authorChristoph M. Becker <cmbecker69@gmx.de>2020-03-02 15:26:59 +0100
committerStanislav Malyshev <stas@php.net>2020-03-16 22:40:48 -0700
commitaa88f33f7df29e0ac4c4bd790a21ad81b2491bd8 (patch)
tree76d8a639d78f21de7af57e3d3bf22b9ed4e22e68 /ext/fileinfo/libmagic
parentdb848e1482c1871d8b2a4185f0c6ac261069e4bd (diff)
downloadphp-git-aa88f33f7df29e0ac4c4bd790a21ad81b2491bd8.tar.gz
Fix #79283: Segfault in libmagic patch contains a buffer overflow
To solve this, we properly calculate the required string length upfront instead of allocating an oversized string (`len * 4 + 4`).
Diffstat (limited to 'ext/fileinfo/libmagic')
-rw-r--r--ext/fileinfo/libmagic/softmagic.c18
1 files changed, 16 insertions, 2 deletions
diff --git a/ext/fileinfo/libmagic/softmagic.c b/ext/fileinfo/libmagic/softmagic.c
index 2b6d764291..d71801cea5 100644
--- a/ext/fileinfo/libmagic/softmagic.c
+++ b/ext/fileinfo/libmagic/softmagic.c
@@ -1907,11 +1907,25 @@ file_strncmp16(const char *a, const char *b, size_t len, uint32_t flags)
public void
convert_libmagic_pattern(zval *pattern, char *val, size_t len, uint32_t options)
{
- int i, j=0;
+ int i, j;
zend_string *t;
- t = zend_string_alloc(len * 2 + 4, 0);
+ for (i = j = 0; i < len; i++) {
+ switch (val[i]) {
+ case '~':
+ j += 2;
+ break;
+ case '\0':
+ j += 4;
+ break;
+ default:
+ j++;
+ break;
+ }
+ }
+ t = zend_string_alloc(j + 4, 0);
+ j = 0;
ZSTR_VAL(t)[j++] = '~';
for (i = 0; i < len; i++, j++) {