diff options
| author | Stanislav Malyshev <stas@php.net> | 2019-10-28 20:47:50 -0700 |
|---|---|---|
| committer | Stanislav Malyshev <stas@php.net> | 2019-10-28 20:47:50 -0700 |
| commit | 53b1d76144b27e9788a342d68c98a5aad72c5b14 (patch) | |
| tree | 572873b90ed15a85d18cbe8c3e5a16fc011f2eed | |
| parent | 3fb42a382cdd64015375eec4c3a8d708ea17a06b (diff) | |
| parent | 8c2b3b056857a1d3c049f7adacf082a0941bfa62 (diff) | |
| download | php-git-53b1d76144b27e9788a342d68c98a5aad72c5b14.tar.gz | |
Merge branch 'PHP-7.3' into PHP-7.4
* PHP-7.3:
Fix libmagic buffer overflow issue (CVE-2019-18218)
bump version
set versions for release
| -rw-r--r-- | ext/fileinfo/libmagic/cdf.c | 7 | ||||
| -rw-r--r-- | ext/fileinfo/libmagic/cdf.h | 1 |
2 files changed, 4 insertions, 4 deletions
diff --git a/ext/fileinfo/libmagic/cdf.c b/ext/fileinfo/libmagic/cdf.c index 28427dfb64..cdf273eda6 100644 --- a/ext/fileinfo/libmagic/cdf.c +++ b/ext/fileinfo/libmagic/cdf.c @@ -995,8 +995,9 @@ cdf_read_property_info(const cdf_stream_t *sst, const cdf_header_t *h, goto out; } nelements = CDF_GETUINT32(q, 1); - if (nelements == 0) { - DPRINTF(("CDF_VECTOR with nelements == 0\n")); + if (nelements > CDF_ELEMENT_LIMIT || nelements == 0) { + DPRINTF(("CDF_VECTOR with nelements == %" + SIZE_T_FORMAT "u\n", nelements)); goto out; } slen = 2; @@ -1038,8 +1039,6 @@ cdf_read_property_info(const cdf_stream_t *sst, const cdf_header_t *h, goto out; inp += nelem; } - DPRINTF(("nelements = %" SIZE_T_FORMAT "u\n", - nelements)); for (j = 0; j < nelements && i < sh.sh_properties; j++, i++) { diff --git a/ext/fileinfo/libmagic/cdf.h b/ext/fileinfo/libmagic/cdf.h index a491528189..07f1dd8c15 100644 --- a/ext/fileinfo/libmagic/cdf.h +++ b/ext/fileinfo/libmagic/cdf.h @@ -48,6 +48,7 @@ typedef int32_t cdf_secid_t; #define CDF_LOOP_LIMIT 10000 +#define CDF_ELEMENT_LIMIT 100000 #define CDF_SECID_NULL 0 #define CDF_SECID_FREE -1 |