offset = lhs & off;
 					break;
 				case FILE_OPOR:
-					offset = (int32_t)((p->hl[1]<<24)|
-							 (p->hl[0]<<16)|
-							 (p->hl[3]<<8)|
-							 (p->hl[2])) |
-						 off;
+					offset = lhs | off;
 					break;
 				case FILE_OPXOR:
-					offset = (int32_t)((p->hl[1]<<24)|
-							 (p->hl[0]<<16)|
-							 (p->hl[3]<<8)|
-							 (p->hl[2])) ^
-						 off;
+					offset = lhs ^ off;
 					break;
 				case FILE_OPADD:
-					offset = (int32_t)((p->hl[1]<<24)|
-							 (p->hl[0]<<16)|
-							 (p->hl[3]<<8)|
-							 (p->hl[2])) +
-						 off;
+					offset = lhs + off;
 					break;
 				case FILE_OPMINUS:
-					offset = (int32_t)((p->hl[1]<<24)|
-							 (p->hl[0]<<16)|
-							 (p->hl[3]<<8)|
-							 (p->hl[2])) -
-						 off;
+					offset = lhs - off;
 					break;
 				case FILE_OPMULTIPLY:
-					offset = (int32_t)((p->hl[1]<<24)|
-							 (p->hl[0]<<16)|
-							 (p->hl[3]<<8)|
-							 (p->hl[2])) *
-						 off;
+					offset = lhs * off;
 					break;
 				case FILE_OPDIVIDE:
-					offset = (int32_t)((p->hl[1]<<24)|
-							 (p->hl[0]<<16)|
-							 (p->hl[3]<<8)|
-							 (p->hl[2])) /
-						 off;
+					offset = lhs / off;
 					break;
 				case FILE_OPMODULO:
-					offset = (int32_t)((p->hl[1]<<24)|
-							 (p->hl[0]<<16)|
-							 (p->hl[3]<<8)|
-							 (p->hl[2])) %
-						 off;
+					offset = lhs % off;
 					break;
 				}
 			} else
-				offset = (int32_t)((p->hl[1]<<24)|
-						 (p->hl[0]<<16)|
-						 (p->hl[3]<<8)|
-						 (p->hl[2]));
+				offset = lhs;
 			if (m->in_op & FILE_OPINVERSE)
 				offset = ~offset;
 			break;
 		case FILE_LONG:
-			if (nbytes < (offset + 4))
+			if (OFFSET_OOB(nbytes, offset, 4))
 				return 0;
 			if (off) {
 				switch (m->in_op & FILE_OPS_MASK) {
@@ -1570,14 +1441,14 @@ mget(struct magic_set *ms, const unsigned char *s,
 	/* Verify we have enough data to match magic type */
 	switch (m->type) {
 	case FILE_BYTE:
-		if (nbytes < (offset + 1)) /* should alway be true */
+		if (OFFSET_OOB(nbytes, offset, 1))
 			return 0;
 		break;
 
 	case FILE_SHORT:
 	case FILE_BESHORT:
 	case FILE_LESHORT:
-		if (nbytes < (offset + 2))
+		if (OFFSET_OOB(nbytes, offset, 2))
 			return 0;
 		break;
 
@@ -1596,26 +1467,26 @@ mget(struct magic_set *ms, const unsigned char *s,
 	case FILE_FLOAT:
 	case FILE_BEFLOAT:
 	case FILE_LEFLOAT:
-		if (nbytes < (offset + 4))
+		if (OFFSET_OOB(nbytes, offset, 4))
 			return 0;
 		break;
 
 	case FILE_DOUBLE:
 	case FILE_BEDOUBLE:
 	case FILE_LEDOUBLE:
-		if (nbytes < (offset + 8))
+		if (OFFSET_OOB(nbytes, offset, 8))
 			return 0;
 		break;
 
 	case FILE_STRING:
 	case FILE_PSTRING:
 	case FILE_SEARCH:
-		if (nbytes < (offset + m->vallen))
+		if (OFFSET_OOB(nbytes, offset, m->vallen))
 			return 0;
 		break;
 
 	case FILE_REGEX:
-		if (nbytes < offset)
+		if (nbytes < offset)
 			return 0;
 		break;
 
@@ -1623,7 +1494,7 @@ mget(struct magic_set *ms, const unsigned char *s,
 	  	if ((ms->flags & (MAGIC_MIME|MAGIC_APPLE)) == 0 &&
 		    file_printf(ms, m->desc) == -1)
 			return -1;
-		if (nbytes < offset)
+		if (nbytes < offset)
 			return 0;
 		return file_softmagic(ms, s + offset, nbytes - offset,
 		    BINTEST);
Commit	Line	Data
6e15a154 ER	1	diff --git a/src/softmagic.c b/src/softmagic.c
	2	index 1f02fec..58a1cf7 100644
	3	--- a/ext/fileinfo/libmagic/softmagic.c
	4	+++ b/ext/fileinfo/libmagic/softmagic.c
	5	@@ -87,6 +87,7 @@ private void cvt_16(union VALUETYPE , const struct magic );
	6	private void cvt_32(union VALUETYPE , const struct magic );
	7	private void cvt_64(union VALUETYPE , const struct magic );
	8
	9	+#define OFFSET_OOB(n, o, i) ((n) < (o) \|\| (i) > ((n) - (o)))
	10	/*
	11	* softmagic - lookup one file in parsed, in-memory copy of database
	12	* Passed the name and FILE * of one file to be typed.
