From: Remi Collet <remi@php.net>
Date: Wed, 22 Oct 2014 13:37:04 +0000 (+0200)
Subject: Fix bug #68283: fileinfo: out-of-bounds read in elf note headers
X-Git-Tag: php-5.4.35~10
X-Git-Url: http://72.52.91.13:8000/?p=php-src.git;a=commitdiff_plain;h=1803228597e82218a8c105e67975bc50e6f5bf0d

Fix bug #68283: fileinfo: out-of-bounds read in elf note headers

Upstream commit
https://github.com/file/file/commit/39c7ac1106be844a5296d3eb5971946cc09ffda0

CVE -2014-3710
---

Index: php5-5.3.3/ext/fileinfo/libmagic/readelf.c
===================================================================
--- php5-5.3.3.orig/ext/fileinfo/libmagic/readelf.c	2014-11-23 15:43:50.000000000 +0100
+++ php5-5.3.3/ext/fileinfo/libmagic/readelf.c	2014-11-23 15:43:50.000000000 +0100
@@ -375,6 +375,13 @@
 #endif
 	uint32_t namesz, descsz;
 
+	if (xnh_sizeof + offset > size) {
+		/*
+		 * We're out of note headers.
+		 */
+		return xnh_sizeof + offset;
+	}
+
 	(void)memcpy(xnh_addr, &nbuf[offset], xnh_sizeof);
 	offset += xnh_sizeof;