archive/php-src
1
0
Fork 0
mirror of https://github.com/php/php-src.git synced 2025-08-16 05:58:45 +02:00
Code Issues Projects Releases Packages Wiki Activity Actions 3

Merge branch 'PHP-7.4'

Browse source 
* PHP-7.4:
  Fix libmagic buffer overflow issue (CVE-2019-18218)
  bump version
  set versions for release
This commit is contained in:
Stanislav Malyshev 2019-10-28 20:47:57 -07:00
commit 39bf35ca87
2 changed files with 4 additions and 4 deletions
Download patch file Download diff file Expand all files Collapse all files

7
ext/fileinfo/libmagic/cdf.c
View file

@ -995,8 +995,9 @@ cdf_read_property_info(const cdf_stream_t *sst, const cdf_header_t *h,
goto out;
}
nelements = CDF_GETUINT32(q, 1);
if (nelements == 0) {
DPRINTF(("CDF_VECTOR with nelements == 0\n"));
if (nelements > CDF_ELEMENT_LIMIT || nelements == 0) {
DPRINTF(("CDF_VECTOR with nelements == %"
SIZE_T_FORMAT "u\n", nelements));
goto out;
}
slen = 2;
@ -1038,8 +1039,6 @@ cdf_read_property_info(const cdf_stream_t *sst, const cdf_header_t *h,
goto out;
inp += nelem;
}
DPRINTF(("nelements = %" SIZE_T_FORMAT "u\n",
nelements));
for (j = 0; j < nelements && i < sh.sh_properties;
j++, i++)
{

1
ext/fileinfo/libmagic/cdf.h
View file

@ -48,6 +48,7 @@
typedef int32_t cdf_secid_t;
#define CDF_LOOP_LIMIT 10000
#define CDF_ELEMENT_LIMIT 100000
#define CDF_SECID_NULL 0
#define CDF_SECID_FREE -1