Fixed bug #71527 Buffer over-write in finfo_open with malformed magic file

The actual fix is applying the upstream patch from 6713ca45e7
2024-11-30 13:25:43 +08:00 · 2016-03-28 00:45:19 +02:00 · 2016-03-28 00:45:19 +02:00 · fe13566c93
commit fe13566c93
parent 9c19a08b9d
3 changed files with 21 additions and 1 deletions
--- a/ext/fileinfo/libmagic/funcs.c
+++ b/ext/fileinfo/libmagic/funcs.c
@ -414,7 +414,7 @@ file_check_mem(struct magic_set *ms, unsigned int level)
 	size_t len;

 	if (level >= ms->c.len) {
-		len = (ms->c.len += 20) * sizeof(*ms->c.li);
+		len = (ms->c.len += 20 + level) * sizeof(*ms->c.li);
 		ms->c.li = CAST(struct level_info *, (ms->c.li == NULL) ?
 		    emalloc(len) :
 		    erealloc(ms->c.li, len));
--- a/ext/fileinfo/tests/bug71527.magic
+++ b/ext/fileinfo/tests/bug71527.magic
@ -0,0 +1 @@
+>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
--- a/ext/fileinfo/tests/bug71527.phpt
+++ b/ext/fileinfo/tests/bug71527.phpt
@ -0,0 +1,19 @@
+--TEST--
+Bug #71527 Buffer over-write in finfo_open with malformed magic file
+--SKIPIF--
+<?php
+if (!class_exists('finfo'))
+	die('skip no fileinfo extension');
+--ENV--
+USE_ZEND_ALLOC=0
+--FILE--
+<?php
+	$finfo = finfo_open(FILEINFO_NONE, dirname(__FILE__) . DIRECTORY_SEPARATOR . "bug71527.magic");
+	$info = finfo_file($finfo, __FILE__);
+	var_dump($info);
+?>
+--EXPECTF--
+Warning: finfo_open(): Failed to load magic database at '%sbug71527.magic'. in %sbug71527.php on line %d
+
+Warning: finfo_file() expects parameter 1 to be resource, boolean given in %sbug71527.php on line %d
+bool(false)