diff options
author | Anatol Belski <ab@php.net> | 2016-03-28 00:45:19 +0200 |
---|---|---|
committer | Anatol Belski <ab@php.net> | 2016-03-29 13:10:39 +0200 |
commit | fe13566c93f118a15a96320a546c7878fd0cfc5e (patch) | |
tree | 8a05c6c014cb9b763462fb65eaa0f5ca1146edb9 /ext/fileinfo/libmagic | |
parent | 9c19a08b9daed6bae3071dd25742f59a59618823 (diff) | |
download | php-git-fe13566c93f118a15a96320a546c7878fd0cfc5e.tar.gz |
Fixed bug #71527 Buffer over-write in finfo_open with malformed magic file
The actual fix is applying the upstream patch from
https://github.com/file/file/commit/6713ca45e7757297381f4b4cdb9cf5e624a9ad36
Diffstat (limited to 'ext/fileinfo/libmagic')
-rw-r--r-- | ext/fileinfo/libmagic/funcs.c | 2 |
1 files changed, 1 insertions, 1 deletions
diff --git a/ext/fileinfo/libmagic/funcs.c b/ext/fileinfo/libmagic/funcs.c index 011ca42757..def2f7b31b 100644 --- a/ext/fileinfo/libmagic/funcs.c +++ b/ext/fileinfo/libmagic/funcs.c @@ -414,7 +414,7 @@ file_check_mem(struct magic_set *ms, unsigned int level) size_t len; if (level >= ms->c.len) { - len = (ms->c.len += 20) * sizeof(*ms->c.li); + len = (ms->c.len += 20 + level) * sizeof(*ms->c.li); ms->c.li = CAST(struct level_info *, (ms->c.li == NULL) ? emalloc(len) : erealloc(ms->c.li, len)); |