Diffstat (limited to 'ext/fileinfo')
| -rw-r--r-- | ext/fileinfo/libmagic/funcs.c | 2 | ||||
| -rw-r--r-- | ext/fileinfo/tests/bug68819_002.phpt | 2 | ||||
| -rw-r--r-- | ext/fileinfo/tests/bug68996.phpt | 2 | ||||
| -rw-r--r-- | ext/fileinfo/tests/bug71527.magic | 1 | ||||
| -rw-r--r-- | ext/fileinfo/tests/bug71527.phpt | 19 |
5 files changed, 23 insertions, 3 deletions
diff --git a/ext/fileinfo/libmagic/funcs.c b/ext/fileinfo/libmagic/funcs.c
index c6699d5147..9ea5386ebf 100644
--- a/ext/fileinfo/libmagic/funcs.c
+++ b/ext/fileinfo/libmagic/funcs.c
@@ -403,7 +403,7 @@ file_check_mem(struct magic_set *ms, unsigned int level) size_t len; if (level >= ms->c.len) {
- len = (ms->c.len += 20) * sizeof(*ms->c.li);
+ len = (ms->c.len = 20 + level) * sizeof(*ms->c.li);
 ms->c.li = CAST(struct level_info *, (ms->c.li == NULL) ? emalloc(len) : erealloc(ms->c.li, len));
diff --git a/ext/fileinfo/tests/bug68819_002.phpt b/ext/fileinfo/tests/bug68819_002.phpt
index cec238d63e..7d5f6c642d 100644
--- a/ext/fileinfo/tests/bug68819_002.phpt
+++ b/ext/fileinfo/tests/bug68819_002.phpt
@@ -12,7 +12,7 @@ $string .= "\r\n"; $string .= "''''"; // Total string length > 8192
-$string .= str_repeat(chr(rand(32, 127)), 8184);
+$string .= str_repeat("a", 8184);
 // Ending in this string $string .= "say";
diff --git a/ext/fileinfo/tests/bug68996.phpt b/ext/fileinfo/tests/bug68996.phpt
index 9fa2190307..214e52fa6f 100644
--- a/ext/fileinfo/tests/bug68996.phpt
+++ b/ext/fileinfo/tests/bug68996.phpt
@@ -19,4 +19,4 @@ finfo_open(FILEINFO_MIME_TYPE, "\xfc\x63"); <br /> <b>Warning</b>: : failed to open stream: No such file or directory in <b>%sbug68996.php</b> on line <b>%d</b><br /> <br />
-<b>Warning</b>: finfo_open(): in <b>%sbug68996.php</b> on line <b>%d</b><br />
+<b>Warning</b>: finfo_open(): Failed to load magic database at '%s�c'. in <b>%sbug68996.php</b> on line <b>%d</b><br />
diff --git a/ext/fileinfo/tests/bug71527.magic b/ext/fileinfo/tests/bug71527.magic
new file mode 100644
index 0000000000..14d77817be
--- /dev/null
+++ b/ext/fileinfo/tests/bug71527.magic
@@ -0,0 +1 @@
+>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
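Review bot: In the new `len = (ms->c.len = 20 + level) * sizeof(*ms->c.li);` of the funcs.c hunk, the sum `20 + level` is evaluated as `unsigned int`, so a `level` within 20 of `UINT_MAX` would wrap to a small count and leave the array shorter than `level + 1` entries; the multiplication by `sizeof(*ms->c.li)` is unchecked as well. Whether callers bound `level` is not visible in this hunk, so I would guard it here, for example `if (level > UINT_MAX - 20) return -1;` before the assignment (assuming -1 is this function's failure return, which lies outside the hunk), and compute the count as `(size_t)level + 20`. A one-line comment such as `/* grow to cover index `level`; a fixed +20 step can still be too small */` would record why the size is derived from `level`. The body of file_check_mem starts before and continues past the hunk.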
\ No newline at end of file
diff --git a/ext/fileinfo/tests/bug71527.phpt b/ext/fileinfo/tests/bug71527.phpt
new file mode 100644
index 0000000000..f5b1d860e8
--- /dev/null
+++ b/ext/fileinfo/tests/bug71527.phpt
@@ -0,0 +1,19 @@
+--TEST--
+Bug #71527 Buffer over-write in finfo_open with malformed magic file
+--SKIPIF--
+<?php
+if (!class_exists('finfo'))
+ die('skip no fileinfo extension');
+--ENV--
+USE_ZEND_ALLOC=0
+--FILE--
+<?php
+ $finfo = finfo_open(FILEINFO_NONE, dirname(__FILE__) . DIRECTORY_SEPARATOR . "bug71527.magic");
+ $info = finfo_file($finfo, __FILE__);
+ var_dump($info);
+?>
+--EXPECTF--
+Warning: finfo_open(): Failed to load magic database at '%sbug71527.magic'. in %sbug71527.php on line %d
+
+Warning: finfo_file() expects parameter 1 to be resource, boolean given in %sbug71527.php on line %d
+bool(false) |
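Review bot: The new bug71527.phpt asserts only the `Failed to load magic database` warning, so the over-write named in its title is caught only when a memory checker is watching the run. `USE_ZEND_ALLOC=0` is presumably set for that reason, but nothing in the file says so. A comment at the top of the `--FILE--` block, such as `// bug71527.magic is one line of '>' level markers; USE_ZEND_ALLOC=0 lets valgrind/ASan see the allocation`, would make the intent clear to whoever maintains the test. The `--SKIPIF--` block also leaves its `<?php` tag unclosed while the `--FILE--` block closes its own; adding `?>` there would keep the two consistent.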
