authorRemi Collet <remi@php.net>2014-03-31 16:50:47 +0200
committerRemi Collet <remi@php.net>2014-03-31 16:50:47 +0200
commit2c204a55af9b903b3db48dd5a75d492dbf1b387d (patch)
treea96ad2d8a4719998781e55d8486175dc5cdca4ae
parent1283722589a8cccd6c49aa9d9c78edeec43f094e (diff)
downloadphp-git-2c204a55af9b903b3db48dd5a75d492dbf1b387d.tar.gz
Fixed Bug #66987 Memory corruption in fileinfo ext (bigendian)
On little endian: when map->p == php_magic_database, map->magic[i] is a pointer into the map; when map->p == NULL, map->magic[i] is a pointer to allocated memory. On big endian (ppc64, s390x, ...): map->p != php_magic_database and map->p != NULL, and map->magic[i] is a pointer into a copy of the map. Trying to efree the pointers in the latter case causes memory corruption. Thanks to dkatulek / Red Hat for the report.
-rw-r--r--ext/fileinfo/libmagic/apprentice.c14
1 files changed, 8 insertions, 6 deletions
diff --git a/ext/fileinfo/libmagic/apprentice.c b/ext/fileinfo/libmagic/apprentice.c
index 11920e6589..fd82564bff 100644
--- a/ext/fileinfo/libmagic/apprentice.c
+++ b/ext/fileinfo/libmagic/apprentice.c
@@ -493,12 +493,14 @@ apprentice_unmap(struct magic_map *map)
if (map == NULL)
return;
if (map->p != php_magic_database) {
- int j;
- for (j = 0; j < MAGIC_SETS; j++) {
- if (map->magic[j])
- efree(map->magic[j]);
- }
- if (map->p != NULL) {
+ if (map->p == NULL) {
+ int j;
+ for (j = 0; j < MAGIC_SETS; j++) {
+ if (map->magic[j]) {
+ efree(map->magic[j]);
+ }
+ }
+ } else {
efree(map->p);
}
}
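Review bot: The new `if (map->p == NULL)` test is really an ownership rule for `map->magic[j]`, but the code carries no comment saying so; the rule lives only in the commit message. A later change that sets `map->p` on a path which also allocates the sets separately, or the reverse, would bring back a leak or an invalid `efree` of an interior pointer. I would add above the inner branch: `/* map->p == NULL: each magic[j] is its own allocation; otherwise magic[j] points into map->p (a copy of the database) and only map->p may be efree'd */`. The body of apprentice_unmap starts and ends outside this hunk, so whether `map` itself is released afterwards, which would make clearing the freed pointers unnecessary, cannot be confirmed from here.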