File: CVE-2014-0238.patch

php5 5.3.3.1-7+squeeze29
  • area: main
  • in suites: squeeze-lts
  • size: 123,520 kB
  • ctags: 55,742
  • sloc: ansic: 633,963; php: 19,620; sh: 11,344; xml: 5,816; cpp: 2,400; yacc: 1,745; exp: 1,514; makefile: 1,019; pascal: 623; awk: 537; sql: 22
    Author: Janek Walkenhorst <walkenhorst@univention.de>

    CVE-2014-0238.patch

    CVE-2014-0207: Prevent 0 element vectors and vectors longer than the number
    of properties from accessing random memory.

Index: php5-5.3.3/ext/fileinfo/libmagic/cdf.c
===================================================================
--- php5-5.3.3.orig/ext/fileinfo/libmagic/cdf.c	2015-01-21 08:48:18.000000000 +0100
+++ php5-5.3.3/ext/fileinfo/libmagic/cdf.c	2015-01-21 08:50:08.000000000 +0100
@@ -769,6 +769,10 @@
 		    inp[i].pi_type, (const char *)q - (const char *)p));
 		if (inp[i].pi_type & CDF_VECTOR) {
 			nelements = CDF_TOLE4(q[1]);
+			if (nelements == 0) {
+				DPRINTF(("CDF_VECTOR with nelements == 0\n"));
+				goto out;
+			}
 			o = 2;
 		} else {
 			nelements = 1;
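
Review bot: The new `if (nelements == 0)` check rejects only the empty vector, so a very large count read from `q[1]` still passes this point and relies entirely on the loop bound added in the next hunk. A short comment here saying why a zero-element vector must abort the parse via `goto out`, rather than being treated as an empty property, would make the intent reviewable, since the hunk itself does not show what goes wrong further down. Separately, the patch description cites CVE-2014-0207 while the file is named CVE-2014-0238; the header should state which identifier this change addresses.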
@@ -824,7 +828,9 @@
 				inp = *info + nelem;
 			}
 			DPRINTF(("nelements = %d\n", nelements));
-			for (j = 0; j < nelements; j++, i++) {
+			for (j = 0; j < nelements && i < sh.sh_properties;
+			    j++, i++)
+			{
 				uint32_t l = CDF_TOLE4(q[o]);
 				inp[i].pi_str.s_len = l;
 				inp[i].pi_str.s_buf = (const char *)(&q[o+1]);
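
Review bot: The added `i < sh.sh_properties` condition ends the loop silently when a vector claims more elements than there are properties, whereas the zero-element case in the previous hunk logs through DPRINTF and jumps to `out`. A count that exceeds the property table indicates a malformed file just as much, so consider handling it the same way (log and `goto out`) instead of returning a partially filled result, or at least add a DPRINTF so the truncation is visible when debugging. The condition bounds the index into `inp` only; the reads through `q[o]` and `&q[o+1]` in the loop body are not constrained by anything in these lines, so it is worth confirming that the code following this hunk checks them against the end of the section.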