Fixed bug #71527 Buffer over-write in finfo_open with malformed magic file

The actual fix is applying the upstream patch from https://github.com/file/file/commit/6713ca45e7757297381f4b4cdb9cf5e624a9ad36
author: Anatol Belski <ab@php.net> 2016-03-28 00:45:19 +0200
committer: Anatol Belski <ab@php.net> 2016-03-29 13:10:39 +0200
commit: fe13566c93f118a15a96320a546c7878fd0cfc5e (patch)
tree: 8a05c6c014cb9b763462fb65eaa0f5ca1146edb9 /ext/fileinfo/libmagic
parent: 9c19a08b9daed6bae3071dd25742f59a59618823 (diff)
download: php-git-fe13566c93f118a15a96320a546c7878fd0cfc5e.tar.gz
1 files changed, 1 insertions, 1 deletions
diff --git a/ext/fileinfo/libmagic/funcs.c b/ext/fileinfo/libmagic/funcs.c
index 011ca42757..def2f7b31b 100644
--- a/ext/fileinfo/libmagic/funcs.c
+++ b/ext/fileinfo/libmagic/funcs.c
@@ -414,7 +414,7 @@ file_check_mem(struct magic_set *ms, unsigned int level)
 	size_t len;
 
 	if (level >= ms->c.len) {
-		len = (ms->c.len += 20) * sizeof(*ms->c.li);
+		len = (ms->c.len += 20 + level) * sizeof(*ms->c.li);
 		ms->c.li = CAST(struct level_info *, (ms->c.li == NULL) ?
 		    emalloc(len) :
 		    erealloc(ms->c.li, len));
author	Anatol Belski <ab@php.net>	2016-03-28 00:45:19 +0200
committer	Anatol Belski <ab@php.net>	2016-03-29 13:10:39 +0200
commit	fe13566c93f118a15a96320a546c7878fd0cfc5e (patch)
tree	8a05c6c014cb9b763462fb65eaa0f5ca1146edb9 /ext/fileinfo/libmagic
parent	9c19a08b9daed6bae3071dd25742f59a59618823 (diff)
download	php-git-fe13566c93f118a15a96320a546c7878fd0cfc5e.tar.gz