20192108 problem in UTILITY/PHP
20231115 problem in UTILITY/PHP
20936509 problem in UTILITY/PHP
20804024 problem in UTILITY/PHP
20804061 problem in UTILITY/PHP
20804135 problem in UTILITY/PHP
20804363 problem in UTILITY/PHP
20804424 problem in UTILITY/PHP
20433657 problem in UTILITY/PHP
20803998 problem in UTILITY/PHP
20804391 problem in UTILITY/PHP
CVE-2014-3710
Community BUG:
https://bugs.php.net/bug.php?id=68283
Community CODE:
http://git.php.net/?p=php-src.git;a=commit;h=1803228597e82218a8c105e67975bc50e6f5bf0d
really:
https://github.com/file/file/commit/39c7ac1106be844a5296d3eb5971946cc09ffda0
This patch was created from the community reports above.
--- php-5.3.29/ext/fileinfo/libmagic/readelf.c_orig 2015-06-12 14:26:23.865377086 -0700
+++ php-5.3.29/ext/fileinfo/libmagic/readelf.c 2015-06-12 14:29:09.089820837 -0700
@@ -368,6 +368,13 @@
#endif
uint32_t namesz, descsz;
+ if (xnh_sizeof + offset > size) {
+ /*
+ * We're out of note headers.
+ */
+ return xnh_sizeof + offset;
+ }
+
(void)memcpy(xnh_addr, &nbuf[offset], xnh_sizeof);
offset += xnh_sizeof;