diff options
author | Stanislav Malyshev <stas@php.net> | 2019-10-27 16:30:38 -0700 |
---|---|---|
committer | Stanislav Malyshev <stas@php.net> | 2019-10-27 16:30:38 -0700 |
commit | 469820048df558040f6dec7c39471ad11e2a7cfb (patch) | |
tree | 5fa23c4baba70b4e0666d47c955c9b1d137f8c2d | |
parent | 52f049879a1f29bcef432ac1a1d77c84ebaa6c7b (diff) | |
download | php-git-469820048df558040f6dec7c39471ad11e2a7cfb.tar.gz |
Fix libmagic buffer overflow issue (CVE-2019-18218)
Ported from https://github.com/file/file/commit/46a8443f76cec4b41ec736eca396984c74664f84
-rw-r--r-- | ext/fileinfo/libmagic/cdf.c | 7 | ||||
-rw-r--r-- | ext/fileinfo/libmagic/cdf.h | 1 |
2 files changed, 4 insertions, 4 deletions
diff --git a/ext/fileinfo/libmagic/cdf.c b/ext/fileinfo/libmagic/cdf.c index 28084fbe44..01af1e4eda 100644 --- a/ext/fileinfo/libmagic/cdf.c +++ b/ext/fileinfo/libmagic/cdf.c @@ -872,8 +872,9 @@ cdf_read_property_info(const cdf_stream_t *sst, const cdf_header_t *h, i, inp[i].pi_id, inp[i].pi_type, q - p, offs)); if (inp[i].pi_type & CDF_VECTOR) { nelements = CDF_GETUINT32(q, 1); - if (nelements == 0) { - DPRINTF(("CDF_VECTOR with nelements == 0\n")); + if (nelements > CDF_ELEMENT_LIMIT || nelements == 0) { + DPRINTF(("CDF_VECTOR with nelements == %" + SIZE_T_FORMAT "u\n", nelements)); goto out; } o = 2; @@ -948,8 +949,6 @@ cdf_read_property_info(const cdf_stream_t *sst, const cdf_header_t *h, *info = inp; inp = *info + nelem; } - DPRINTF(("nelements = %" SIZE_T_FORMAT "u\n", - nelements)); for (j = 0; j < nelements && i < sh.sh_properties; j++, i++) { diff --git a/ext/fileinfo/libmagic/cdf.h b/ext/fileinfo/libmagic/cdf.h index 9006a686ef..6ad5bceb75 100644 --- a/ext/fileinfo/libmagic/cdf.h +++ b/ext/fileinfo/libmagic/cdf.h @@ -50,6 +50,7 @@ typedef int32_t cdf_secid_t; #define CDF_LOOP_LIMIT 10000 +#define CDF_ELEMENT_LIMIT 100000 #define CDF_SECID_NULL 0 #define CDF_SECID_FREE -1 |