summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorStanislav Malyshev <stas@php.net>2019-10-28 20:47:30 -0700
committerStanislav Malyshev <stas@php.net>2019-10-28 20:47:30 -0700
commit2bdb13a1f776fccf89506d63eb71e950df96c21e (patch)
tree23e1ecb52426becc45cd08620aec42ee11ecb82e
parent89c327f8848c1a56a61479ee5e7fdd3694d0f867 (diff)
parent469820048df558040f6dec7c39471ad11e2a7cfb (diff)
downloadphp-git-2bdb13a1f776fccf89506d63eb71e950df96c21e.tar.gz
Merge branch 'PHP-7.1' into PHP-7.2
* PHP-7.1: Fix libmagic buffer overflow issue (CVE-2019-18218) bump version set versions for release
-rw-r--r--ext/fileinfo/libmagic/cdf.c7
-rw-r--r--ext/fileinfo/libmagic/cdf.h1
2 files changed, 4 insertions, 4 deletions
diff --git a/ext/fileinfo/libmagic/cdf.c b/ext/fileinfo/libmagic/cdf.c
index 806f7f9526..47624eb4a8 100644
--- a/ext/fileinfo/libmagic/cdf.c
+++ b/ext/fileinfo/libmagic/cdf.c
@@ -1011,8 +1011,9 @@ cdf_read_property_info(const cdf_stream_t *sst, const cdf_header_t *h,
goto out;
}
nelements = CDF_GETUINT32(q, 1);
- if (nelements == 0) {
- DPRINTF(("CDF_VECTOR with nelements == 0\n"));
+ if (nelements > CDF_ELEMENT_LIMIT || nelements == 0) {
+ DPRINTF(("CDF_VECTOR with nelements == %"
+ SIZE_T_FORMAT "u\n", nelements));
goto out;
}
slen = 2;
@@ -1054,8 +1055,6 @@ cdf_read_property_info(const cdf_stream_t *sst, const cdf_header_t *h,
goto out;
inp += nelem;
}
- DPRINTF(("nelements = %" SIZE_T_FORMAT "u\n",
- nelements));
for (j = 0; j < nelements && i < sh.sh_properties;
j++, i++)
{
diff --git a/ext/fileinfo/libmagic/cdf.h b/ext/fileinfo/libmagic/cdf.h
index f5d0790719..a76ac41d7f 100644
--- a/ext/fileinfo/libmagic/cdf.h
+++ b/ext/fileinfo/libmagic/cdf.h
@@ -50,6 +50,7 @@
typedef int32_t cdf_secid_t;
#define CDF_LOOP_LIMIT 10000
+#define CDF_ELEMENT_LIMIT 100000
#define CDF_SECID_NULL 0
#define CDF_SECID_FREE -1