scottmacThu Nov 6 03:00:04 2008 UTC
Modified files: (Branch: PHP_5_3)
/php-src/ext/fileinfo/libmagic funcs.c softmagic.c
Log:
MFH: Fix buffer overread in libmagic and sync a skipped change from 4.26
http://cvs.php.net/viewvc.cgi/php-src/ext/fileinfo/libmagic/funcs.c?r1=1.3.2.5&r2=1.3.2.6&diff_format=u
Index: php-src/ext/fileinfo/libmagic/funcs.c
diff -u php-src/ext/fileinfo/libmagic/funcs.c:1.3.2.5
php-src/ext/fileinfo/libmagic/funcs.c:1.3.2.6
--- php-src/ext/fileinfo/libmagic/funcs.c:1.3.2.5 Mon Sep 1 18:56:06 2008
+++ php-src/ext/fileinfo/libmagic/funcs.c Thu Nov 6 03:00:04 2008
@@ -151,6 +151,7 @@
{
int m;
int mime = ms->flags & MAGIC_MIME;
+ const unsigned char *ubuf = buf;
if (nb == 0) {
if ((!mime || (mime & MAGIC_MIME_TYPE)) &&
@@ -182,15 +183,15 @@
#if PHP_FILEINFO_UNCOMPRESS
/* try compression stuff */
if ((ms->flags & MAGIC_NO_CHECK_COMPRESS) != 0 ||
- (m = file_zmagic(ms, stream, inname, buf, nb)) == 0)
+ (m = file_zmagic(ms, stream, inname, ubuf, nb)) == 0)
#endif
{
/* Check if we have a tar file */
- if ((ms->flags & MAGIC_NO_CHECK_TAR) != 0 || (m =
file_is_tar(ms, buf, nb)) == 0) {
+ if ((ms->flags & MAGIC_NO_CHECK_TAR) != 0 || (m =
file_is_tar(ms, ubuf, nb)) == 0) {
/* try tests in /etc/magic (or surrogate magic file) */
- if ((ms->flags & MAGIC_NO_CHECK_SOFT) != 0 || (m =
file_softmagic(ms, buf, nb, BINTEST)) == 0) {
+ if ((ms->flags & MAGIC_NO_CHECK_SOFT) != 0 || (m =
file_softmagic(ms, ubuf, nb, BINTEST)) == 0) {
/* try known keywords, check whether it is
ASCII */
- if ((ms->flags & MAGIC_NO_CHECK_ASCII) != 0 ||
(m = file_ascmagic(ms, buf, nb)) == 0) {
+ if ((ms->flags & MAGIC_NO_CHECK_ASCII) != 0 ||
(m = file_ascmagic(ms, ubuf, nb)) == 0) {
/* abandon hope, all ye who remain here
*/
if ((!mime || (mime & MAGIC_MIME_TYPE))
&& file_printf(ms, mime ? "application/octet-stream" : "data") == -1) {
return -1;
@@ -211,7 +212,7 @@
* information from the ELF headers that cannot easily
* be extracted with rules in the magic file.
*/
- (void)file_tryelf(ms, stream, buf, nb);
+ (void)file_tryelf(ms, stream, ubuf, nb);
}
#endif
return m;
http://cvs.php.net/viewvc.cgi/php-src/ext/fileinfo/libmagic/softmagic.c?r1=1.1.2.7&r2=1.1.2.8&diff_format=u
Index: php-src/ext/fileinfo/libmagic/softmagic.c
diff -u php-src/ext/fileinfo/libmagic/softmagic.c:1.1.2.7
php-src/ext/fileinfo/libmagic/softmagic.c:1.1.2.8
--- php-src/ext/fileinfo/libmagic/softmagic.c:1.1.2.7 Sun Nov 2 16:13:49 2008
+++ php-src/ext/fileinfo/libmagic/softmagic.c Thu Nov 6 03:00:04 2008
@@ -185,8 +185,8 @@
if (file_check_mem(ms, ++cont_level) == -1)
return -1;
- while (magic[magindex+1].cont_level != 0 &&
- ++magindex < nmagic) {
+ while (magindex < nmagic - 1 && magic[magindex + 1].cont_level
!= 0) {
+ magindex++;
m = &magic[magindex];
ms->line = m->lineno; /* for messages */
@@ -783,6 +783,7 @@
const char *c;
const char *last; /* end of search region */
const char *buf;/* start of search region */
+ const char *end;
size_t lines;
if (s == NULL) {
@@ -791,10 +792,10 @@
return 0;
}
buf = (const char *)s + offset;
- last = (const char *)s + nbytes;
+ end = last = (const char *)s + nbytes;
/* mget() guarantees buf <= last */
for (lines = linecnt, b = buf;
-lines && ((b = strchr(c = b, '\n')) || (b =
strchr(c, '\r')));
+lines && ((b = memchr(c = b, '\n', end - b)) || (b
= memchr(c, '\r', end - c)));
lines--, b++) {
last = b;
if (b[0] == '\r' && b[1] == '\n')
--
PHP CVS Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php