From aeabea4aa91af64db1fa1a592b92496fb5e293ba Mon Sep 17 00:00:00 2001
From: Anatol Belski
Date: Sun, 29 Mar 2015 17:42:59 +0200
Subject: [PATCH] Fixed bug #69320 libmagic crash when running laravel tests

Basically reverted the part of the new patch to what we have in 5.6 as the current change seems to have bad side effects. Hovere the in buffer used for PCRE is still doubled (1 << 14), this might or might not be optimal, so lets observe.
---
 ext/fileinfo/libmagic/softmagic.c | 27 +++++++++++----------------
 1 file changed, 11 insertions(+), 16 deletions(-)

diff --git a/ext/fileinfo/libmagic/softmagic.c b/ext/fileinfo/libmagic/softmagic.c
index 9ac177c0e9..ddf7370b50 100644
--- a/ext/fileinfo/libmagic/softmagic.c
+++ b/ext/fileinfo/libmagic/softmagic.c
@@ -1081,7 +1081,7 @@ mcopy(struct magic_set *ms, union VALUETYPE *p, int type, int indir,
 const char *last; /* end of search region */
 const char *buf; /* start of search region */
 const char *end;
- size_t lines, linecnt, bytecnt, bytecnt_max;
+ size_t lines, linecnt, bytecnt;
 if (s == NULL) {
 ms->search.s_len = 0;
@@ -1089,23 +1089,18 @@ mcopy(struct magic_set *ms, union VALUETYPE *p, int type, int indir,
 return 0;
 }
- if (m->str_flags & REGEX_LINE_COUNT) {
- linecnt = m->str_range;
- bytecnt = linecnt * 80;
- } else {
- linecnt = 0;
- bytecnt = m->str_range;
+ /* bytecnt checks are to be kept for PHP, see cve-2014-3538.
+ PCRE might get stuck if the input buffer is too big. */
+ linecnt = m->str_range;
+ bytecnt = linecnt * 80;
+
+ if (bytecnt == 0) {
+ bytecnt = 1 << 14;
 }
- /* XXX bytecnt_max is to be kept for PHP, see cve-2014-3538.
- PCRE might stuck if the input buffer is too big. To ensure
- the correctness, the check for bytecnt > nbytes is also
- kept (might be abundant). */
- bytecnt_max = nbytes - offset;
- bytecnt_max = bytecnt_max > (1 << 14) ? (1 << 14) : bytecnt_max;
- bytecnt_max = bytecnt > nbytes ? nbytes : bytecnt_max;
- if (bytecnt == 0 || bytecnt > bytecnt_max)
- bytecnt = bytecnt_max;
+ if (bytecnt > nbytes) {
+ bytecnt = nbytes;
+ }
 buf = RCAST(const char *, s) + offset;
 end = last = RCAST(const char *, s) + bytecnt;
--
2.40.0
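Review bot: Nothing in the new lines relates `offset` to `bytecnt`, so after the clamp to `nbytes` the pointer `buf = s + offset` can sit past `end = last = s + bytecnt` whenever `offset` is larger than the window. The rest of mcopy is outside this hunk, so it is worth confirming that the code consuming these pointers never derives a length from `last - buf` in that state; a guard such as `if (offset > bytecnt) { offset = bytecnt; }` before `buf` is computed would make the invariant explicit. Separately, the comment cites CVE-2014-3538, but the `1 << 14` cap is applied only when `bytecnt == 0`; a non-zero `m->str_range` gives a window of up to `nbytes`, so the PCRE input bound then depends on whatever limits `nbytes` elsewhere. The comment should say that, for example `/* 16K default only when no range is given; otherwise bounded by nbytes */`.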