Fixed Bug #67410 fileinfo: mconvert incorrect handling of truncated pascal string...

author Remi Collet <remi@php.net>

Tue, 10 Jun 2014 12:02:36 +0000 (14:02 +0200)

committer Stanislav Malyshev <stas@php.net>

Fri, 18 Jul 2014 23:17:36 +0000 (16:17 -0700)
author Remi Collet <remi@php.net>
Tue, 10 Jun 2014 12:02:36 +0000 (14:02 +0200)
committer Stanislav Malyshev <stas@php.net>
Fri, 18 Jul 2014 23:17:36 +0000 (16:17 -0700)
diff --git a/ext/fileinfo/libmagic/softmagic.c b/ext/fileinfo/libmagic/softmagic.c

index f9c2836dd26bacc9e8e26f8938eabae7f47ce3e5..e59898183959da5be85275704c2345355f2b46b3 100644 (file)
--- a/ext/fileinfo/libmagic/softmagic.c
+++ b/ext/fileinfo/libmagic/softmagic.c
@@ -777,10 +777,18 @@ mconvert(struct magic_set *ms, struct magic *m)
                 return 1;
         }
         case FILE_PSTRING: {
-               char *ptr1 = p->s, *ptr2 = ptr1 + file_pstring_length_size(m);
+               size_t sz = file_pstring_length_size(m);
+               char *ptr1 = p->s, *ptr2 = ptr1 + sz;
                 size_t len = file_pstring_get_length(m, ptr1);
-               if (len >= sizeof(p->s))
-                       len = sizeof(p->s) - 1;
+               if (len >= sizeof(p->s)) {
+                       /*
+                        * The size of the pascal string length (sz)
+                        * is 1, 2, or 4. We need at least 1 byte for NUL
+                        * termination, but we've already truncated the
+                        * string by p->s, so we need to deduct sz.
+                        */ 
+                       len = sizeof(p->s) - sz;
+               }
                 while (len--)
                         *ptr1++ = *ptr2++;
                 *ptr1 = '\0';
author	Remi Collet <remi@php.net>
	Tue, 10 Jun 2014 12:02:36 +0000 (14:02 +0200)
committer	Stanislav Malyshev <stas@php.net>
	Fri, 18 Jul 2014 23:17:36 +0000 (16:17 -0700)