diff options
author | Stanislav Malyshev <stas@php.net> | 2019-10-28 20:47:44 -0700 |
---|---|---|
committer | Stanislav Malyshev <stas@php.net> | 2019-10-28 20:47:44 -0700 |
commit | 8c2b3b056857a1d3c049f7adacf082a0941bfa62 (patch) | |
tree | 904ba7302c3823e1012b851b8dc974c2799f211e | |
parent | 736cd93ef53a458dbe5b86cab1f61721ccbc8b2d (diff) | |
parent | 2bdb13a1f776fccf89506d63eb71e950df96c21e (diff) | |
download | php-git-8c2b3b056857a1d3c049f7adacf082a0941bfa62.tar.gz |
Merge branch 'PHP-7.2' into PHP-7.3
* PHP-7.2:
Fix libmagic buffer overflow issue (CVE-2019-18218)
bump version
set versions for release
-rw-r--r-- | ext/fileinfo/libmagic/cdf.c | 7 | ||||
-rw-r--r-- | ext/fileinfo/libmagic/cdf.h | 1 |
2 files changed, 4 insertions, 4 deletions
diff --git a/ext/fileinfo/libmagic/cdf.c b/ext/fileinfo/libmagic/cdf.c index 050bf637bf..4237c7b674 100644 --- a/ext/fileinfo/libmagic/cdf.c +++ b/ext/fileinfo/libmagic/cdf.c @@ -989,8 +989,9 @@ cdf_read_property_info(const cdf_stream_t *sst, const cdf_header_t *h, goto out; } nelements = CDF_GETUINT32(q, 1); - if (nelements == 0) { - DPRINTF(("CDF_VECTOR with nelements == 0\n")); + if (nelements > CDF_ELEMENT_LIMIT || nelements == 0) { + DPRINTF(("CDF_VECTOR with nelements == %" + SIZE_T_FORMAT "u\n", nelements)); goto out; } slen = 2; @@ -1032,8 +1033,6 @@ cdf_read_property_info(const cdf_stream_t *sst, const cdf_header_t *h, goto out; inp += nelem; } - DPRINTF(("nelements = %" SIZE_T_FORMAT "u\n", - nelements)); for (j = 0; j < nelements && i < sh.sh_properties; j++, i++) { diff --git a/ext/fileinfo/libmagic/cdf.h b/ext/fileinfo/libmagic/cdf.h index c156d6e06a..ed0e2eb01b 100644 --- a/ext/fileinfo/libmagic/cdf.h +++ b/ext/fileinfo/libmagic/cdf.h @@ -48,6 +48,7 @@ typedef int32_t cdf_secid_t; #define CDF_LOOP_LIMIT 10000 +#define CDF_ELEMENT_LIMIT 100000 #define CDF_SECID_NULL 0 #define CDF_SECID_FREE -1 |