pkgs/raven-rhel6
1
0
Fork 0
Code Issues Pull Requests Wiki Activity
eebc4575bd
raven-rhel6/isp-php54/bug71527.patch
Raven 8e3477b473 first commit
2024-02-21 20:14:44 +06:00

87 lines
3.0 KiB
Diff
Raw Blame History

Backported from 5.5 for 5.4 by Remi Collet
From fe13566c93f118a15a96320a546c7878fd0cfc5e Mon Sep 17 00:00:00 2001
From: Anatol Belski <ab@php.net>
Date: Mon, 28 Mar 2016 00:45:19 +0200
Subject: [PATCH] Fixed bug #71527 Buffer over-write in finfo_open with
malformed magic file
The actual fix is applying the upstream patch from
https://github.com/file/file/commit/6713ca45e7757297381f4b4cdb9cf5e624a9ad36
---
ext/fileinfo/libmagic/funcs.c | 2 +-
ext/fileinfo/tests/bug71527.magic | 1 +
ext/fileinfo/tests/bug71527.phpt | 19 +++++++++++++++++++
3 files changed, 21 insertions(+), 1 deletion(-)
create mode 100644 ext/fileinfo/tests/bug71527.magic
create mode 100644 ext/fileinfo/tests/bug71527.phpt
diff --git a/ext/fileinfo/libmagic/funcs.c b/ext/fileinfo/libmagic/funcs.c
index 011ca42..def2f7b 100644
--- a/ext/fileinfo/libmagic/funcs.c
+++ b/ext/fileinfo/libmagic/funcs.c
@@ -414,7 +414,7 @@ file_check_mem(struct magic_set *ms, unsigned int level)
size_t len;
if (level >= ms->c.len) {
- len = (ms->c.len += 20) * sizeof(*ms->c.li);
+ len = (ms->c.len += 20 + level) * sizeof(*ms->c.li);
ms->c.li = CAST(struct level_info *, (ms->c.li == NULL) ?
emalloc(len) :
erealloc(ms->c.li, len));
diff --git a/ext/fileinfo/tests/bug71527.magic b/ext/fileinfo/tests/bug71527.magic
new file mode 100644
index 0000000..14d7781
--- /dev/null
+++ b/ext/fileinfo/tests/bug71527.magic
@@ -0,0 +1 @@
+>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
\ No newline at end of file
diff --git a/ext/fileinfo/tests/bug71527.phpt b/ext/fileinfo/tests/bug71527.phpt
new file mode 100644
index 0000000..f5b1d86
--- /dev/null
+++ b/ext/fileinfo/tests/bug71527.phpt
@@ -0,0 +1,19 @@
+--TEST--
+Bug #71527 Buffer over-write in finfo_open with malformed magic file
+--SKIPIF--
+<?php
+if (!class_exists('finfo'))
+ die('skip no fileinfo extension');
+--ENV--
+USE_ZEND_ALLOC=0
+--FILE--
+<?php
+ $finfo = finfo_open(FILEINFO_NONE, dirname(__FILE__) . DIRECTORY_SEPARATOR . "bug71527.magic");
+ $info = finfo_file($finfo, __FILE__);
+ var_dump($info);
+?>
+--EXPECTF--
+Warning: finfo_open(): Failed to load magic database at '%sbug71527.magic'. in %sbug71527.php on line %d
+
+Warning: finfo_file() expects parameter 1 to be resource, boolean given in %sbug71527.php on line %d
+bool(false)
From 4b0b1cec00d5c261a5eb4032862da917f93e87b7 Mon Sep 17 00:00:00 2001
From: Anatol Belski <ab@php.net>
Date: Thu, 31 Mar 2016 01:33:38 +0200
Subject: [PATCH] fix borked mainstream patch
---
ext/fileinfo/libmagic/funcs.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/ext/fileinfo/libmagic/funcs.c b/ext/fileinfo/libmagic/funcs.c
index def2f7b..b976ac9 100644
--- a/ext/fileinfo/libmagic/funcs.c
+++ b/ext/fileinfo/libmagic/funcs.c
@@ -414,7 +414,7 @@ file_check_mem(struct magic_set *ms, unsigned int level)
size_t len;
if (level >= ms->c.len) {
- len = (ms->c.len += 20 + level) * sizeof(*ms->c.li);
+ len = (ms->c.len = 20 + level) * sizeof(*ms->c.li);
ms->c.li = CAST(struct level_info *, (ms->c.li == NULL) ?
emalloc(len) :
erealloc(ms->c.li, len));
Reference in New Issue View Git Blame Copy Permalink