Diffstat (limited to 'bug71527.patch')
-rw-r--r--bug71527.patch64
1 files changed, 64 insertions, 0 deletions
diff --git a/bug71527.patch b/bug71527.patch
new file mode 100644
index 0000000..45ba6b6
--- /dev/null
+++ b/bug71527.patch
@@ -0,0 +1,64 @@
+Backported from 5.5 for 5.4 by Remi Collet
+
+From fe13566c93f118a15a96320a546c7878fd0cfc5e Mon Sep 17 00:00:00 2001
+From: Anatol Belski <ab@php.net>
+Date: Mon, 28 Mar 2016 00:45:19 +0200
+Subject: [PATCH] Fixed bug #71527 Buffer over-write in finfo_open with
+ malformed magic file
+
+The actual fix is applying the upstream patch from
+https://github.com/file/file/commit/6713ca45e7757297381f4b4cdb9cf5e624a9ad36
+---
+ ext/fileinfo/libmagic/funcs.c | 2 +-
+ ext/fileinfo/tests/bug71527.magic | 1 +
+ ext/fileinfo/tests/bug71527.phpt | 19 +++++++++++++++++++
+ 3 files changed, 21 insertions(+), 1 deletion(-)
+ create mode 100644 ext/fileinfo/tests/bug71527.magic
+ create mode 100644 ext/fileinfo/tests/bug71527.phpt
+
+diff --git a/ext/fileinfo/libmagic/funcs.c b/ext/fileinfo/libmagic/funcs.c
+index 011ca42..def2f7b 100644
+--- a/ext/fileinfo/libmagic/funcs.c
++++ b/ext/fileinfo/libmagic/funcs.c
+@@ -414,7 +414,7 @@ file_check_mem(struct magic_set *ms, unsigned int level)
+ size_t len;
+
+ if (level >= ms->c.len) {
+- len = (ms->c.len += 20) * sizeof(*ms->c.li);
++ len = (ms->c.len += 20 + level) * sizeof(*ms->c.li);
+ ms->c.li = CAST(struct level_info *, (ms->c.li == NULL) ?
+ emalloc(len) :
+ erealloc(ms->c.li, len));
+diff --git a/ext/fileinfo/tests/bug71527.magic b/ext/fileinfo/tests/bug71527.magic
+new file mode 100644
+index 0000000..14d7781
+--- /dev/null
++++ b/ext/fileinfo/tests/bug71527.magic
+@@ -0,0 +1 @@
++>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
+\ No newline at end of file
+diff --git a/ext/fileinfo/tests/bug71527.phpt b/ext/fileinfo/tests/bug71527.phpt
+new file mode 100644
+index 0000000..f5b1d86
+--- /dev/null
++++ b/ext/fileinfo/tests/bug71527.phpt
+@@ -0,0 +1,19 @@
++--TEST--
++Bug #71527 Buffer over-write in finfo_open with malformed magic file
++--SKIPIF--
++<?php
++if (!class_exists('finfo'))
++ die('skip no fileinfo extension');
++--ENV--
++USE_ZEND_ALLOC=0
++--FILE--
++<?php
++ $finfo = finfo_open(FILEINFO_NONE, dirname(__FILE__) . DIRECTORY_SEPARATOR . "bug71527.magic");
++ $info = finfo_file($finfo, __FILE__);
++ var_dump($info);
++?>
++--EXPECTF--
++Warning: finfo_open(): Failed to load magic database at '%sbug71527.magic'. in %sbug71527.php on line %d
++
++Warning: finfo_file() expects parameter 1 to be resource, boolean given in %sbug71527.php on line %d
++bool(false)
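Review bot: The corrected growth line in the funcs.c hunk, `len = (ms->c.len += 20 + level) * sizeof(*ms->c.li);`, makes the array cover index `level`, but the byte count is still an unchecked multiplication and nothing records why `level` is added. `level` appears to follow the nesting depth of a magic-file entry (the test file is a single run of `>`), so it is influenced by whoever supplies the magic file. I would add a comment such as `/* grow past level: one entry can nest more than 20 levels deeper than the current size (bug #71527) */` and consider PHP's overflow-checked `safe_erealloc(ms->c.li, ms->c.len, sizeof(*ms->c.li), 0)` for the allocation. The body of file_check_mem continues outside the hunk, so the later write through `ms->c.li` is not visible here. The phpt matches only the two warnings, so the overwrite itself is presumably caught only when the test runs under a memory checker, which is what `USE_ZEND_ALLOC=0` hints at.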