scottmac Thu Nov 6 02:58:15 2008 UTC Modified files: /php-src/ext/fileinfo/libmagic funcs.c softmagic.c Log: Fix buffer overread in libmagic and sync a skipped change from 4.26 http://cvs.php.net/viewvc.cgi/php-src/ext/fileinfo/libmagic/funcs.c?r1=1.8&r2=1.9&diff_format=u Index: php-src/ext/fileinfo/libmagic/funcs.c diff -u php-src/ext/fileinfo/libmagic/funcs.c:1.8 php-src/ext/fileinfo/libmagic/funcs.c:1.9 --- php-src/ext/fileinfo/libmagic/funcs.c:1.8 Sun Sep 7 20:29:54 2008 +++ php-src/ext/fileinfo/libmagic/funcs.c Thu Nov 6 02:58:14 2008 @@ -151,6 +151,7 @@ { int m; int mime = ms->flags & MAGIC_MIME; + const unsigned char *ubuf = buf; if (nb == 0) { if ((!mime || (mime & MAGIC_MIME_TYPE)) && @@ -182,15 +183,15 @@ #if PHP_FILEINFO_UNCOMPRESS /* try compression stuff */ if ((ms->flags & MAGIC_NO_CHECK_COMPRESS) != 0 || - (m = file_zmagic(ms, stream, inname, buf, nb)) == 0) + (m = file_zmagic(ms, stream, inname, ubuf, nb)) == 0) #endif { /* Check if we have a tar file */ - if ((ms->flags & MAGIC_NO_CHECK_TAR) != 0 || (m = file_is_tar(ms, buf, nb)) == 0) { + if ((ms->flags & MAGIC_NO_CHECK_TAR) != 0 || (m = file_is_tar(ms, ubuf, nb)) == 0) { /* try tests in /etc/magic (or surrogate magic file) */ - if ((ms->flags & MAGIC_NO_CHECK_SOFT) != 0 || (m = file_softmagic(ms, buf, nb, BINTEST)) == 0) { + if ((ms->flags & MAGIC_NO_CHECK_SOFT) != 0 || (m = file_softmagic(ms, ubuf, nb, BINTEST)) == 0) { /* try known keywords, check whether it is ASCII */ - if ((ms->flags & MAGIC_NO_CHECK_ASCII) != 0 || (m = file_ascmagic(ms, buf, nb)) == 0) { + if ((ms->flags & MAGIC_NO_CHECK_ASCII) != 0 || (m = file_ascmagic(ms, ubuf, nb)) == 0) { /* abandon hope, all ye who remain here */ if ((!mime || (mime & MAGIC_MIME_TYPE)) && file_printf(ms, mime ? "application/octet-stream" : "data") == -1) { return -1; @@ -210,7 +211,7 @@ * information from the ELF headers that cannot easily * be extracted with rules in the magic file. */ - (void)file_tryelf(ms, stream, buf, nb); + (void)file_tryelf(ms, stream, ubuf, nb); } #endif return m; http://cvs.php.net/viewvc.cgi/php-src/ext/fileinfo/libmagic/softmagic.c?r1=1.8&r2=1.9&diff_format=u Index: php-src/ext/fileinfo/libmagic/softmagic.c diff -u php-src/ext/fileinfo/libmagic/softmagic.c:1.8 php-src/ext/fileinfo/libmagic/softmagic.c:1.9 --- php-src/ext/fileinfo/libmagic/softmagic.c:1.8 Sun Nov 2 16:09:27 2008 +++ php-src/ext/fileinfo/libmagic/softmagic.c Thu Nov 6 02:58:14 2008 @@ -185,8 +185,8 @@ if (file_check_mem(ms, ++cont_level) == -1) return -1; - while (magic[magindex+1].cont_level != 0 && - ++magindex < nmagic) { + while (magindex < nmagic - 1 && magic[magindex + 1].cont_level != 0) { + magindex++; m = &magic[magindex]; ms->line = m->lineno; /* for messages */ @@ -783,6 +783,7 @@ const char *c; const char *last; /* end of search region */ const char *buf; /* start of search region */ + const char *end; size_t lines; if (s == NULL) { @@ -791,10 +792,10 @@ return 0; } buf = (const char *)s + offset; - last = (const char *)s + nbytes; + end = last = (const char *)s + nbytes; /* mget() guarantees buf <= last */ for (lines = linecnt, b = buf; - lines && ((b = strchr(c = b, '\n')) || (b = strchr(c, '\r'))); + lines && ((b = memchr(c = b, '\n', end - b)) || (b = memchr(c, '\r', end - c))); lines--, b++) { last = b; if (b[0] == '\r' && b[1] == '\n')
-- PHP CVS Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php