Fix libmagic buffer overflow issue (CVE-2019-18218)
authorStanislav Malyshev <stas@php.net>
Sun, 27 Oct 2019 23:30:38 +0000 (16:30 -0700)
committerStanislav Malyshev <stas@php.net>
Sun, 27 Oct 2019 23:30:38 +0000 (16:30 -0700)
Ported from https://github.com/file/file/commit/46a8443f76cec4b41ec736eca396984c74664f84

ext/fileinfo/libmagic/cdf.c
ext/fileinfo/libmagic/cdf.h

index 28084fbe4477303d149073b1cc338ceb552425b2..01af1e4eda92921fb621e7134ade3d4576b2a654 100644 (file)
@@ -872,8 +872,9 @@ cdf_read_property_info(const cdf_stream_t *sst, const cdf_header_t *h,
                    i, inp[i].pi_id, inp[i].pi_type, q - p, offs));
                if (inp[i].pi_type & CDF_VECTOR) {
                        nelements = CDF_GETUINT32(q, 1);
-                       if (nelements == 0) {
-                               DPRINTF(("CDF_VECTOR with nelements == 0\n"));
+                       if (nelements > CDF_ELEMENT_LIMIT || nelements == 0) {
+                               DPRINTF(("CDF_VECTOR with nelements == %"
+                                   SIZE_T_FORMAT "u\n", nelements));
                                goto out;
                        }
                        o = 2;
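Review bot: The new guard `if (nelements > CDF_ELEMENT_LIMIT || nelements == 0)` caps an attacker-controlled 32-bit count with a fixed constant rather than with the data actually present, so whether 100000 is safe depends on how much is read per element and on the `inp = *info + nelem` growth seen in the next hunk, neither of which this hunk shows. A bound derived from the bytes remaining in the stream (remaining length divided by the smallest vector element size) would tie the check to the input instead of a magic number; whether the stream-end pointer is in scope at this point is not visible here. At minimum the use deserves a why-comment, e.g. `/* untrusted element count from the file: cap it so the later info growth and element loop stay in bounds */`. cdf_read_property_info starts and ends outside the hunk.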
@@ -948,8 +949,6 @@ cdf_read_property_info(const cdf_stream_t *sst, const cdf_header_t *h,
                                *info = inp;
                                inp = *info + nelem;
                        }
-                       DPRINTF(("nelements = %" SIZE_T_FORMAT "u\n",
-                           nelements));
                        for (j = 0; j < nelements && i < sh.sh_properties;
                            j++, i++)
                        {
index 9006a686efed4f9ce275505efb242b3020884dca..6ad5bceb75db7446a2630fb5b319789b7a74a917 100644 (file)
@@ -50,6 +50,7 @@
 typedef int32_t cdf_secid_t;
 
 #define CDF_LOOP_LIMIT                                 10000
+#define CDF_ELEMENT_LIMIT                              100000
 
 #define CDF_SECID_NULL                                 0
 #define CDF_SECID_FREE                                 -1
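Review bot: `CDF_ELEMENT_LIMIT` is introduced without a comment, so a reader cannot tell what it bounds or why 100000 was chosen, and nothing distinguishes its role from the neighbouring `CDF_LOOP_LIMIT`. Since the value is a security boundary ported for CVE-2019-18218, I would document it at the definition: `/* Upper bound on the element count of a CDF_VECTOR property read from the file; larger counts are rejected (CVE-2019-18218). */`. If the number has a basis (largest count seen in real documents, or an allocation-size ceiling), stating it would let the next maintainer adjust it safely.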