file/debian/patches/CVE-2014-0207.patch

made apply cleanly based on, removed all modifications to src/readcdf.c (for CVE-2012-1571) as the problematic code was introduced later.

commit 6d209c1c489457397a5763bca4b28e43aac90391
Author: Christos Zoulas <christos@zoulas.com>
Date:   Mon May 5 16:11:21 2014 +0000

    Apply patches from file-CVE-2012-1571.patch
    From Francisco Alonso Espejo:
        file < 5.18/git version can be made to crash when checking some
        corrupt CDF files (Using an invalid cdf_read_short_sector size)
        The problem I found here, is that in most situations (if
        h_short_sec_size_p2 > 8) because the blocksize is 512 and normal
        values are 06 which means reading 64 bytes.As long as the check
        for the block size copy is not checked properly (there's an assert
        that makes wrong/invalid assumptions)

diff --git a/src/cdf.c b/src/cdf.c
index 2573a5f..f7c46ae 100644
--- a/src/cdf.c
+++ b/src/cdf.c
@@ -355,10 +355,10 @@ cdf_read_short_sector(const cdf_stream_t *sst, void *buf, size_t offs,
 	size_t ss = CDF_SHORT_SEC_SIZE(h);
 	size_t pos = CDF_SHORT_SEC_POS(h, id);
 	assert(ss == len);
-	if (pos > CDF_SEC_SIZE(h) * sst->sst_len) {
+	if (pos + len > CDF_SEC_SIZE(h) * sst->sst_len) {
 		DPRINTF(("Out of bounds read %" SIZE_T_FORMAT "u > %"
 		    SIZE_T_FORMAT "u\n",
-		    pos, CDF_SEC_SIZE(h) * sst->sst_len));
+		    pos + len, CDF_SEC_SIZE(h) * sst->sst_len));
 		return -1;
 	}
 	(void)memcpy(((char *)buf) + offs,