	13	@@ -1065,6 +1066,7 @@ mget(struct magic_set ms, const unsigned char s,
	14	{
	15	uint32_t offset = ms->offset;
	16	uint32_t count = m->str_range;
	17	+ uint32_t lhs;
	18	union VALUETYPE *p = &ms->ms_value;
	19
	20	if (mcopy(ms, p, m->type, m->flag & INDIR, s, offset, nbytes, count) == -1)
	21	@@ -1116,7 +1118,7 @@ mget(struct magic_set ms, const unsigned char s,
	22	}
	23	switch (m->in_type) {
	24	case FILE_BYTE:
	25	- if (nbytes < (offset + 1))
	26	+ if (OFFSET_OOB(nbytes, offset, 1))
	27	return 0;
	28	if (off) {
	29	switch (m->in_op & FILE_OPS_MASK) {
	30	@@ -1151,111 +1153,79 @@ mget(struct magic_set ms, const unsigned char s,
	31	offset = ~offset;
	32	break;
	33	case FILE_BESHORT:
	34	- if (nbytes < (offset + 2))
	35	+ if (OFFSET_OOB(nbytes, offset, 2))
	36	return 0;
	37	+ lhs = (p->hs[0] << 8) \| p->hs[1];
	38	if (off) {
	39	switch (m->in_op & FILE_OPS_MASK) {
	40	case FILE_OPAND:
	41	- offset = (short)((p->hs[0]<<8)\|
	42	- (p->hs[1])) &
	43	- off;
	44	+ offset = lhs & off;
	45	break;
	46	case FILE_OPOR:
	47	- offset = (short)((p->hs[0]<<8)\|
	48	- (p->hs[1])) \|
	49	- off;
	50	+ offset = lhs \| off;
	51	break;
	52	case FILE_OPXOR:
	53	- offset = (short)((p->hs[0]<<8)\|
	54	- (p->hs[1])) ^
	55	- off;
	56	+ offset = lhs ^ off;
	57	break;
	58	case FILE_OPADD:
	59	- offset = (short)((p->hs[0]<<8)\|
	60	- (p->hs[1])) +
	61	- off;
	62	+ offset = lhs + off;
	63	break;
	64	case FILE_OPMINUS:
65	- offset = (short)((p->hs[0]<<8)\|
66	- (p->hs[1])) -
67	- off;
68	+ offset = lhs - off;
69	break;
70	case FILE_OPMULTIPLY:
71	- offset = (short)((p->hs[0]<<8)\|
72	- (p->hs[1])) *
73	- off;
74	+ offset = lhs * off;
75	break;
76	case FILE_OPDIVIDE:
77	- offset = (short)((p->hs[0]<<8)\|
78	- (p->hs[1])) /
79	- off;
80	+ offset = lhs / off;
81	break;
82	case FILE_OPMODULO:
83	- offset = (short)((p->hs[0]<<8)\|
84	- (p->hs[1])) %
85	- off;
86	+ offset = lhs % off;
87	break;
88	}
89	} else
90	- offset = (short)((p->hs[0]<<8)\|
91	- (p->hs[1]));
92	+ offset = lhs;
93	if (m->in_op & FILE_OPINVERSE)
94	offset = ~offset;
95	break;
96	case FILE_LESHORT:
97	- if (nbytes < (offset + 2))
98	+ if (OFFSET_OOB(nbytes, offset, 2))
99	return 0;
100	+ lhs = (p->hs[1] << 8) \| p->hs[0];
101	if (off) {
102	switch (m->in_op & FILE_OPS_MASK) {
103	case FILE_OPAND:
104	- offset = (short)((p->hs[1]<<8)\|
105	- (p->hs[0])) &
106	- off;
107	+ offset = lhs & off;
108	break;
109	case FILE_OPOR:
110	- offset = (short)((p->hs[1]<<8)\|
111	- (p->hs[0])) \|
112	- off;
113	+ offset = lhs \| off;
114	break;
115	case FILE_OPXOR:
116	- offset = (short)((p->hs[1]<<8)\|
117	- (p->hs[0])) ^
118	- off;
119	+ offset = lhs ^ off;
120	break;
121	case FILE_OPADD:
122	- offset = (short)((p->hs[1]<<8)\|
123	- (p->hs[0])) +
124	- off;
125	+ offset = lhs + off;
126	break;
