Fixed Bug #66987 Memory corruption in fileinfo ext (bigendian)
authorRemi Collet <remi@php.net>
Mon, 31 Mar 2014 14:50:47 +0000 (16:50 +0200)
committerRemi Collet <remi@php.net>
Mon, 31 Mar 2014 14:50:47 +0000 (16:50 +0200)
On little endian:
map->p == php_magic_database
map->magic[i] = pointer into the map

map->p == NULL
map->magic[i] = pointer to allocated memory

On big endian (ppc64, s390x, ...):
map->p != php_magic_database and map->p != NULL
        map->magic[i] = pointer into a copy of the map

Trying to efree the magic[i] pointers in the latter case causes memory corruption (they point into one buffer, not at separately allocated blocks).
Thanks to dkatulek / Red Hat for the report.

ext/fileinfo/libmagic/apprentice.c

index 11920e658917533c1a43045969310882c5636a4c..fd82564bff79f893a5c89187a38ea66ab1759d53 100644 (file)
@@ -493,12 +493,14 @@ apprentice_unmap(struct magic_map *map)
        if (map == NULL)
                return;
        if (map->p != php_magic_database) {
-               int j;
-               for (j = 0; j < MAGIC_SETS; j++) {
-                       if (map->magic[j])
-                               efree(map->magic[j]);
-               }
-               if (map->p != NULL) {
+               if (map->p == NULL) {
+                       int j;
+                       for (j = 0; j < MAGIC_SETS; j++) {
+                               if (map->magic[j]) {
+                                       efree(map->magic[j]);
+                               }
+                       }
+               } else {
                        efree(map->p);
                }
        }
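Review bot: The ownership rule the new inner `if`/`else` depends on — `map->p == NULL` meaning each `map->magic[j]` was allocated on its own, any other non-`php_magic_database` value meaning `map->p` is one allocated buffer that the `magic[]` entries point into — lives only in an in-band sentinel on `map->p` and is not stated anywhere in the code, which is how the double-free on big-endian builds crept in to begin with. I would document it right above the inner `if` so the next refactor does not free both again: `/* Either map->p is NULL and each magic[j] is a separately allocated block we own, or map->p is a single allocated buffer (per the commit message, a copy of the database on big-endian hosts) that magic[j] points into. Free exactly one of the two, never both. */`. A dedicated map-type field would make this explicit instead of overloading `map->p`, but that is a larger change than this fix warrants. Note that apprentice_unmap's body continues past the end of the hunk, so whether `map` itself is released there is not visible here.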