Author: Janek Walkenhorst <walkenhorst@univention.de>

    CVE-2014-0237.patch

    Remove loop that kept reading the same offset (Jan Kaluza)

Index: php5-5.3.3/ext/fileinfo/libmagic/cdf.c
===================================================================
--- php5-5.3.3.orig/ext/fileinfo/libmagic/cdf.c	2015-01-21 08:50:19.000000000 +0100
+++ php5-5.3.3/ext/fileinfo/libmagic/cdf.c	2015-01-21 08:50:19.000000000 +0100
@@ -869,7 +869,7 @@
 cdf_unpack_summary_info(const cdf_stream_t *sst, cdf_summary_info_header_t *ssi,
     cdf_property_info_t **info, size_t *count)
 {
-	size_t i, maxcount;
+	size_t maxcount;
 	const cdf_summary_info_header_t *si = sst->sst_tab;
 	const cdf_section_declaration_t *sd = (const void *)
 	    ((const char *)sst->sst_tab + CDF_SECTION_DECLARATION_OFFSET);
@@ -882,20 +882,13 @@
 	ssi->si_os = CDF_TOLE2(si->si_os);
 	ssi->si_class = si->si_class;
 	cdf_swap_class(&ssi->si_class);
-	ssi->si_count = CDF_TOLE2(si->si_count);
+	ssi->si_count = CDF_TOLE4(si->si_count);
 	*count = 0;
 	maxcount = 0;
 	*info = NULL;
-	for (i = 0; i < CDF_TOLE4(si->si_count); i++) {
-		if (i >= CDF_LOOP_LIMIT) {
-			DPRINTF(("Unpack summary info loop limit"));
-			errno = EFTYPE;
-			return -1;
-		}
-		if (cdf_read_property_info(sst, CDF_TOLE4(sd->sd_offset),
-		    info, count, &maxcount) == -1)
-			return -1;
-	}
+	if (cdf_read_property_info(sst, CDF_TOLE4(sd->sd_offset), info,
+	    count, &maxcount) == -1)
+		return -1;
 	return 0;
 }