1 CVE-2014-9652 |
2 Community BUG: |
3 https://bugs.php.net/bug.php?id=68735 |
4 Community CODE: |
5 https://bugs.php.net/patch-display.php?bug=68735&patch=bug68735.patch&revision=1420309079 |
6 Below is the community patch. |
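diff --git a/ext/fileinfo/libmagic/softmagic.c b/ext/fileinfo/libmagic/softmagic.c
index 7e0c856..e7b7855 100644
--- a/ext/fileinfo/libmagic/softmagic.c
+++ b/ext/fileinfo/libmagic/softmagic.c
@@ -884,14 +884,17 @@ mconvert(struct magic_set *ms, struct magic *m, int flip)
 size_t sz = file_pstring_length_size(m);
 char *ptr1 = p->s, *ptr2 = ptr1 + sz;
 size_t len = file_pstring_get_length(m, ptr1);
- if (len >= sizeof(p->s)) {
+ sz = sizeof(p->s) - sz; /* maximum length of string */
+ if (len >= sz) {
 /*
 * The size of the pascal string length (sz)
 * is 1, 2, or 4. We need at least 1 byte for NUL
 * termination, but we've already truncated the
 * string by p->s, so we need to deduct sz.
+ * Because we can use one of the bytes of the length
+ * after we shifted as NUL termination.
 */
- len = sizeof(p->s) - sz;
+ len = sz;
 }
 while (len--)
 *ptr1++ = *ptr2++;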
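Review bot: Reusing `sz` for two different quantities leaves the retained comment stale: after the added `sz = sizeof(p->s) - sz;` line, `sz` holds the maximum string length, yet the comment that follows still describes `sz` as the 1/2/4-byte size of the pascal length field that has to be deducted. A separate name removes the ambiguity, e.g. `size_t max = sizeof(p->s) - sz; /* maximum length of string */`, `if (len >= max) {` and `len = max;`. The bound itself looks sound as far as the hunk shows: with `len` capped at `sizeof(p->s)` minus the length-field size, `ptr2 + len` stays within `p->s`, which is what the over-read fixed here requires. Whether the NUL terminator written afterwards also fits depends on the code that follows; mconvert's body continues outside the hunk.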
|
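--- /dev/null Sat Jan 3 19:01:50 2015
+++ a/ext/fileinfo/tests/bug68735.phpt Sat Jan 3 18:57:32 2015
@@ -0,0 +1,16 @@
+--TEST--
+Bug #68735 fileinfo out-of-bounds memory access
+--SKIPIF--
+<?php require_once(dirname(__FILE__) . '/skipif.inc'); ?>
+--FILE--
+<?php
+ $test_file = dirname(__FILE__) . DIRECTORY_SEPARATOR . "bug68735.jpg";
+ $f = new finfo;
+
+ var_dump($f->file($test_file));
+
+?>
+===DONE===
+--EXPECTF--
+string(%d) "JPEG image data, JFIF standard 1.01, comment: "%S""
+===DONE===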
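Review bot: The test depends on a fixture `bug68735.jpg` next to the .phpt that does not appear in the visible patch; a binary file would not show in a text diff, so it presumably travels separately, but the test will be skipped or fail without it. The `%S` wildcard in `--EXPECTF--` accepts any comment text, so the test detects a crash or sanitizer report on the oversized comment but does not pin the truncated length the softmagic.c change establishes; a brief comment in `--TEST--` or `--FILE--` saying the fixture carries a JPEG comment longer than the pascal-string buffer would make the intent of the fixture clear to the next maintainer.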