127	case FILE_OPMINUS:
128	- offset = (short)((p->hs[1]<<8)\|
129	- (p->hs[0])) -
130	- off;
131	+ offset = lhs - off;
132	break;
133	case FILE_OPMULTIPLY:
134	- offset = (short)((p->hs[1]<<8)\|
135	- (p->hs[0])) *
136	- off;
137	+ offset = lhs * off;
138	break;
139	case FILE_OPDIVIDE:
140	- offset = (short)((p->hs[1]<<8)\|
141	- (p->hs[0])) /
142	- off;
143	+ offset = lhs / off;
144	break;
145	case FILE_OPMODULO:
146	- offset = (short)((p->hs[1]<<8)\|
147	- (p->hs[0])) %
148	- off;
149	+ offset = lhs % off;
150	break;
151	}
152	} else
153	- offset = (short)((p->hs[1]<<8)\|
154	- (p->hs[0]));
155	+ offset = lhs;
156	if (m->in_op & FILE_OPINVERSE)
157	offset = ~offset;
158	break;
159	case FILE_SHORT:
160	- if (nbytes < (offset + 2))
161	+ if (OFFSET_OOB(nbytes, offset, 2))
162	return 0;
163	if (off) {
164	switch (m->in_op & FILE_OPS_MASK) {
165	@@ -1292,218 +1262,119 @@ mget(struct magic_set ms, const unsigned char s,
166	break;
167	case FILE_BELONG:
168	case FILE_BEID3:
169	- if (nbytes < (offset + 4))
170	+ if (OFFSET_OOB(nbytes, offset, 4))
171	return 0;
172	+ lhs = (p->hl[0] << 24) \| (p->hl[1] << 16) \|
173	+ (p->hl[2] << 8) \| p->hl[3];
174	if (off) {
175	switch (m->in_op & FILE_OPS_MASK) {
176	case FILE_OPAND:
177	- offset = (int32_t)((p->hl[0]<<24)\|
178	- (p->hl[1]<<16)\|
179	- (p->hl[2]<<8)\|
180	- (p->hl[3])) &
181	- off;
182	+ offset = lhs & off;
183	break;
184	case FILE_OPOR:
185	- offset = (int32_t)((p->hl[0]<<24)\|
186	- (p->hl[1]<<16)\|
187	- (p->hl[2]<<8)\|
188	- (p->hl[3])) \|
189	- off;
190	+ offset = lhs \| off;
191	break;
192	case FILE_OPXOR:
193	- offset = (int32_t)((p->hl[0]<<24)\|
194	- (p->hl[1]<<16)\|
195	- (p->hl[2]<<8)\|
196	- (p->hl[3])) ^
197	- off;
198	+ offset = lhs ^ off;
199	break;
200	case FILE_OPADD:
201	- offset = (int32_t)((p->hl[0]<<24)\|
202	- (p->hl[1]<<16)\|
203	- (p->hl[2]<<8)\|
204	- (p->hl[3])) +
205	- off;
206	+ offset = lhs + off;
207	break;
208	case FILE_OPMINUS:
209	- offset = (int32_t)((p->hl[0]<<24)\|
210	- (p->hl[1]<<16)\|
211	- (p->hl[2]<<8)\|
212	- (p->hl[3])) -
213	- off;
214	+ offset = lhs - off;
215	break;
216	case FILE_OPMULTIPLY:
217	- offset = (int32_t)((p->hl[0]<<24)\|
218	- (p->hl[1]<<16)\|
219	- (p->hl[2]<<8)\|
220	- (p->hl[3])) *
221	- off;
222	+ offset = lhs * off;
223	break;
224	case FILE_OPDIVIDE:
225	- offset = (int32_t)((p->hl[0]<<24)\|
226	- (p->hl[1]<<16)\|
227	- (p->hl[2]<<8)\|
228	- (p->hl[3])) /
229	- off;
230	+ offset = lhs / off;
231	break;
232	case FILE_OPMODULO:
233	- offset = (int32_t)((p->hl[0]<<24)\|
234	- (p->hl[1]<<16)\|
235	- (p->hl[2]<<8)\|
236	- (p->hl[3])) %
237	- off;
238	+ offset = lhs % off;
239	break;
240	}
241	} else
242	- offset = (int32_t)((p->hl[0]<<24)\|
243	- (p->hl[1]<<16)\|
244	- (p->hl[2]<<8)\|
245	- (p->hl[3]));
246	+ offset = lhs;
