Author: Janek Walkenhorst <walkenhorst@univention.de>

    CVE-2014-0238.patch

    CVE-2014-0207: Prevent 0 element vectors and vectors longer than the number
    of properties from accessing random memory.

Index: php5-5.3.3/ext/fileinfo/libmagic/cdf.c
===================================================================
--- php5-5.3.3.orig/ext/fileinfo/libmagic/cdf.c	2015-01-21 08:48:18.000000000 +0100
+++ php5-5.3.3/ext/fileinfo/libmagic/cdf.c	2015-01-21 08:50:08.000000000 +0100
@@ -769,6 +769,10 @@
 		    inp[i].pi_type, (const char *)q - (const char *)p));
 		if (inp[i].pi_type & CDF_VECTOR) {
 			nelements = CDF_TOLE4(q[1]);
+			if (nelements == 0) {
+				DPRINTF(("CDF_VECTOR with nelements == 0\n"));
+				goto out;
+			}
 			o = 2;
 		} else {
 			nelements = 1;
@@ -824,7 +828,9 @@
 				inp = *info + nelem;
 			}
 			DPRINTF(("nelements = %d\n", nelements));
-			for (j = 0; j < nelements; j++, i++) {
+			for (j = 0; j < nelements && i < sh.sh_properties;
+			    j++, i++)
+			{
 				uint32_t l = CDF_TOLE4(q[o]);
 				inp[i].pi_str.s_len = l;
 				inp[i].pi_str.s_buf = (const char *)(&q[o+1]);