| -rw-r--r-- | NEWS | 7 | ||||
| -rw-r--r-- | ext/fileinfo/libmagic/softmagic.c | 7 | ||||
| -rw-r--r-- | ext/fileinfo/tests/bug68735.jpg | bin | 0 -> 24 bytes | |||
| -rw-r--r-- | ext/fileinfo/tests/bug68735.phpt | 16 | 
4 files changed, 28 insertions, 2 deletions
| @@ -4,6 +4,13 @@ PHP                                                                        NEWS  - CGI:    . Fix bug #68618 (out of bounds read crashes php-cgi). (Stas) +- Fileinfo: +  . Removed readelf.c and related code from libmagic sources +    (Remi, Anatol) +  . Fixed bug #68735 (fileinfo out-of-bounds memory access). +    (Anatol) + +  18 Dec 2014 PHP 5.4.36  - Core:
diff --git a/ext/fileinfo/libmagic/softmagic.c b/ext/fileinfo/libmagic/softmagic.c
index 7e0c8560e3..e7b7855eef 100644
--- a/ext/fileinfo/libmagic/softmagic.c
+++ b/ext/fileinfo/libmagic/softmagic.c
@@ -884,14 +884,17 @@ mconvert(struct magic_set *ms, struct magic *m, int flip)
 		size_t sz = file_pstring_length_size(m);
 		char *ptr1 = p->s, *ptr2 = ptr1 + sz;
 		size_t len = file_pstring_get_length(m, ptr1);
-		if (len >= sizeof(p->s)) {
+		sz = sizeof(p->s) - sz; /* maximum length of string */
+		if (len >= sz) {
 			/*
 			 * The size of the pascal string length (sz)
 			 * is 1, 2, or 4. We need at least 1 byte for NUL
 			 * termination, but we've already truncated the
 			 * string by p->s, so we need to deduct sz.
+			 * Because we can use one of the bytes of the length
+			 * after we shifted as NUL termination.
 			 */
-			len = sizeof(p->s) - sz;
+			len = sz;
 		}
 		while (len--)
 			*ptr1++ = *ptr2++;
diff --git a/ext/fileinfo/tests/bug68735.jpg b/ext/fileinfo/tests/bug68735.jpg
Binary files differ
new file mode 100644
index 0000000000..633bdb93ed
--- /dev/null
+++ b/ext/fileinfo/tests/bug68735.jpg
diff --git a/ext/fileinfo/tests/bug68735.phpt b/ext/fileinfo/tests/bug68735.phpt
new file mode 100644
index 0000000000..f86109cb8f
--- /dev/null
+++ b/ext/fileinfo/tests/bug68735.phpt
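Review bot: Reassigning `sz` on the first added line of the softmagic.c hunk changes its meaning from the width of the length prefix to the maximum string body length, yet the retained comment below still calls `sz` "the size of the pascal string length" and says the code must "deduct sz", which is not what the surviving statement `len = sz;` does. A separate local keeps the comment true and the bound readable: `size_t maxlen = sizeof(p->s) - sz; /* room left after the length prefix */`, `if (len >= maxlen) {`, `len = maxlen;`. The clamp itself is what keeps `ptr2` inside `p->s` during the copy loop, but the subtraction only stays in range if file_pstring_length_size() returns less than sizeof(p->s) (the comment says 1, 2 or 4), so a comment or assertion stating that assumption on `sz` would help the next reader. The NUL termination after the copy loop and the rest of mconvert are outside the hunk.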
@@ -0,0 +1,16 @@
+--TEST--
+Bug #68735 fileinfo out-of-bounds memory access
+--SKIPIF--
+<?php require_once(dirname(__FILE__) . '/skipif.inc'); ?>
+--FILE--
+<?php
+	$test_file = dirname(__FILE__) . DIRECTORY_SEPARATOR . "bug68735.jpg";
+	$f = new finfo;
+
+	var_dump($f->file($test_file));
+
+?>
+===DONE===
+--EXPECTF--
+string(%d) "JPEG image data, JFIF standard 1.01, comment: "%S""
+===DONE=== | 