247	if (m->in_op & FILE_OPINVERSE)
248	offset = ~offset;
249	break;
250	case FILE_LELONG:
251	case FILE_LEID3:
252	- if (nbytes < (offset + 4))
253	+ if (OFFSET_OOB(nbytes, offset, 4))
254	return 0;
255	+ lhs = (p->hl[3] << 24) \| (p->hl[2] << 16) \|
256	+ (p->hl[1] << 8) \| p->hl[0];
257	if (off) {
258	switch (m->in_op & FILE_OPS_MASK) {
259	case FILE_OPAND:
260	- offset = (int32_t)((p->hl[3]<<24)\|
261	- (p->hl[2]<<16)\|
262	- (p->hl[1]<<8)\|
263	- (p->hl[0])) &
264	- off;
265	+ offset = lhs & off;
266	break;
267	case FILE_OPOR:
268	- offset = (int32_t)((p->hl[3]<<24)\|
269	- (p->hl[2]<<16)\|
270	- (p->hl[1]<<8)\|
271	- (p->hl[0])) \|
272	- off;
273	+ offset = lhs \| off;
274	break;
275	case FILE_OPXOR:
276	- offset = (int32_t)((p->hl[3]<<24)\|
277	- (p->hl[2]<<16)\|
278	- (p->hl[1]<<8)\|
279	- (p->hl[0])) ^
280	- off;
281	+ offset = lhs ^ off;
282	break;
283	case FILE_OPADD:
284	- offset = (int32_t)((p->hl[3]<<24)\|
285	- (p->hl[2]<<16)\|
286	- (p->hl[1]<<8)\|
287	- (p->hl[0])) +
288	- off;
289	+ offset = lhs + off;
290	break;
291	case FILE_OPMINUS:
292	- offset = (int32_t)((p->hl[3]<<24)\|
293	- (p->hl[2]<<16)\|
294	- (p->hl[1]<<8)\|
295	- (p->hl[0])) -
296	- off;
297	+ offset = lhs - off;
298	break;
299	case FILE_OPMULTIPLY:
300	- offset = (int32_t)((p->hl[3]<<24)\|
301	- (p->hl[2]<<16)\|
302	- (p->hl[1]<<8)\|
303	- (p->hl[0])) *
304	- off;
305	+ offset = lhs * off;
306	break;
307	case FILE_OPDIVIDE:
308	- offset = (int32_t)((p->hl[3]<<24)\|
309	- (p->hl[2]<<16)\|
310	- (p->hl[1]<<8)\|
311	- (p->hl[0])) /
312	- off;
313	+ offset = lhs / off;
314	break;
315	case FILE_OPMODULO:
316	- offset = (int32_t)((p->hl[3]<<24)\|
317	- (p->hl[2]<<16)\|
318	- (p->hl[1]<<8)\|
319	- (p->hl[0])) %
320	- off;
321	+ offset = lhs % off;
322	break;
323	}
324	} else
325	- offset = (int32_t)((p->hl[3]<<24)\|
326	- (p->hl[2]<<16)\|
327	- (p->hl[1]<<8)\|
328	- (p->hl[0]));
329	+ offset = lhs;
330	if (m->in_op & FILE_OPINVERSE)
331	offset = ~offset;
332	break;
333	case FILE_MELONG:
334	- if (nbytes < (offset + 4))
335	+ if (OFFSET_OOB(nbytes, offset, 4))
336	return 0;
337	+ lhs = (p->hl[1] << 24) \| (p->hl[0] << 16) \|
338	+ (p->hl[3] << 8) \| p->hl[2];
339	if (off) {
340	switch (m->in_op & FILE_OPS_MASK) {
341	case FILE_OPAND:
342	- offset = (int32_t)((p->hl[1]<<24)\|
343	- (p->hl[0]<<16)\|
344	- (p->hl[3]<<8)\|
345	- (p->hl[2])) &
346	- off;
347	+ offset = lhs & off;
348	break;
349	case FILE_OPOR:
350	- offset = (int32_t)((p->hl[1]<<24)\|
351	- (p->hl[0]<<16)\|
352	- (p->hl[3]<<8)\|
353	- (p->hl[2])) \|
354	- off;
355	+ offset = lhs \| off;
356	break;
357	case FILE_OPXOR:
358	- offset = (int32_t)((p->hl[1]<<24)\|
359	- (p->hl[0]<<16)\|
360	- (p->hl[3]<<8)\|
361	- (p->hl[2])) ^
362	- off;
363	+ offset = lhs ^ off;
364	break;
