From: Scott MacVicar
Date: Thu, 6 Nov 2008 02:58:14 +0000 (+0000)
Subject: Fix buffer overread in libmagic and sync a skipped change from 4.26
X-Git-Tag: BEFORE_HEAD_NS_CHANGE~72
X-Git-Url: https://granicus.if.org/sourcecode?a=commitdiff_plain;h=ca77d8ae3129825774fb2dc3a1d0547d585e2feb;p=php

Fix buffer overread in libmagic and sync a skipped change from 4.26
---
diff --git a/ext/fileinfo/libmagic/funcs.c b/ext/fileinfo/libmagic/funcs.c
index b4e662ebbf..9b0b13d615 100644
--- a/ext/fileinfo/libmagic/funcs.c
+++ b/ext/fileinfo/libmagic/funcs.c
@@ -151,6 +151,7 @@ file_buffer(struct magic_set *ms, php_stream *stream, const char *inname, const
 {
 int m;
 int mime = ms->flags & MAGIC_MIME;
+ const unsigned char *ubuf = buf;
 
 if (nb == 0) {
 if ((!mime || (mime & MAGIC_MIME_TYPE)) &&
@@ -182,15 +183,15 @@ file_buffer(struct magic_set *ms, php_stream *stream, const char *inname, const
 #if PHP_FILEINFO_UNCOMPRESS
 /* try compression stuff */
 if ((ms->flags & MAGIC_NO_CHECK_COMPRESS) != 0 ||
- (m = file_zmagic(ms, stream, inname, buf, nb)) == 0)
+ (m = file_zmagic(ms, stream, inname, ubuf, nb)) == 0)
 #endif
 {
 /* Check if we have a tar file */
- if ((ms->flags & MAGIC_NO_CHECK_TAR) != 0 || (m = file_is_tar(ms, buf, nb)) == 0) {
+ if ((ms->flags & MAGIC_NO_CHECK_TAR) != 0 || (m = file_is_tar(ms, ubuf, nb)) == 0) {
 /* try tests in /etc/magic (or surrogate magic file) */
- if ((ms->flags & MAGIC_NO_CHECK_SOFT) != 0 || (m = file_softmagic(ms, buf, nb, BINTEST)) == 0) {
+ if ((ms->flags & MAGIC_NO_CHECK_SOFT) != 0 || (m = file_softmagic(ms, ubuf, nb, BINTEST)) == 0) {
 /* try known keywords, check whether it is ASCII */
- if ((ms->flags & MAGIC_NO_CHECK_ASCII) != 0 || (m = file_ascmagic(ms, buf, nb)) == 0) {
+ if ((ms->flags & MAGIC_NO_CHECK_ASCII) != 0 || (m = file_ascmagic(ms, ubuf, nb)) == 0) {
 /* abandon hope, all ye who remain here */
 if ((!mime || (mime & MAGIC_MIME_TYPE)) && file_printf(ms, mime ? "application/octet-stream" : "data") == -1) {
 return -1;
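Review bot: The added `ubuf` alias carries no comment saying why `buf` is viewed through a second pointer, and the later hunks in this file (at 182 and 210) switch every checker call from `buf` to it, so a reader of those calls has to come back here to learn that only the pointer type changes; suggest `const unsigned char *ubuf = buf; /* byte view of buf for the file_*magic checkers below */`. The parameter list of file_buffer is truncated in the hunk header, so the declared type of `buf` is not visible here and the comment wording assumes the checkers take a const unsigned char pointer. file_buffer's body continues outside the hunk.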
@@ -210,7 +211,7 @@ file_buffer(struct magic_set *ms, php_stream *stream, const char *inname, const
 * information from the ELF headers that cannot easily
 * be extracted with rules in the magic file.
 */
- (void)file_tryelf(ms, stream, buf, nb);
+ (void)file_tryelf(ms, stream, ubuf, nb);
 }
 #endif
 return m;
diff --git a/ext/fileinfo/libmagic/softmagic.c b/ext/fileinfo/libmagic/softmagic.c
index bfe5fffd30..0950905007 100644
--- a/ext/fileinfo/libmagic/softmagic.c
+++ b/ext/fileinfo/libmagic/softmagic.c
@@ -185,8 +185,8 @@ match(struct magic_set *ms, struct magic *magic, uint32_t nmagic,
 if (file_check_mem(ms, ++cont_level) == -1)
 return -1;
 
- while (magic[magindex+1].cont_level != 0 &&
- ++magindex < nmagic) {
+ while (magindex < nmagic - 1 && magic[magindex + 1].cont_level != 0) {
+ magindex++;
 m = &magic[magindex];
 ms->line = m->lineno; /* for messages */
 
@@ -783,6 +783,7 @@ mcopy(struct magic_set *ms, union VALUETYPE *p, int type, int indir,
 const char *c;
 const char *last; /* end of search region */
 const char *buf; /* start of search region */
+ const char *end;
 size_t lines;
 
 if (s == NULL) {
@@ -791,10 +792,10 @@ mcopy(struct magic_set *ms, union VALUETYPE *p, int type, int indir,
 return 0;
 }
 buf = (const char *)s + offset;
- last = (const char *)s + nbytes;
+ end = last = (const char *)s + nbytes;
 /* mget() guarantees buf <= last */
 for (lines = linecnt, b = buf;
- lines && ((b = strchr(c = b, '\n')) || (b = strchr(c, '\r')));
+ lines && ((b = memchr(c = b, '\n', end - b)) || (b = memchr(c, '\r', end - c)));
 lines--, b++) {
 last = b;
 if (b[0] == '\r' && b[1] == '\n')
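Review bot: `magindex < nmagic - 1` wraps to UINT32_MAX when nmagic is 0, since the hunk header shows nmagic as uint32_t, and the new bound then no longer protects the `magic[magindex + 1]` read that follows it; writing the test as `while (magindex + 1 < nmagic && magic[magindex + 1].cont_level != 0) {` checks the index that is actually dereferenced and cannot wrap. The outer loop over magindex is outside the hunk, so whether nmagic == 0 can reach this point cannot be confirmed from here; the rewrite costs nothing either way. The body of the while loop continues past the end of the hunk.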
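Review bot: The loop body's `if (b[0] == '\r' && b[1] == '\n')` on the last line still reads one byte past the search region when the '\r' located by memchr is the final byte of the buffer (b == end - 1), so the bounded search moves the overread from strchr to this test rather than removing it; guard it with `if (b[0] == '\r' && b + 1 < end && b[1] == '\n')`. The `end - b` and `end - c` lengths also depend on the `buf <= last` guarantee quoted in the comment, because a negative pointer difference would convert to a huge size_t for memchr, so the declaration added at 783 is worth labelling as the hard bound, e.g. `const char *end; /* one past the last byte of s; bound for memchr */`. The rest of the for loop and mcopy's body continue outside the hunk.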