-rw-r--r-- NEWS 7
-rw-r--r-- ext/fileinfo/libmagic/cdf.c 2
2 files changed, 5 insertions, 4 deletions
diff --git a/NEWS b/NEWS
index ac3937a771..e6a87e64c6 100644
--- a/NEWS
+++ b/NEWS
@@ -6,7 +6,7 @@ PHP NEWS
. Fixed bug #47358 (glob returns error, should be empty array()). (Pierre)
- OpenSSL:
- . Fixed bug #41631 (socket timeouts not honored in blocking SSL reads)
+ . Fixed bug #41631 (socket timeouts not honored in blocking SSL reads).
(Daniel Lowrey).
- SPL:
@@ -14,7 +14,7 @@ PHP NEWS
wrong message). (tim_siebels_aurich at yahoo dot de)
- Date:
- . Fixed bug #66091 (memory leaks in DateTime constructor) (Tjerk).
+ . Fixed bug #66091 (memory leaks in DateTime constructor). (Tjerk).
?? ??? 2014, PHP 5.5.16
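Review bot: The added Date entry still ends with a period after the attribution, "(Tjerk).", while the other entries this patch touches end at the closing parenthesis, as in "(Yussuf Khalil, Stas)". If the goal of the cleanup is the "description. (Author)" form, drop the trailing period here as well so the section is consistent.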
@@ -26,6 +26,7 @@ PHP NEWS
- Fileinfo:
. Fixed bug #67705 (extensive backtracking in rule regular expression).
(CVE-2014-3538) (Remi)
+ . Fixed bug #67716 (Segfault in cdf.c). (CVE-2014-3587) (Remi)
- FPM:
. Fixed bug #67635 (php links to systemd libraries without using pkg-config).
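Review bot: The new Fileinfo entry, "Fixed bug #67716 (Segfault in cdf.c)", names only the file, so a reader scanning NEWS for CVE-2014-3587 cannot tell which code path is affected. Consider naming the function changed in this commit, cdf_read_property_info, in the entry. The punctuation-only edits to the OpenSSL and Date entries would also be easier to backport around if they were in a separate commit from the security fix.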
@@ -39,7 +40,7 @@ PHP NEWS
. Fixed bug #67715 (php-milter does not build and crashes randomly). (Mike)
- OpenSSL:
- . Fixed missing type checks in OpenSSL options (Yussuf Khalil, Stas).
+ . Fixed missing type checks in OpenSSL options. (Yussuf Khalil, Stas)
- readline:
. Fixed bug #55496 (Interactive mode doesn't force a newline before the
diff --git a/ext/fileinfo/libmagic/cdf.c b/ext/fileinfo/libmagic/cdf.c
index 429f3b952f..2c0a2d9dfc 100644
--- a/ext/fileinfo/libmagic/cdf.c
+++ b/ext/fileinfo/libmagic/cdf.c
@@ -820,7 +820,7 @@ cdf_read_property_info(const cdf_stream_t *sst, const cdf_header_t *h,
q = (const uint8_t *)(const void *)
((const char *)(const void *)p + ofs
- 2 * sizeof(uint32_t));
- if (q > e) {
+ if (q < p || q > e) {
DPRINTF(("Ran of the end %p > %p\n", q, e));
goto out;
}
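Review bot: The new lower-bound test in "if (q < p || q > e)" runs only after q has already been formed as p + ofs - 2 * sizeof(uint32_t), so the check depends on comparing a pointer that may already lie outside the buffer, which C does not define and which can wrap on some targets. It would be more robust to validate ofs as an integer first (at least 2 * sizeof(uint32_t), and no larger than the distance from p to e plus that amount) and only then compute q. The DPRINTF text "Ran of the end %p > %p" also no longer matches the condition: it reports q and e even when the failure is q < p, and "Ran of" looks like a typo for "Ran off"; printing p as well would make the debug output usable for the new case.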