365	case FILE_OPADD:
366	- offset = (int32_t)((p->hl[1]<<24)\|
367	- (p->hl[0]<<16)\|
368	- (p->hl[3]<<8)\|
369	- (p->hl[2])) +
370	- off;
371	+ offset = lhs + off;
372	break;
373	case FILE_OPMINUS:
374	- offset = (int32_t)((p->hl[1]<<24)\|
375	- (p->hl[0]<<16)\|
376	- (p->hl[3]<<8)\|
377	- (p->hl[2])) -
378	- off;
379	+ offset = lhs - off;
380	break;
381	case FILE_OPMULTIPLY:
382	- offset = (int32_t)((p->hl[1]<<24)\|
383	- (p->hl[0]<<16)\|
384	- (p->hl[3]<<8)\|
385	- (p->hl[2])) *
386	- off;
387	+ offset = lhs * off;
388	break;
389	case FILE_OPDIVIDE:
390	- offset = (int32_t)((p->hl[1]<<24)\|
391	- (p->hl[0]<<16)\|
392	- (p->hl[3]<<8)\|
393	- (p->hl[2])) /
394	- off;
395	+ offset = lhs / off;
396	break;
397	case FILE_OPMODULO:
398	- offset = (int32_t)((p->hl[1]<<24)\|
399	- (p->hl[0]<<16)\|
400	- (p->hl[3]<<8)\|
401	- (p->hl[2])) %
402	- off;
403	+ offset = lhs % off;
404	break;
405	}
406	} else
407	- offset = (int32_t)((p->hl[1]<<24)\|
408	- (p->hl[0]<<16)\|
409	- (p->hl[3]<<8)\|
410	- (p->hl[2]));
411	+ offset = lhs;
412	if (m->in_op & FILE_OPINVERSE)
413	offset = ~offset;
414	break;
415	case FILE_LONG:
416	- if (nbytes < (offset + 4))
417	+ if (OFFSET_OOB(nbytes, offset, 4))
418	return 0;
419	if (off) {
420	switch (m->in_op & FILE_OPS_MASK) {
421	@@ -1570,14 +1441,14 @@ mget(struct magic_set ms, const unsigned char s,
422	/* Verify we have enough data to match magic type */
423	switch (m->type) {
424	case FILE_BYTE:
425	- if (nbytes < (offset + 1)) /* should alway be true */
426	+ if (OFFSET_OOB(nbytes, offset, 1))
427	return 0;
428	break;
429
430	case FILE_SHORT:
431	case FILE_BESHORT:
432	case FILE_LESHORT:
433	- if (nbytes < (offset + 2))
434	+ if (OFFSET_OOB(nbytes, offset, 2))
435	return 0;
436	break;
437
438	@@ -1596,26 +1467,26 @@ mget(struct magic_set ms, const unsigned char s,
439	case FILE_FLOAT:
440	case FILE_BEFLOAT:
441	case FILE_LEFLOAT:
442	- if (nbytes < (offset + 4))
443	+ if (OFFSET_OOB(nbytes, offset, 4))
444	return 0;
445	break;
446
447	case FILE_DOUBLE:
448	case FILE_BEDOUBLE:
449	case FILE_LEDOUBLE:
450	- if (nbytes < (offset + 8))
451	+ if (OFFSET_OOB(nbytes, offset, 8))
452	return 0;
453	break;
454
455	case FILE_STRING:
456	case FILE_PSTRING:
457	case FILE_SEARCH:
458	- if (nbytes < (offset + m->vallen))
459	+ if (OFFSET_OOB(nbytes, offset, m->vallen))
460	return 0;
461	break;
462
463	case FILE_REGEX:
464	- if (nbytes < offset)
465	+ if (nbytes < offset)
466	return 0;
467	break;
468
469	@@ -1623,7 +1494,7 @@ mget(struct magic_set ms, const unsigned char s,
470	if ((ms->flags & (MAGIC_MIME\|MAGIC_APPLE)) == 0 &&
471	file_printf(ms, m->desc) == -1)
472	return -1;
473	- if (nbytes < offset)
474	+ if (nbytes < offset)
475	return 0;
476	return file_softmagic(ms, s + offset, nbytes - offset,
477	BINTEST);