author | Christoph M. Becker <cmbecker69@gmx.de> | 2020-03-02 15:26:59 +0100 |
---|---|---|
committer | Stanislav Malyshev <stas@php.net> | 2020-03-16 22:40:48 -0700 |
commit | aa88f33f7df29e0ac4c4bd790a21ad81b2491bd8 (patch) | |
tree | 76d8a639d78f21de7af57e3d3bf22b9ed4e22e68 /ext/fileinfo/libmagic | |
parent | db848e1482c1871d8b2a4185f0c6ac261069e4bd (diff) | |
download | php-git-aa88f33f7df29e0ac4c4bd790a21ad81b2491bd8.tar.gz |
Fix #79283: Segfault in libmagic patch contains a buffer overflow
To solve this, we calculate the exact required string length upfront (each `~` expands to two bytes and each NUL byte to four) rather than simply over-allocating a worst-case buffer (`len * 4 + 4`).
Diffstat (limited to 'ext/fileinfo/libmagic')
-rw-r--r-- | ext/fileinfo/libmagic/softmagic.c | 18 |
1 files changed, 16 insertions, 2 deletions
diff --git a/ext/fileinfo/libmagic/softmagic.c b/ext/fileinfo/libmagic/softmagic.c
index 2b6d764291..d71801cea5 100644
--- a/ext/fileinfo/libmagic/softmagic.c
+++ b/ext/fileinfo/libmagic/softmagic.c
@@ -1907,11 +1907,25 @@ file_strncmp16(const char *a, const char *b, size_t len, uint32_t flags)
 public void convert_libmagic_pattern(zval *pattern, char *val, size_t len, uint32_t options)
 {
-	int i, j=0;
+	int i, j;
 	zend_string *t;
-	t = zend_string_alloc(len * 2 + 4, 0);
+	for (i = j = 0; i < len; i++) {
+		switch (val[i]) {
+			case '~':
+				j += 2;
+				break;
+			case '\0':
+				j += 4;
+				break;
+			default:
+				j++;
+				break;
+		}
+	}
+	t = zend_string_alloc(j + 4, 0);
+	j = 0;
 	ZSTR_VAL(t)[j++] = '~';
 	for (i = 0; i < len; i++, j++) {