diff options
| author | Stanislav Malyshev <stas@php.net> | 2019-10-28 20:47:30 -0700 |
|---|---|---|
| committer | Stanislav Malyshev <stas@php.net> | 2019-10-28 20:47:30 -0700 |
| commit | 2bdb13a1f776fccf89506d63eb71e950df96c21e (patch) | |
| tree | 23e1ecb52426becc45cd08620aec42ee11ecb82e | |
| parent | 89c327f8848c1a56a61479ee5e7fdd3694d0f867 (diff) | |
| parent | 469820048df558040f6dec7c39471ad11e2a7cfb (diff) | |
| download | php-git-2bdb13a1f776fccf89506d63eb71e950df96c21e.tar.gz | |
Merge branch 'PHP-7.1' into PHP-7.2
* PHP-7.1:
Fix libmagic buffer overflow issue (CVE-2019-18218)
bump version
set versions for release
| -rw-r--r-- | ext/fileinfo/libmagic/cdf.c | 7 | ||||
| -rw-r--r-- | ext/fileinfo/libmagic/cdf.h | 1 |
2 files changed, 4 insertions, 4 deletions
diff --git a/ext/fileinfo/libmagic/cdf.c b/ext/fileinfo/libmagic/cdf.c index 806f7f9526..47624eb4a8 100644 --- a/ext/fileinfo/libmagic/cdf.c +++ b/ext/fileinfo/libmagic/cdf.c @@ -1011,8 +1011,9 @@ cdf_read_property_info(const cdf_stream_t *sst, const cdf_header_t *h, goto out; } nelements = CDF_GETUINT32(q, 1); - if (nelements == 0) { - DPRINTF(("CDF_VECTOR with nelements == 0\n")); + if (nelements > CDF_ELEMENT_LIMIT || nelements == 0) { + DPRINTF(("CDF_VECTOR with nelements == %" + SIZE_T_FORMAT "u\n", nelements)); goto out; } slen = 2; @@ -1054,8 +1055,6 @@ cdf_read_property_info(const cdf_stream_t *sst, const cdf_header_t *h, goto out; inp += nelem; } - DPRINTF(("nelements = %" SIZE_T_FORMAT "u\n", - nelements)); for (j = 0; j < nelements && i < sh.sh_properties; j++, i++) { diff --git a/ext/fileinfo/libmagic/cdf.h b/ext/fileinfo/libmagic/cdf.h index f5d0790719..a76ac41d7f 100644 --- a/ext/fileinfo/libmagic/cdf.h +++ b/ext/fileinfo/libmagic/cdf.h @@ -50,6 +50,7 @@ typedef int32_t cdf_secid_t; #define CDF_LOOP_LIMIT 10000 +#define CDF_ELEMENT_LIMIT 100000 #define CDF_SECID_NULL 0 #define CDF_SECID_FREE -1 |