From 9603f16f995154a858d7e0b31eff3a9b79f88ff7 Mon Sep 17 00:00:00 2001
From: Anatol Belski
Date: Sun, 8 Mar 2015 13:09:58 +0100
Subject: [PATCH] catch up with the previous cve-2014-3538 patch

---
 ext/fileinfo/libmagic/softmagic.c | 13 ++++++++++---
 1 file changed, 10 insertions(+), 3 deletions(-)

diff --git a/ext/fileinfo/libmagic/softmagic.c b/ext/fileinfo/libmagic/softmagic.c
index ef819c2e36..9ac177c0e9 100644
--- a/ext/fileinfo/libmagic/softmagic.c
+++ b/ext/fileinfo/libmagic/softmagic.c
@@ -1081,7 +1081,7 @@ mcopy(struct magic_set *ms, union VALUETYPE *p, int type, int indir,
 const char *last; /* end of search region */
 const char *buf; /* start of search region */
 const char *end;
- size_t lines, linecnt, bytecnt;
+ size_t lines, linecnt, bytecnt, bytecnt_max;
 
 if (s == NULL) {
 ms->search.s_len = 0;
@@ -1097,8 +1097,15 @@ mcopy(struct magic_set *ms, union VALUETYPE *p, int type, int indir,
 bytecnt = m->str_range;
 }
 
- if (bytecnt == 0 || bytecnt > nbytes - offset)
- bytecnt = nbytes - offset;
+ /* XXX bytecnt_max is to be kept for PHP, see cve-2014-3538.
+ PCRE might stuck if the input buffer is too big. To ensure
+ the correctness, the check for bytecnt > nbytes is also
+ kept (might be abundant). */
+ bytecnt_max = nbytes - offset;
+ bytecnt_max = bytecnt_max > (1 << 14) ? (1 << 14) : bytecnt_max;
+ bytecnt_max = bytecnt > nbytes ? nbytes : bytecnt_max;
+ if (bytecnt == 0 || bytecnt > bytecnt_max)
+ bytecnt = bytecnt_max;
 
 buf = RCAST(const char *, s) + offset;
 end = last = RCAST(const char *, s) + bytecnt;
-- 
2.40.0
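Review bot: The third bytecnt_max assignment in the second hunk, `bytecnt_max = bytecnt > nbytes ? nbytes : bytecnt_max;`, undoes the clamp the two lines above it establish: whenever the rule's str_range exceeds nbytes, bytecnt_max is reset to nbytes, which is larger than both nbytes - offset and the 1 << 14 cap, so an oversized str_range is precisely the case in which the PCRE input-size bound the comment describes is not applied. Since nbytes - offset can never exceed nbytes, that extra check is a no-op when bytecnt is small and loosens the bound when it fires; dropping the line (or rewriting it as `bytecnt_max = bytecnt_max > nbytes ? nbytes : bytecnt_max;`, which is then harmlessly redundant) keeps the 16 KiB limit for every rule. The comment should then state that the cap is unconditional rather than that the nbytes check "might be abundant". It is also worth giving the cap a name (an enum or `#define` instead of the bare `1 << 14`) so the search limit is greppable alongside the CVE reference. mcopy's body begins and ends outside the hunk, so whether offset is already known to be <= nbytes at this point (otherwise `nbytes - offset` wraps as size_t) cannot be confirmed from the diff alone.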