Merge branch 'PHP-5.5' into PHP-5.6

* PHP-5.5: NEWS Fix bug #68283: fileinfo: out-of-bounds read in elf note headers
author: Remi Collet <remi@php.net> 2014-10-25 11:30:29 +0200
committer: Remi Collet <remi@php.net> 2014-10-25 11:30:29 +0200
commit: cefa310cf9adad596e7e0122dd07352fe36affa0 (patch)
tree: 28c4520d87a8302b200ed1a10e3176b000215158
parent: c03ac47bafd0ea55055a2f3d4de0bc6bb4d98d8d (diff)
parent: ec3d25fcbda6109c4ae353b768d59e25af854712 (diff)
download: php-git-cefa310cf9adad596e7e0122dd07352fe36affa0.tar.gz
1 files changed, 7 insertions, 0 deletions
diff --git a/ext/fileinfo/libmagic/readelf.c b/ext/fileinfo/libmagic/readelf.c
index 6f776721b0..4620711e8e 100644
--- a/ext/fileinfo/libmagic/readelf.c
+++ b/ext/fileinfo/libmagic/readelf.c
@@ -492,6 +492,13 @@ donote(struct magic_set *ms, void *vbuf, size_t offset, size_t size,
 	uint32_t namesz, descsz;
 	unsigned char *nbuf = CAST(unsigned char *, vbuf);
 
+	if (xnh_sizeof + offset > size) {
+		/*
+		 * We're out of note headers.
+		 */
+		return xnh_sizeof + offset;
+	}
+
 	(void)memcpy(xnh_addr, &nbuf[offset], xnh_sizeof);
 	offset += xnh_sizeof;
author	Remi Collet <remi@php.net>	2014-10-25 11:30:29 +0200
committer	Remi Collet <remi@php.net>	2014-10-25 11:30:29 +0200
commit	cefa310cf9adad596e7e0122dd07352fe36affa0 (patch)
tree	28c4520d87a8302b200ed1a10e3176b000215158
parent	c03ac47bafd0ea55055a2f3d4de0bc6bb4d98d8d (diff)
parent	ec3d25fcbda6109c4ae353b768d59e25af854712 (diff)
download	php-git-cefa310cf9adad596e7e0122dd07352fe36affa0.tar.gz