1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
|
diff --git a/ext/fileinfo/libmagic/softmagic.c b/ext/fileinfo/libmagic/softmagic.c
index 7e0c856..e7b7855 100644
--- a/ext/fileinfo/libmagic/softmagic.c
+++ b/ext/fileinfo/libmagic/softmagic.c
@@ -884,14 +884,17 @@ mconvert(struct magic_set *ms, struct magic *m, int flip)
size_t sz = file_pstring_length_size(m);
char *ptr1 = p->s, *ptr2 = ptr1 + sz;
size_t len = file_pstring_get_length(m, ptr1);
- if (len >= sizeof(p->s)) {
+ sz = sizeof(p->s) - sz; /* maximum length of string */
+ if (len >= sz) {
/*
* The size of the pascal string length (sz)
* is 1, 2, or 4. We need at least 1 byte for NUL
* termination, but we've already truncated the
* string by p->s, so we need to deduct sz.
+ * Because we can use one of the bytes of the length
+ * after we shifted as NUL termination.
*/
- len = sizeof(p->s) - sz;
+ len = sz;
}
while (len--)
*ptr1++ = *ptr2++;
--- /dev/null Sat Jan 3 19:01:50 2015
+++ a/ext/fileinfo/tests/bug68735.phpt Sat Jan 3 18:57:32 2015
@@ -0,0 +1,16 @@
+--TEST--
+Bug #68735 fileinfo out-of-bounds memory access
+--SKIPIF--
+<?php require_once(dirname(__FILE__) . '/skipif.inc'); ?>
+--FILE--
+<?php
+ $test_file = dirname(__FILE__) . DIRECTORY_SEPARATOR . "bug68735.jpg";
+ $f = new finfo;
+
+ var_dump($f->file($test_file));
+
+?>
+===DONE===
+--EXPECTF--
+string(%d) "JPEG image data, JFIF standard 1.01, comment: "%S""
+===DONE===
|
